{"ics": [{"lastseen": "2019-12-11T14:21:39", "bulletinFamily": "info", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 7.5**\n * **ATTENTION:** Exploitable remotely/low skill level to exploit\n * **Vendor: **Siemens\n * **Equipment: **Industrial Products\n * **Vulnerabilities:** Integer Overflow or Wraparound, Uncontrolled Resource Consumption\n\n## 2\\. UPDATE INFORMATION\n\nThis updated advisory is a follow-up to the updated advisory titled ICSA-19-253-03 Siemens Industrial Products (Update B) that was published November 14, 2019, on the ICS webpage on us-cert.gov.\n\n## 3\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could cause denial-of-service condition.\n\n## 4\\. TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\nSiemens reports the vulnerabilities affect the following industrial products:\n\n**\\--------- Begin Update C Part 1 of 2 ---------**\n\n * CM 1542-1: All versions\n * CP 1242-7: All versions\n * CP 1243-1 (incl. SIPLUS variant): All versions\n * CP 1243-7 LTE EU: All versions\n * CP 1243-7 LTE US: All versions\n * CP 1243-8 IRC: All versions\n * CP 1542SP-1 (incl. SIPLUS variant): All versions\n * CP 1542SP-1 IRC: All versions\n * CP 1543-1: All versions\n * CP 1543SP-1 (incl. 
SIPLUS variant): All versions\n * CloudConnect 712: All versions prior to 1.1.5\n * ROX II: All versions (Only vulnerable to CVE-2019-11479)\n * RUGGEDCOM RM1224: All versions\n * SCALANCE M800: All versions\n * SCALANCE M875: All versions\n * SCALANCE S615: All versions\n * SCALANCE SC-600: All versions prior to 2.0.1\n * SCALANCE W-700 (IEEE 802.11n): All versions prior to 6.4\n * SCALANCE W1700: All versions\n * SCALANCE WLC711: All versions\n * SCALANCE WLC712: All versions\n * SIMATIC ITC1500: All versions\n * SIMATIC ITC1500 PRO: All versions\n * SIMATIC ITC1900: All versions\n * SIMATIC ITC1900 PRO: All versions\n * SIMATIC ITC2200: All versions\n * SIMATIC ITC2200 PRO: All versions\n * SIMATIC MV500: All versions prior to 1.2\n * SIMATIC RF185C: All versions\n * SIMATIC RF186C: All versions\n * SIMATIC RF186CI: All versions\n * SIMATIC RF188C: All versions\n * SIMATIC RF188CI: All versions\n * SIMATIC RF600R: All versions\n * SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (incl. SIPLUS variant): All versions\n * SIMATIC Teleserver Adapter IE Advanced: All versions\n * SIMATIC Teleserver Adapter IE Basic: All versions\n * SINEMA Remote Connect Server: All versions prior to 2.0 SP1\n * SINUMERIK 808D: All versions prior to 4.92\n * SINUMERIK 828D: All versions prior to 4.8 SP5\n * SINUMERIK 840D sl: All versions prior to 4.8 SP5\n * TIM 1531 IRC (incl. SIPLUS variant): All versions\n\n**\\--------- End Update C Part 1 of 2 ---------**\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nThe kernel is affected by an integer overflow when handling TCP Selective Acknowledgements, which could allow a remote attacker to cause a denial-of-service condition.\n\n[CVE-2019-11477](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11477>) has been assigned to this vulnerability. 
A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H>)).\n\n#### 4.2.2 [UNCONTROLLED RESOURCE CONSUMPTION CWE-400](<https://cwe.mitre.org/data/definitions/400.html>)\n\nA remote attacker sending specially crafted TCP Selective Acknowledgment (SACK) sequences may cause a denial-of-service condition.\n\n[CVE-2019-11478](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11478>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>)).\n\n#### 4.2.3 [UNCONTROLLED RESOURCE CONSUMPTION CWE-400](<https://cwe.mitre.org/data/definitions/400.html>)\n\nAn attacker may exploit a vulnerability in the kernel's TCP retransmission queue implementation when handling TCP Selective Acknowledgements (SACK) to cause a denial-of-service condition.\n\n[CVE-2019-11479](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11479>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>)).\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Chemical, Critical Manufacturing, Energy, Food and Agriculture, Water and Wastewater Systems\n * **COUNTRIES/AREAS DEPLOYED:** Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** Germany\n\n### 4.4 RESEARCHER\n\nSiemens reported these vulnerabilities to CISA.\n\n## 5\\. MITIGATIONS\n\nSiemens recommends users follow the specific workarounds and mitigations below. 
Siemens has also released fixes for the following products:\n\n * CloudConnect 712: [Update to v1.1.5](<https://support.industry.siemens.com/cs/ww/en/view/109769636>)\n * SCALANCE M875: Upgrade hardware to SCALANCE M876-4 or RUGGEDCOM RM1224 and apply patches when available\n * SCALANCE SC-600: [Update to v2.0.1](<https://support.industry.siemens.com/cs/ww/en/view/109769665>)\n\n**\\--------- Begin Update C Part 2 of 2 ---------**\n\n * SCALANCE W700 (IEEE 802.11n): [Update to v6.4 or newer](<https://support.industry.siemens.com/cs/ww/en/view/109773308>)\n\n**\\--------- End Update C Part 2 of 2 --------- **\n\n * SIMATIC MV500: [Update to v1.2](<https://support.industry.siemens.com/cs/ww/en/view/109772052>)\n * SINEMA Remote Connect Server: [Update to v2.0 SP1](<https://support.industry.siemens.com/cs/ww/en/view/109770899>)\n * SINUMERIK 808D: Update to v4.92. The update can be obtained from a Siemens representative or via Siemens customer service.\n * SINUMERIK 828D/840D sl: Update to v4.8 SP5. The update can be obtained from a Siemens representative or via Siemens customer service.\n\nSiemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:\n\n * Restrict network access to affected devices\n * Apply defense-in-depth\n\nAs a general security measure, Siemens strongly recommends users protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends users configure the environment according to Siemens\u2019 [operational guidelines for industrial security](<https://www.siemens.com/cert/operational-guidelines-industrial-security>), and follow the recommendations in the product manuals. 
Additional information on industrial security by Siemens can be found at: <https://www.siemens.com/industrialsecurity>\n\nFor more information, please see Siemens Security Advisory SSA-462066 at the following location: \n<http://www.siemens.com/cert/advisories>\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://www.us-cert.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls and isolate them from the business network.\n * When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://www.us-cert.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.gov](<https://www.us-cert.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.gov](<https://www.us-cert.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B>). 
\n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n\n## Contact Information\n\nFor any questions related to this report, please contact the NCCIC at: \n \nEmail: [NCCICCUSTOMERSERVICE@hq.dhs.gov](<mailto:NCCICCUSTOMERSERVICE@hq.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: http://ics-cert.us-cert.gov \nor incident reporting: https://ics-cert.us-cert.gov/Report-Incident?\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n", "modified": "2019-12-10T00:00:00", "published": "2019-12-10T00:00:00", "id": "ICSA-19-253-03", "href": "https://www.us-cert.gov//ics/advisories/icsa-19-253-03", "title": "Siemens Industrial Products (Update C)", "type": "ics", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "nessus": [{"lastseen": "2019-12-13T07:02:40", "bulletinFamily": "scanner", "description": "Jonathan Looney discovered that the Linux kernel default MSS is\nhard-coded to 48 bytes. This allows a remote peer to fragment TCP\nresend queues significantly more than if a larger MSS were enforced. A\nremote attacker could use this to cause a denial of service. This has\nbeen fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127,\n4.19.52, 5.1.11, and is fixed in commits\n967c05aee439e6e5d7d805e195b3a20ef5c433d6 and\n5f3e2bf008c2221478101ee72f5cb4654b9fc363. 
(CVE-2019-11479)\n\nThe Linux kernel is vulnerable to a flaw that allows attackers sending\ncrafted packets with low maximum segment size (MSS) values to trigger\nexcessive resource consumption.\n\nImpact\n\nBIG-IP\n\nThe BIG-IP system has no exposure to this vulnerability within the\nTraffic Management Microkernel (TMM), including virtual servers and\nvirtual IP addresses (also known as the data plane). However, the\nBIG-IP system is vulnerable via the self IP addresses and the\nmanagement interface (also known as the control plane). A remote\nattacker can exploit this vulnerability to cause a denial of service\n(DoS) by sending a sequence of specially crafted TCP packets.\n\nBackend systems accessed via a FastL4 virtual server\n\nBy its nature as a full-proxy, the BIG-IP system protects backend\nsystems accessed through a standard virtual server, as any attacker", "modified": "2019-12-02T00:00:00", "id": "F5_BIGIP_SOL35421172.NASL", "href": "https://www.tenable.com/plugins/nessus/129313", "published": "2019-09-25T00:00:00", "title": "F5 Networks BIG-IP : Excess resource consumption due to low MSS values vulnerability (K35421172) (SACK Slowness)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K35421172.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129313);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/10/07 15:15:27\");\n\n script_cve_id(\"CVE-2019-11479\");\n\n script_name(english:\"F5 Networks BIG-IP : Excess resource consumption due to low MSS values vulnerability (K35421172) (SACK Slowness)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n 
attribute:\"description\", \n value:\n\"Jonathan Looney discovered that the Linux kernel default MSS is\nhard-coded to 48 bytes. This allows a remote peer to fragment TCP\nresend queues significantly more than if a larger MSS were enforced. A\nremote attacker could use this to cause a denial of service. This has\nbeen fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127,\n4.19.52, 5.1.11, and is fixed in commits\n967c05aee439e6e5d7d805e195b3a20ef5c433d6 and\n5f3e2bf008c2221478101ee72f5cb4654b9fc363. (CVE-2019-11479)\n\nThe Linux kernel is vulnerable to a flaw that allows attackers sending\ncrafted packets with low maximum segment size (MSS) values to trigger\nexcessive resource consumption.\n\nImpact\n\nBIG-IP\n\nThe BIG-IP system has no exposure to this vulnerability within the\nTraffic Management Microkernel (TMM), including virtual servers and\nvirtual IP addresses (also known as the data plane). However, the\nBIG-IP system is vulnerable via the self IP addresses and the\nmanagement interface (also known as the control plane). A remote\nattacker can exploit this vulnerability to cause a denial of service\n(DoS) by sending a sequence of specially crafted TCP packets.\n\nBackend systems accessed via a FastL4 virtual server\n\nBy its nature as a full-proxy, the BIG-IP system protects backend\nsystems accessed through a standard virtual server, as any attacker's\nTCP connection would be terminated at the BIG-IP system. 
However,\nbackend systems accessed via a FastL4 virtual server(a virtual server\nconfigured with a FastL4 profile) are exposed by default as the attack\ntraffic is forwarded as-is to the backend system.\n\nTraffix SDC\n\nA remote attacker can exploit this vulnerability to cause a DoS by\nsending a sequence of specially crafted TCP packets.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K35421172\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K35421172.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/25\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! 
get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K35421172\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"15.0.0-15.0.1\",\"14.0.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.5.2-11.6.5\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"14.1.2.1\",\"11.6.5.1\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"15.0.0-15.0.1\",\"14.0.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.5.2-11.6.5\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"14.1.2.1\",\"11.6.5.1\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"15.0.0-15.0.1\",\"14.0.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.5.2-11.6.5\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"14.1.2.1\",\"11.6.5.1\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"15.0.0-15.0.1\",\"14.0.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.5.2-11.6.5\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"14.1.2.1\",\"11.6.5.1\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"15.0.0-15.0.1\",\"14.0.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.5.2-11.6.5\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"14.1.2.1\",\"11.6.5.1\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"15.0.0-15.0.1\",\"14.0.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.5.2-11.6.5\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"14.1.2.1\",\"11.6.5.1\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"15.0.0-15.0.1\",\"14.0.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.5.2-11.6.5\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"14.1.2.1\",\"11.6.5.1\");\n\n# LTM\nvmatrix[\"LTM\"] = 
make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"15.0.0-15.0.1\",\"14.0.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.5.2-11.6.5\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"14.1.2.1\",\"11.6.5.1\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"15.0.0-15.0.1\",\"14.0.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.5.2-11.6.5\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"14.1.2.1\",\"11.6.5.1\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"15.0.0-15.0.1\",\"14.0.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.5.2-11.6.5\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"14.1.2.1\",\"11.6.5.1\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-13T08:51:53", "bulletinFamily": "scanner", "description": "The version of Palo Alto Networks PAN-OS running on the remote host is 7.1.x prior to 7.1.24 or 8.0.x prior to 8.0.19 or\n8.1.x prior to 8.1.8-h5 or 9.0.x prior to 9.0.2-h4. 
It is, therefore, affected by multiple vulnerabilities.\n\n- An integer overflow condition exists in Linux kernel", "modified": "2019-12-02T00:00:00", "id": "PALO_ALTO_PAN-SA-2019-0013.NASL", "href": "https://www.tenable.com/plugins/nessus/129302", "published": "2019-09-25T00:00:00", "title": "Palo Alto Networks PAN-OS 7.1.x < 7.1.24 / 8.0.x < 8.0.19 / 8.1.x < 8.1.8-h5 / 9.0.x < 9.0.2-h4 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129302);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/09/25 8:43:50\");\n\n script_cve_id(\"CVE-2019-11477\", \"CVE-2019-11478\", \"CVE-2019-11479\");\n\n script_bugtraq_id(108801, 108798, 108818);\n\n script_name(english:\"Palo Alto Networks PAN-OS 7.1.x < 7.1.24 / 8.0.x < 8.0.19 / 8.1.x < 8.1.8-h5 / 9.0.x < 9.0.2-h4 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PAN-OS host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Palo Alto Networks PAN-OS running on the remote host is 7.1.x prior to 7.1.24 or 8.0.x prior to 8.0.19 or\n8.1.x prior to 8.1.8-h5 or 9.0.x prior to 9.0.2-h4. It is, therefore, affected by multiple vulnerabilities.\n\n- An integer overflow condition exists in Linux kernel's networking subsystem processed TCP Selective Acknowledgment\n (SACK) segments. An unauthenticated, remote attacker can exploit this, via by sending a crafted sequence of SACK\n segments on a TCP connection with small value of TCP MSS, resulting in a denial of service (DoS) to cause a crash\n Linux kernel.(CVE-2019-11477)\n\n- An excessive resource consumption flaw was found in the Linux kernel's networking subsystem processed TCP Selective\n Acknowledgment (SACK) segments. 
An unauthenticated, remote attacker can exploit this, via by sending a crafted\n sequence of SACK segments on a TCP connection, to cause a denial of service condition. (CVE-2019-11478)\n\n- An excessive resource consumption flaw was found in the Linux kernel's networking subsystem processed TCP segments.\n An unauthenticated, remote attacker can exploit this, via repeatedly sending network traffic on TCP connection with\n low TCP MSS, resulting in a denial of service (Dos). (CVE-2019-11479)\");\n\n script_set_attribute(attribute:\"see_also\", value:\"https://securityadvisories.paloaltonetworks.com/Home/Detail/151\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PAN-OS 7.1.24 / 8.0.19 / 8.1.8-h5 / 9.0.2-h4 or later\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11477\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:paloaltonetworks:pan-os\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Palo Alto Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"palo_alto_version.nbin\");\n script_require_keys(\"Host/Palo_Alto/Firewall/Version\", \"Host/Palo_Alto/Firewall/Full_Version\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_name = 'Palo Alto Networks PAN-OS';\n\napp_info = vcf::get_app_info(app:app_name, kb_ver:'Host/Palo_Alto/Firewall/Full_Version', kb_source:'Host/Palo_Alto/Firewall/Source');\n\nconstraints = [\n { 'min_version' : '7.1.0', 'max_version' : '7.1.23', 'fixed_display' : '7.1.24' },\n { 'min_version' : '8.0.0', 'max_version' : '8.0.18', 'fixed_display' : '8.0.19' },\n { 'min_version' : '8.1.0', 'max_version' : '8.1.8-h4', 'fixed_display' : '8.1.8-h5' },\n { 'min_version' : '9.0.0', 'max_version' : '9.0.2-h3', 'fixed_display' : '9.0.2-h4' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T08:14:27", "bulletinFamily": "scanner", "description": "The remote NewStart CGSL host, running version MAIN 4.06, has kernel packages installed that are affected by multiple\nvulnerabilities:\n\n - The Salsa20 encryption algorithm in the Linux kernel\n before 4.14.8 does not correctly handle zero-length\n inputs, allowing a local attacker able to use the\n AF_ALG-based skcipher interface\n (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of\n service (uninitialized-memory free and kernel crash) or\n have unspecified other impact by executing a crafted\n sequence of system calls that use the blkcipher_walk\n API. Both the generic implementation\n (crypto/salsa20_generic.c) and x86 implementation\n (arch/x86/crypto/salsa20_glue.c) of Salsa20 were\n vulnerable. 
(CVE-2017-17805)\n\n - The mincore() implementation in mm/mincore.c in the\n Linux kernel through 4.19.13 allowed local attackers to\n observe page cache access patterns of other processes on\n the same system, potentially allowing sniffing of secret\n information. (Fixing this affects the output of the\n fincore program.) Limited remote exploitation may be\n possible, as demonstrated by latency differences in\n accessing public files from an Apache HTTP Server.\n (CVE-2019-5489)\n\n - An issue was discovered in the proc_pid_stack function\n in fs/proc/base.c in the Linux kernel through 4.18.11.\n It does not ensure that only root may inspect the kernel\n stack of an arbitrary task, allowing a local attacker to\n exploit racy stack unwinding and leak kernel task stack\n contents. (CVE-2018-17972)\n\n - Jonathan Looney discovered that the\n TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an\n integer overflow in the Linux kernel when handling TCP\n Selective Acknowledgments (SACKs). A remote attacker\n could use this to cause a denial of service. This has\n been fixed in stable kernel releases 4.4.182, 4.9.182,\n 4.14.127, 4.19.52, 5.1.11, and is fixed in commit\n 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.\n (CVE-2019-11477)\n\n - A double-free can happen in idr_remove_all() in\n lib/idr.c in the Linux kernel 2.6 branch. An\n unprivileged local attacker can use this flaw for a\n privilege escalation or for a system crash and a denial\n of service (DoS). 
(CVE-2019-3896)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory, aka ", "modified": "2019-12-02T00:00:00", "id": "NEWSTART_CGSL_NS-SA-2019-0177_KERNEL.NASL", "href": "https://www.tenable.com/plugins/nessus/128689", "published": "2019-09-11T00:00:00", "title": "NewStart CGSL MAIN 4.06 : kernel Multiple Vulnerabilities (NS-SA-2019-0177)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0177. The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128689);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/10/17 14:31:05\");\n\n script_cve_id(\n \"CVE-2017-17805\",\n \"CVE-2018-17972\",\n \"CVE-2019-1125\",\n \"CVE-2019-3896\",\n \"CVE-2019-5489\",\n \"CVE-2019-11477\",\n \"CVE-2019-11478\",\n \"CVE-2019-11479\"\n );\n\n script_name(english:\"NewStart CGSL MAIN 4.06 : kernel Multiple Vulnerabilities (NS-SA-2019-0177)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 4.06, has kernel packages installed that are affected by multiple\nvulnerabilities:\n\n - The Salsa20 encryption algorithm in the Linux kernel\n before 4.14.8 does not correctly handle zero-length\n inputs, allowing a local attacker able to use the\n AF_ALG-based skcipher interface\n (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of\n service (uninitialized-memory free and kernel crash) or\n have unspecified other impact by executing a crafted\n sequence of system calls that use the blkcipher_walk\n API. 
Both the generic implementation\n (crypto/salsa20_generic.c) and x86 implementation\n (arch/x86/crypto/salsa20_glue.c) of Salsa20 were\n vulnerable. (CVE-2017-17805)\n\n - The mincore() implementation in mm/mincore.c in the\n Linux kernel through 4.19.13 allowed local attackers to\n observe page cache access patterns of other processes on\n the same system, potentially allowing sniffing of secret\n information. (Fixing this affects the output of the\n fincore program.) Limited remote exploitation may be\n possible, as demonstrated by latency differences in\n accessing public files from an Apache HTTP Server.\n (CVE-2019-5489)\n\n - An issue was discovered in the proc_pid_stack function\n in fs/proc/base.c in the Linux kernel through 4.18.11.\n It does not ensure that only root may inspect the kernel\n stack of an arbitrary task, allowing a local attacker to\n exploit racy stack unwinding and leak kernel task stack\n contents. (CVE-2018-17972)\n\n - Jonathan Looney discovered that the\n TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an\n integer overflow in the Linux kernel when handling TCP\n Selective Acknowledgments (SACKs). A remote attacker\n could use this to cause a denial of service. This has\n been fixed in stable kernel releases 4.4.182, 4.9.182,\n 4.14.127, 4.19.52, 5.1.11, and is fixed in commit\n 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.\n (CVE-2019-11477)\n\n - A double-free can happen in idr_remove_all() in\n lib/idr.c in the Linux kernel 2.6 branch. An\n unprivileged local attacker can use this flaw for a\n privilege escalation or for a system crash and a denial\n of service (DoS). (CVE-2019-3896)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory, aka 'Windows Kernel Information\n Disclosure Vulnerability'. This CVE ID is unique from\n CVE-2019-1071, CVE-2019-1073. 
(CVE-2019-1125)\n\n - Jonathan Looney discovered that the TCP retransmission\n queue implementation in tcp_fragment in the Linux kernel\n could be fragmented when handling certain TCP Selective\n Acknowledgment (SACK) sequences. A remote attacker could\n use this to cause a denial of service. This has been\n fixed in stable kernel releases 4.4.182, 4.9.182,\n 4.14.127, 4.19.52, 5.1.11, and is fixed in commit\n f070ef2ac66716357066b683fb0baf55f8191a2e.\n (CVE-2019-11478)\n\n - Jonathan Looney discovered that the Linux kernel default\n MSS is hard-coded to 48 bytes. This allows a remote peer\n to fragment TCP resend queues significantly more than if\n a larger MSS were enforced. A remote attacker could use\n this to cause a denial of service. This has been fixed\n in stable kernel releases 4.4.182, 4.9.182, 4.14.127,\n 4.19.52, 5.1.11, and is fixed in commits\n 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and\n 5f3e2bf008c2221478101ee72f5cb4654b9fc363.\n (CVE-2019-11479)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0177\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. 
Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-3896\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL MAIN 4.06\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.06');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL MAIN 4.06\": [\n \"kernel-2.6.32-754.18.2.el6.cgslv4_6.0.28.gda17c11\",\n \"kernel-abi-whitelists-2.6.32-754.18.2.el6.cgslv4_6.0.28.gda17c11\",\n \"kernel-debug-2.6.32-754.18.2.el6.cgslv4_6.0.28.gda17c11\",\n \"kernel-debug-debuginfo-2.6.32-754.18.2.el6.cgslv4_6.0.28.gda17c11\",\n \"kernel-debug-devel-2.6.32-754.18.2.el6.cgslv4_6.0.28.gda17c11\",\n \"kernel-debuginfo-2.6.32-754.18.2.el6.cgslv4_6.0.28.gda17c11\",\n \"kernel-debuginfo-common-x86_64-2.6.32-754.18.2.el6.cgslv4_6.0.28.gda17c11\",\n \"kernel-devel-2.6.32-754.18.2.el6.cgslv4_6.0.28.gda17c11\",\n \"kernel-doc-2.6.32-754.18.2.el6.cgslv4_6.0.28.gda17c11\",\n \"kernel-firmware-2.6.32-754.18.2.el6.cgslv4_6.0.28.gda17c11\",\n \"kernel-headers-2.6.32-754.18.2.el6.cgslv4_6.0.28.gda17c11\",\n \"perf-2.6.32-754.18.2.el6.cgslv4_6.0.28.gda17c11\",\n \"perf-debuginfo-2.6.32-754.18.2.el6.cgslv4_6.0.28.gda17c11\",\n \"python-perf-2.6.32-754.18.2.el6.cgslv4_6.0.28.gda17c11\",\n \"python-perf-debuginfo-2.6.32-754.18.2.el6.cgslv4_6.0.28.gda17c11\"\n 
]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T08:47:00", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2019:1479 :\n\nAn update for kernel is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* An integer overflow flaw was found in the way the Linux kernel", "modified": "2019-12-02T00:00:00", "id": "ORACLELINUX_ELSA-2019-1479.NASL", "href": "https://www.tenable.com/plugins/nessus/127590", "published": "2019-08-12T00:00:00", "title": "Oracle Linux 8 : kernel (ELSA-2019-1479) (SACK Panic) (SACK Slowness)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2019:1479 and \n# Oracle Linux Security Advisory ELSA-2019-1479 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127590);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/09/27 13:00:39\");\n\n script_cve_id(\"CVE-2019-11477\", \"CVE-2019-11478\", \"CVE-2019-11479\", \"CVE-2019-9213\");\n script_xref(name:\"RHSA\", value:\"2019:1479\");\n\n script_name(english:\"Oracle Linux 8 : kernel 
(ELSA-2019-1479) (SACK Panic) (SACK Slowness)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2019:1479 :\n\nAn update for kernel is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* An integer overflow flaw was found in the way the Linux kernel's\nnetworking subsystem processed TCP Selective Acknowledgment (SACK)\nsegments. While processing SACK segments, the Linux kernel's socket\nbuffer (SKB) data structure becomes fragmented. Each fragment is about\nTCP maximum segment size (MSS) bytes. To efficiently process SACK\nblocks, the Linux kernel merges multiple fragmented SKBs into one,\npotentially overflowing the variable holding the number of segments. 
A\nremote attacker could use this flaw to crash the Linux kernel by\nsending a crafted sequence of SACK segments on a TCP connection with\nsmall value of TCP MSS, resulting in a denial of service (DoS).\n(CVE-2019-11477)\n\n* kernel: lack of check for mmap minimum address in expand_downwards\nin mm/ mmap.c leads to NULL pointer dereferences exploit on non-SMAP\nplatforms (CVE-2019-9213)\n\n* Kernel: tcp: excessive resource consumption while processing SACK\nblocks allows remote denial of service (CVE-2019-11478)\n\n* Kernel: tcp: excessive resource consumption for TCP connections with\nlow MSS allows remote denial of service (CVE-2019-11479)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\n\nBug Fix(es) :\n\n* [HPE 8.0 Bug] nvme drive power button does not turn off drive\n(BZ#1700288)\n\n* RHEL8.0 - hw csum failure seen in dmesg and console (using\nmlx5/mlx4/ Mellanox) (BZ#1700289)\n\n* RHEL8.0 - vfio-ap: add subsystem to matrix device to avoid libudev\nfailures (kvm) (BZ#1700290)\n\n* [FJ8.1 Bug]: Make Fujitsu Erratum 010001 patch work on A64FX v1r0\n(BZ# 1700901)\n\n* [FJ8.0 Bug]: Fujitsu A64FX processor errata - panic by unknown fault\n(BZ# 1700902)\n\n* RHEL 8.0 Snapshot 4 - nvme create-ns command hangs after creating 20\nnamespaces on Bolt (NVMe) (BZ#1701140)\n\n* [Cavium/Marvell 8.0 qed] Fix qed_mcp_halt() and qed_mcp_resume()\n(backporting bug) (BZ#1704184)\n\n* [Intel 8.1 Bug] PBF: Base frequency display fix (BZ#1706739)\n\n* [RHEL8]read/write operation not permitted to\n/sys/kernel/debug/gcov/reset (BZ#1708100)\n\n* RHEL8.0 - ISST-LTE:pVM:fleetwood:LPM:raylp85:After lpm seeing the\nconsole logs on the the lpar at target side (BZ#1708102)\n\n* RHEL8.0 - Backport support for software count cache flush Spectre v2\nmitigation (BZ#1708112)\n\n* [Regression] RHEL8.0 - System crashed with one stress-ng-mremap\nstressor 
on Boston (kvm host) (BZ#1708617)\n\n* [intel ice Rhel 8 RC1] ethtool -A ethx causes interfaces to go down\n(BZ# 1709433)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2019-August/008979.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-cross-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-doc\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python3-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 8\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2019-11477\", \"CVE-2019-11478\", \"CVE-2019-11479\", \"CVE-2019-9213\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2019-1479\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"4.18\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"bpftool-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", rpm:\"kernel-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"kernel-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", rpm:\"kernel-abi-whitelists-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"kernel-abi-whitelists-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", rpm:\"kernel-core-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"kernel-core-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", rpm:\"kernel-cross-headers-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", 
reference:\"kernel-cross-headers-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", rpm:\"kernel-debug-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"kernel-debug-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", rpm:\"kernel-debug-core-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"kernel-debug-core-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", rpm:\"kernel-debug-devel-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"kernel-debug-devel-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", rpm:\"kernel-debug-modules-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"kernel-debug-modules-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", rpm:\"kernel-debug-modules-extra-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"kernel-debug-modules-extra-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", rpm:\"kernel-devel-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"kernel-devel-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", rpm:\"kernel-doc-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"kernel-doc-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", rpm:\"kernel-headers-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"kernel-headers-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", rpm:\"kernel-modules-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"kernel-modules-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", rpm:\"kernel-modules-extra-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"kernel-modules-extra-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", rpm:\"kernel-tools-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"kernel-tools-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", 
rpm:\"kernel-tools-libs-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"kernel-tools-libs-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_exists(release:\"EL8\", rpm:\"kernel-tools-libs-devel-4.18.0\") && rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"perf-4.18.0-80.4.2.el8_0\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"python3-perf-4.18.0-80.4.2.el8_0\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T08:14:07", "bulletinFamily": "scanner", "description": "The remote NewStart CGSL host, running version MAIN 4.05, has kernel packages installed that are affected by multiple\nvulnerabilities:\n\n - An integer overflow flaw was found in the way the Linux\n kernel", "modified": "2019-12-02T00:00:00", "id": "NEWSTART_CGSL_NS-SA-2019-0168_KERNEL.NASL", "href": "https://www.tenable.com/plugins/nessus/127456", "published": "2019-08-12T00:00:00", "title": "NewStart CGSL MAIN 4.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0168)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0168. 
The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127456);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/10/17 14:31:05\");\n\n script_cve_id(\n \"CVE-2019-3896\",\n \"CVE-2019-11477\",\n \"CVE-2019-11478\",\n \"CVE-2019-11479\"\n );\n\n script_name(english:\"NewStart CGSL MAIN 4.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0168)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 4.05, has kernel packages installed that are affected by multiple\nvulnerabilities:\n\n - An integer overflow flaw was found in the way the Linux\n kernel's networking subsystem processed TCP Selective\n Acknowledgment (SACK) segments. While processing SACK\n segments, the Linux kernel's socket buffer (SKB) data\n structure becomes fragmented. Each fragment is about TCP\n maximum segment size (MSS) bytes. To efficiently process\n SACK blocks, the Linux kernel merges multiple fragmented\n SKBs into one, potentially overflowing the variable\n holding the number of segments. A remote attacker could\n use this flaw to crash the Linux kernel by sending a\n crafted sequence of SACK segments on a TCP connection\n with small value of TCP MSS, resulting in a denial of\n service (DoS). (CVE-2019-11477)\n\n - An excessive resource consumption flaw was found in the\n way the Linux kernel's networking subsystem processed\n TCP Selective Acknowledgment (SACK) segments. While\n processing SACK segments, the Linux kernel's socket\n buffer (SKB) data structure becomes fragmented, which\n leads to increased resource utilization to traverse and\n process these fragments as further SACK segments are\n received on the same TCP connection. 
A remote attacker\n could use this flaw to cause a denial of service (DoS)\n by sending a crafted sequence of SACK segments on a TCP\n connection. (CVE-2019-11478)\n\n - An excessive resource consumption flaw was found in the\n way the Linux kernel's networking subsystem processed\n TCP segments. If the Maximum Segment Size (MSS) of a TCP\n connection was set to low values, such as 48 bytes, it\n can leave as little as 8 bytes for the user data, which\n significantly increases the Linux kernel's resource\n (CPU, Memory, and Bandwidth) utilization. A remote\n attacker could use this flaw to cause a denial of\n service (DoS) by repeatedly sending network traffic on a\n TCP connection with low TCP MSS. (CVE-2019-11479)\n\n - A double-free can happen in idr_remove_all() in\n lib/idr.c in the Linux kernel. An unprivileged local\n attacker can use this flaw for a privilege escalation or\n for a system crash and a denial of service (DoS).\n (CVE-2019-3896)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0168\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. 
Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-3896\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL MAIN 4.05\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL MAIN 4.05\": [\n \"kernel-2.6.32-642.13.1.el6.cgslv4_5.0.134.g9e9387e\",\n \"kernel-abi-whitelists-2.6.32-642.13.1.el6.cgslv4_5.0.134.g9e9387e\",\n \"kernel-debug-2.6.32-642.13.1.el6.cgslv4_5.0.134.g9e9387e\",\n \"kernel-debug-debuginfo-2.6.32-642.13.1.el6.cgslv4_5.0.134.g9e9387e\",\n \"kernel-debug-devel-2.6.32-642.13.1.el6.cgslv4_5.0.134.g9e9387e\",\n \"kernel-debuginfo-2.6.32-642.13.1.el6.cgslv4_5.0.134.g9e9387e\",\n \"kernel-debuginfo-common-x86_64-2.6.32-642.13.1.el6.cgslv4_5.0.134.g9e9387e\",\n \"kernel-devel-2.6.32-642.13.1.el6.cgslv4_5.0.134.g9e9387e\",\n \"kernel-doc-2.6.32-642.13.1.el6.cgslv4_5.0.134.g9e9387e\",\n \"kernel-firmware-2.6.32-642.13.1.el6.cgslv4_5.0.134.g9e9387e\",\n \"kernel-headers-2.6.32-642.13.1.el6.cgslv4_5.0.134.g9e9387e\",\n \"perf-2.6.32-642.13.1.el6.cgslv4_5.0.134.g9e9387e\",\n \"perf-debuginfo-2.6.32-642.13.1.el6.cgslv4_5.0.134.g9e9387e\",\n \"python-perf-2.6.32-642.13.1.el6.cgslv4_5.0.134.g9e9387e\",\n 
\"python-perf-debuginfo-2.6.32-642.13.1.el6.cgslv4_5.0.134.g9e9387e\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T08:14:00", "bulletinFamily": "scanner", "description": "The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has kernel packages installed that are affected by\nmultiple vulnerabilities:\n\n - An integer overflow flaw was found in the way the Linux\n kernel", "modified": "2019-12-02T00:00:00", "id": "NEWSTART_CGSL_NS-SA-2019-0165_KERNEL.NASL", "href": "https://www.tenable.com/plugins/nessus/127451", "published": "2019-08-12T00:00:00", "title": "NewStart CGSL CORE 5.05 / MAIN 5.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0165)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0165. 
The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127451);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/10/18 23:14:15\");\n\n script_cve_id(\"CVE-2019-11477\", \"CVE-2019-11478\", \"CVE-2019-11479\");\n\n script_name(english:\"NewStart CGSL CORE 5.05 / MAIN 5.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0165)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has kernel packages installed that are affected by\nmultiple vulnerabilities:\n\n - An integer overflow flaw was found in the way the Linux\n kernel's networking subsystem processed TCP Selective\n Acknowledgment (SACK) segments. While processing SACK\n segments, the Linux kernel's socket buffer (SKB) data\n structure becomes fragmented. Each fragment is about TCP\n maximum segment size (MSS) bytes. To efficiently process\n SACK blocks, the Linux kernel merges multiple fragmented\n SKBs into one, potentially overflowing the variable\n holding the number of segments. A remote attacker could\n use this flaw to crash the Linux kernel by sending a\n crafted sequence of SACK segments on a TCP connection\n with small value of TCP MSS, resulting in a denial of\n service (DoS). (CVE-2019-11477)\n\n - An excessive resource consumption flaw was found in the\n way the Linux kernel's networking subsystem processed\n TCP Selective Acknowledgment (SACK) segments. While\n processing SACK segments, the Linux kernel's socket\n buffer (SKB) data structure becomes fragmented, which\n leads to increased resource utilization to traverse and\n process these fragments as further SACK segments are\n received on the same TCP connection. 
A remote attacker\n could use this flaw to cause a denial of service (DoS)\n by sending a crafted sequence of SACK segments on a TCP\n connection. (CVE-2019-11478)\n\n - An excessive resource consumption flaw was found in the\n way the Linux kernel's networking subsystem processed\n TCP segments. If the Maximum Segment Size (MSS) of a TCP\n connection was set to low values, such as 48 bytes, it\n can leave as little as 8 bytes for the user data, which\n significantly increases the Linux kernel's resource\n (CPU, Memory, and Bandwidth) utilization. A remote\n attacker could use this flaw to cause a denial of\n service (DoS) by repeatedly sending network traffic on a\n TCP connection with low TCP MSS. (CVE-2019-11479)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0165\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. 
Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11477\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL CORE 5.05\" &&\n release !~ \"CGSL MAIN 5.05\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL CORE 5.05\": [\n \"bpftool-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"kernel-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"kernel-abi-whitelists-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"kernel-core-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"kernel-debug-core-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"kernel-debug-debuginfo-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"kernel-debug-devel-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"kernel-debug-modules-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"kernel-debuginfo-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"kernel-debuginfo-common-x86_64-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"kernel-devel-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"kernel-doc-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n 
\"kernel-headers-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"kernel-modules-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"kernel-tools-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"kernel-tools-debuginfo-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"kernel-tools-libs-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"kernel-tools-libs-devel-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"perf-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"perf-debuginfo-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"python-perf-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\",\n \"python-perf-debuginfo-3.10.0-957.21.3.el7.cgslv5_5.4.91.g3a74014.lite\"\n ],\n \"CGSL MAIN 5.05\": [\n \"bpftool-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"kernel-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"kernel-abi-whitelists-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"kernel-debug-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"kernel-debug-debuginfo-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"kernel-debug-devel-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"kernel-debuginfo-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"kernel-debuginfo-common-x86_64-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"kernel-devel-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"kernel-doc-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"kernel-headers-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"kernel-tools-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"kernel-tools-debuginfo-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"kernel-tools-libs-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"kernel-tools-libs-devel-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"perf-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"perf-debuginfo-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"python-perf-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\",\n \"python-perf-debuginfo-3.10.0-957.21.3.el7.cgslv5_5.4.88.gc07cc84\"\n 
]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T08:13:45", "bulletinFamily": "scanner", "description": "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected\nby multiple vulnerabilities:\n\n - An integer overflow flaw was found in the way the Linux\n kernel", "modified": "2019-12-02T00:00:00", "id": "NEWSTART_CGSL_NS-SA-2019-0162_KERNEL-RT.NASL", "href": "https://www.tenable.com/plugins/nessus/127444", "published": "2019-08-12T00:00:00", "title": "NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0162)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0162. 
The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127444);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/10/18 23:14:15\");\n\n script_cve_id(\"CVE-2019-11477\", \"CVE-2019-11478\", \"CVE-2019-11479\");\n\n script_name(english:\"NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0162)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected\nby multiple vulnerabilities:\n\n - An integer overflow flaw was found in the way the Linux\n kernel's networking subsystem processed TCP Selective\n Acknowledgment (SACK) segments. While processing SACK\n segments, the Linux kernel's socket buffer (SKB) data\n structure becomes fragmented. Each fragment is about TCP\n maximum segment size (MSS) bytes. To efficiently process\n SACK blocks, the Linux kernel merges multiple fragmented\n SKBs into one, potentially overflowing the variable\n holding the number of segments. A remote attacker could\n use this flaw to crash the Linux kernel by sending a\n crafted sequence of SACK segments on a TCP connection\n with small value of TCP MSS, resulting in a denial of\n service (DoS). (CVE-2019-11477)\n\n - An excessive resource consumption flaw was found in the\n way the Linux kernel's networking subsystem processed\n TCP Selective Acknowledgment (SACK) segments. While\n processing SACK segments, the Linux kernel's socket\n buffer (SKB) data structure becomes fragmented, which\n leads to increased resource utilization to traverse and\n process these fragments as further SACK segments are\n received on the same TCP connection. 
A remote attacker\n could use this flaw to cause a denial of service (DoS)\n by sending a crafted sequence of SACK segments on a TCP\n connection. (CVE-2019-11478)\n\n - An excessive resource consumption flaw was found in the\n way the Linux kernel's networking subsystem processed\n TCP segments. If the Maximum Segment Size (MSS) of a TCP\n connection was set to low values, such as 48 bytes, it\n can leave as little as 8 bytes for the user data, which\n significantly increases the Linux kernel's resource\n (CPU, Memory, and Bandwidth) utilization. A remote\n attacker could use this flaw to cause a denial of\n service (DoS) by repeatedly sending network traffic on a\n TCP connection with low TCP MSS. (CVE-2019-11479)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0162\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL kernel-rt packages. Note that updated packages may not be available yet. 
Please contact ZTE\nfor more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11477\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL CORE 5.04\" &&\n release !~ \"CGSL MAIN 5.04\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL CORE 5.04\": [\n \"kernel-rt-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-debug-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-debug-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-debug-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-debug-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-debug-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-debuginfo-common-x86_64-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-doc-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n 
\"kernel-rt-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-trace-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-trace-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-trace-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-trace-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-trace-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\"\n ],\n \"CGSL MAIN 5.04\": [\n \"kernel-rt-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-debug-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-debug-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-debug-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-debug-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-debug-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-debuginfo-common-x86_64-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-doc-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-trace-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-trace-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-trace-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-trace-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\",\n \"kernel-rt-trace-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.16.255.g83b1c3f\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if 
(rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-rt\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T08:13:47", "bulletinFamily": "scanner", "description": "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by\nmultiple vulnerabilities:\n\n - An integer overflow flaw was found in the way the Linux\n kernel", "modified": "2019-12-02T00:00:00", "id": "NEWSTART_CGSL_NS-SA-2019-0162_KERNEL.NASL", "href": "https://www.tenable.com/plugins/nessus/127445", "published": "2019-08-12T00:00:00", "title": "NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0162)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0162. 
The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127445);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/10/18 23:14:15\");\n\n script_cve_id(\"CVE-2019-11477\", \"CVE-2019-11478\", \"CVE-2019-11479\");\n\n script_name(english:\"NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0162)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by\nmultiple vulnerabilities:\n\n - An integer overflow flaw was found in the way the Linux\n kernel's networking subsystem processed TCP Selective\n Acknowledgment (SACK) segments. While processing SACK\n segments, the Linux kernel's socket buffer (SKB) data\n structure becomes fragmented. Each fragment is about TCP\n maximum segment size (MSS) bytes. To efficiently process\n SACK blocks, the Linux kernel merges multiple fragmented\n SKBs into one, potentially overflowing the variable\n holding the number of segments. A remote attacker could\n use this flaw to crash the Linux kernel by sending a\n crafted sequence of SACK segments on a TCP connection\n with small value of TCP MSS, resulting in a denial of\n service (DoS). (CVE-2019-11477)\n\n - An excessive resource consumption flaw was found in the\n way the Linux kernel's networking subsystem processed\n TCP Selective Acknowledgment (SACK) segments. While\n processing SACK segments, the Linux kernel's socket\n buffer (SKB) data structure becomes fragmented, which\n leads to increased resource utilization to traverse and\n process these fragments as further SACK segments are\n received on the same TCP connection. 
A remote attacker\n could use this flaw to cause a denial of service (DoS)\n by sending a crafted sequence of SACK segments on a TCP\n connection. (CVE-2019-11478)\n\n - An excessive resource consumption flaw was found in the\n way the Linux kernel's networking subsystem processed\n TCP segments. If the Maximum Segment Size (MSS) of a TCP\n connection was set to low values, such as 48 bytes, it\n can leave as little as 8 bytes for the user data, which\n significantly increases the Linux kernel's resource\n (CPU, Memory, and Bandwidth) utilization. A remote\n attacker could use this flaw to cause a denial of\n service (DoS) by repeatedly sending network traffic on a\n TCP connection with low TCP MSS. (CVE-2019-11479)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0162\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. 
Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11477\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL CORE 5.04\" &&\n release !~ \"CGSL MAIN 5.04\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL CORE 5.04\": [\n \"kernel-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"kernel-core-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"kernel-debug-core-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"kernel-debug-modules-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n 
\"kernel-modules-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"kernel-sign-keys-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"perf-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"python-perf-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\",\n \"python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.16.393.g928e64c.lite\"\n ],\n \"CGSL MAIN 5.04\": [\n \"kernel-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"kernel-debug-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"kernel-sign-keys-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"perf-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n \"python-perf-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\",\n 
\"python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.16.390.g2d140e8\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T08:13:54", "bulletinFamily": "scanner", "description": "The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has kernel-rt packages installed that are affected\nby multiple vulnerabilities:\n\n - Uncacheable memory on some microprocessors utilizing\n speculative execution may allow an authenticated user to\n potentially enable information disclosure via a side\n channel with local access. (CVE-2019-11091)\n\n - An integer overflow flaw was found in the way the Linux\n kernel", "modified": "2019-12-02T00:00:00", "id": "NEWSTART_CGSL_NS-SA-2019-0165_KERNEL-RT.NASL", "href": "https://www.tenable.com/plugins/nessus/127450", "published": "2019-08-12T00:00:00", "title": "NewStart CGSL CORE 5.05 / MAIN 5.05 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0165)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0165. 
The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127450);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/10/18 23:14:15\");\n\n script_cve_id(\n \"CVE-2019-11091\",\n \"CVE-2019-11477\",\n \"CVE-2019-11478\",\n \"CVE-2019-11479\"\n );\n\n script_name(english:\"NewStart CGSL CORE 5.05 / MAIN 5.05 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0165)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has kernel-rt packages installed that are affected\nby multiple vulnerabilities:\n\n - Uncacheable memory on some microprocessors utilizing\n speculative execution may allow an authenticated user to\n potentially enable information disclosure via a side\n channel with local access. (CVE-2019-11091)\n\n - An integer overflow flaw was found in the way the Linux\n kernel's networking subsystem processed TCP Selective\n Acknowledgment (SACK) segments. While processing SACK\n segments, the Linux kernel's socket buffer (SKB) data\n structure becomes fragmented. Each fragment is about TCP\n maximum segment size (MSS) bytes. To efficiently process\n SACK blocks, the Linux kernel merges multiple fragmented\n SKBs into one, potentially overflowing the variable\n holding the number of segments. A remote attacker could\n use this flaw to crash the Linux kernel by sending a\n crafted sequence of SACK segments on a TCP connection\n with small value of TCP MSS, resulting in a denial of\n service (DoS). (CVE-2019-11477)\n\n - An excessive resource consumption flaw was found in the\n way the Linux kernel's networking subsystem processed\n TCP Selective Acknowledgment (SACK) segments. 
While\n processing SACK segments, the Linux kernel's socket\n buffer (SKB) data structure becomes fragmented, which\n leads to increased resource utilization to traverse and\n process these fragments as further SACK segments are\n received on the same TCP connection. A remote attacker\n could use this flaw to cause a denial of service (DoS)\n by sending a crafted sequence of SACK segments on a TCP\n connection. (CVE-2019-11478)\n\n - An excessive resource consumption flaw was found in the\n way the Linux kernel's networking subsystem processed\n TCP segments. If the Maximum Segment Size (MSS) of a TCP\n connection was set to low values, such as 48 bytes, it\n can leave as little as 8 bytes for the user data, which\n significantly increases the Linux kernel's resource\n (CPU, Memory, and Bandwidth) utilization. A remote\n attacker could use this flaw to cause a denial of\n service (DoS) by repeatedly sending network traffic on a\n TCP connection with low TCP MSS. (CVE-2019-11479)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0165\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL kernel-rt packages. Note that updated packages may not be available yet. 
Please contact ZTE\nfor more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11091\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL CORE 5.05\" &&\n release !~ \"CGSL MAIN 5.05\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL CORE 5.05\": [\n \"kernel-rt-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-debug-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-debug-debuginfo-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-debug-devel-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-debug-kvm-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-debug-kvm-debuginfo-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-debuginfo-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-debuginfo-common-x86_64-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-devel-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-doc-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-kvm-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n 
\"kernel-rt-kvm-debuginfo-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-trace-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-trace-debuginfo-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-trace-devel-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-trace-kvm-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-trace-kvm-debuginfo-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\"\n ],\n \"CGSL MAIN 5.05\": [\n \"kernel-rt-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-debug-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-debug-debuginfo-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-debug-devel-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-debug-kvm-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-debug-kvm-debuginfo-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-debuginfo-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-debuginfo-common-x86_64-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-devel-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-doc-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-kvm-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-kvm-debuginfo-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-trace-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-trace-debuginfo-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-trace-devel-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-trace-kvm-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\",\n \"kernel-rt-trace-kvm-debuginfo-3.10.0-957.21.3.rt56.935.el7.cgslv5_5.4.64.g2097f3a\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, 
reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-rt\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T06:28:43", "bulletinFamily": "scanner", "description": "According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - An integer overflow flaw was found in the way the Linux\n kernel", "modified": "2019-12-02T00:00:00", "id": "EULEROS_SA-2019-1792.NASL", "href": "https://www.tenable.com/plugins/nessus/127029", "published": "2019-07-25T00:00:00", "title": "EulerOS 2.0 SP8 : kernel (EulerOS-SA-2019-1792)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127029);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/07/25 9:40:28\");\n\n script_cve_id(\n \"CVE-2019-11477\",\n \"CVE-2019-11478\",\n \"CVE-2019-11479\",\n \"CVE-2019-12817\"\n );\n\n script_name(english:\"EulerOS 2.0 SP8 : kernel (EulerOS-SA-2019-1792)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - An integer overflow flaw was found in the way the Linux\n kernel's networking subsystem processed TCP Selective\n Acknowledgment (SACK) segments. While processing SACK\n segments, the Linux kernel's socket buffer (SKB) data\n structure becomes fragmented. 
Each fragment is about\n TCP maximum segment size (MSS) bytes. To efficiently\n process SACK blocks, the Linux kernel merges multiple\n fragmented SKBs into one, potentially overflowing the\n variable holding the number of segments. A remote\n attacker could use this flaw to crash the Linux kernel\n by sending a crafted sequence of SACK segments on a TCP\n connection with small value of TCP MSS, resulting in a\n denial of service (DoS). (CVE-2019-11477)\n\n - Kernel: tcp: excessive resource consumption while\n processing SACK blocks allows remote denial of service\n (CVE-2019-11478)\n\n - Kernel: tcp: excessive resource consumption for TCP\n connections with low MSS allows remote denial of\n service (CVE-2019-11479)\n\n - A flaw was found in the way the Linux kernel's memory\n subsystem on certain 64-bit PowerPCs with the hash page\n table MMU handled memory above 512TB. A local,\n unprivileged user could use this flaw to escalate their\n privileges on the system.(CVE-2019-12817)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1792\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e70bdf42\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is 
owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-4.19.36-vhulk1906.3.0.h356.eulerosv2r8\",\n \"kernel-debuginfo-4.19.36-vhulk1906.3.0.h356.eulerosv2r8\",\n \"kernel-debuginfo-common-aarch64-4.19.36-vhulk1906.3.0.h356.eulerosv2r8\",\n \"kernel-devel-4.19.36-vhulk1906.3.0.h356.eulerosv2r8\",\n \"kernel-headers-4.19.36-vhulk1906.3.0.h356.eulerosv2r8\",\n \"kernel-tools-4.19.36-vhulk1906.3.0.h356.eulerosv2r8\",\n \"kernel-tools-libs-4.19.36-vhulk1906.3.0.h356.eulerosv2r8\",\n \"perf-4.19.36-vhulk1906.3.0.h356.eulerosv2r8\",\n \"python-perf-4.19.36-vhulk1906.3.0.h356.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : 
rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "cloudfoundry": [{"lastseen": "2019-08-30T04:36:56", "bulletinFamily": "software", "description": "# \n\n## Severity\n\nMedium\n\n## Vendor\n\nCanonical Ubuntu\n\n## Versions Affected\n\n * Canonical Ubuntu 14.04\n\n## Description\n\nUSN-4041-1 provided updates for the Linux kernel in Ubuntu. This update provides the corresponding updates for the Linux kernel for Ubuntu 16.04 ESM.\n\nUSN-4017-2 fixed vulnerabilities in the Linux kernel. Unfortunately, the update introduced a regression that interfered with networking applications that setup very low SO_SNDBUF values. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nJonathan Looney discovered that the Linux kernel could be coerced into segmenting responses into multiple TCP segments. A remote attacker could construct an ongoing sequence of requests to cause a denial of service. 
(CVE-2019-11479)\n\nCVEs contained in this USN include: CVE-2019-11479\n\n## Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH trusty-stemcells are vulnerable, including: \n * 3586.x versions prior to 3586.141\n * 3541.x versions prior to 3541.135\n * 3468.x versions prior to 3468.143\n * All other stemcells not listed.\n\n## Mitigation\n\nUsers of affected products are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH trusty-stemcells: \n * Upgrade 3586.x versions to 3586.141\n * Upgrade 3541.x versions to 3541.135\n * Upgrade 3468.x versions to 3468.143\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-trusty>).\n\n## References\n\n * [USN-4041-2](<https://usn.ubuntu.com/4041-2>)\n * [CVE-2019-11479](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11479>)\n", "modified": "2019-08-29T00:00:00", "published": "2019-08-29T00:00:00", "id": "CFOUNDRY:5A3C09BA00E9C5521BF90BC72D1721B3", "href": "https://www.cloudfoundry.org/blog/usn-4041-2/", "title": "USN-4041-2: Linux kernel (HWE) update | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-07-30T11:49:29", "bulletinFamily": "software", "description": "## **Severity**\n\nMedium\n\n## **Vendor**\n\nCanonical Ubuntu\n\n## **Versions Affected**\n\n * Canonical Ubuntu 16.04\n\n## **Description**\n\nUSN-4017-1 fixed vulnerabilities in the Linux kernel for Ubuntu. Unfortunately, the update introduced a regression that interfered with networking applications that setup very low SO_SNDBUF values. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nJonathan Looney discovered that the Linux kernel could be coerced into segmenting responses into multiple TCP segments. 
A remote attacker could construct an ongoing sequence of requests to cause a denial of service. \n\nCVEs contained in this USN include: CVE-2019-11479\n\n## **Affected Cloud Foundry Products and Versions**\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH xenial-stemcells are vulnerable, including:\n * 315.x versions prior to 315.64\n * 250.x versions prior to 250.79\n * 170.x versions prior to 170.107\n * 97.x versions prior to 97.132\n * All other stemcells not listed.\n\n## **Mitigation**\n\nUsers of affected products are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH xenial-stemcells:\n * Upgrade 315.x versions to 315.64\n * Upgrade 250.x versions to 250.79\n * Upgrade 170.x versions to 170.107\n * Upgrade 97.x versions to 97.132\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-xenial>).\n\n## **References**\n\n * [USN-4041-1](<https://usn.ubuntu.com/4041-1>)\n * [CVE-2019-11479](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11479>)\n", "modified": "2019-07-29T00:00:00", "published": "2019-07-29T00:00:00", "id": "CFOUNDRY:4B9A3BCF243ED381ED0645E905D1D406", "href": "https://www.cloudfoundry.org/blog/usn-4041-1/", "title": "USN-4041-1: Linux kernel update | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "oraclelinux": [{"lastseen": "2019-08-19T21:13:27", "bulletinFamily": "unix", "description": "- [4.18.0-80.7.1_0.OL8]\n- Oracle Linux certificates (Alexey Petrenko)\n- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]\n- Update x509.genkey [Orabug: 24817676]\n[4.18.0-80.7.1_0]\n- [x86] Update stepping values for Whiskey Lake U/Y (David Arcari) [1722372 1704801]\n- [x86] x86/perf/amd: Resolve NMI latency issues for active PMCs (David Arcari) 
[1722367 1640238]\n- [x86] x86/perf/amd: Resolve race condition when disabling PMC (David Arcari) [1722367 1640238]\n- [edac] EDAC/amd64: Set maximum channel layer size depending on family (Gary Hook) [1722365 1690984]\n- [edac] EDAC/amd64: Adjust printed chip select sizes when interleaved (Gary Hook) [1722365 1690984]\n- [edac] EDAC/amd64: Recognize x16 symbol size (Gary Hook) [1722365 1690984]\n- [edac] EDAC/amd64: Support more than two Unified Memory Controllers (Gary Hook) [1722365 1690984]\n- [edac] EDAC/amd64: Use a macro for iterating over Unified Memory Controllers (Gary Hook) [1722365 1690984]\n- [edac] EDAC, amd64: Add Family 17h, models 10h-2fh support (Gary Hook) [1722365 1690984]\n- [edac] EDAC/amd64: Add Family 17h Model 30h PCI IDs (Aristeu Rozanski) [1722365 1696603]\n- [x86] mark AMD Rome processors supported (David Arcari) [1721972 1520002]\n- [x86] x86/mce: Handle varying MCA bank counts (David Arcari) [1721233 1668779]\n- [iommu] iommu/vt-d: Disable ATS support on untrusted devices (Jerry Snitselaar) [1700376 1692246]\n- [documentation] thunderbolt: Export IOMMU based DMA protection support to userspace (Jerry Snitselaar) [1700376 1692246]\n- [iommu] iommu/vt-d: Do not enable ATS for untrusted devices (Jerry Snitselaar) [1700376 1692246]\n- [iommu] iommu/vt-d: Force IOMMU on for platform opt in hint (Jerry Snitselaar) [1700376 1692246]\n- [pci] PCI / ACPI: Identify untrusted PCI devices (Myron Stowe) [1700376 1704979]\n- [acpi] ACPI / property: Allow multiple property compatible _DSD entries (Myron Stowe) [1700376 1537397]\n- [net] tcp: enforce tcp_min_snd_mss in tcp_mtu_probing() (Florian Westphal) [1719922 1719923] {CVE-2019-11479}\n- [net] tcp: add tcp_min_snd_mss sysctl (Florian Westphal) [1719922 1719923] {CVE-2019-11479}\n- [net] tcp: tcp_fragment() should apply sane memory limits (Florian Westphal) [1719857 1719858] {CVE-2019-11478}\n- [net] tcp: limit payload size of sacked skbs (Florian Westphal) [1719602 1719603] 
{CVE-2019-11477}\n[4.18.0-80.6.1_0]\n- [mm] mm: defer ZONE_DEVICE page initialization to the point where we init pgmap (Waiman Long) [1719635 1666538]\n- [mm] mm: create non-atomic version of SetPageReserved for init use (Waiman Long) [1719635 1666538]\n- [mm] mm: provide kernel parameter to allow disabling page init poisoning (Waiman Long) [1719635 1666538]\n- [mm] mm, slub: restore the original intention of prefetch_freepointer() (Rafael Aquini) [1718237 1714671]\n- [security] selinux: do not report error on connect(AF_UNSPEC) (Ondrej Mosnacek) [1717870 1707828]\n- [security] selinux: Check address length before reading address family (Ondrej Mosnacek) [1717870 1707828]\n- [powerpc] powerpc/tm: Fix stack pointer corruption (Desnes Augusto Nunes do Rosario) [1717869 1707635]\n- [md] dm cache metadata: Fix loading discard bitset (Mike Snitzer) [1717868 1701618]\n- [md] dm mpath: fix missing call of path selector type->end_io (Mike Snitzer) [1717804 1686227]\n- [mm] mm/memory.c: do_fault: avoid usage of stale vm_area_struct ('Herton R. 
Krzesinski') [1717801 1684734]\n- [net] sunrpc: fix 4 more call sites that were using stack memory with a scatterlist (Scott Mayhew) [1717800 1679183]\n- [net] sunrpc: Don't use stack buffer with scatterlist (Scott Mayhew) [1717800 1679183]\n- [scsi] scsi: mpt3sas: Fix kernel panic during expander reset (Tomas Henzl) [1717791 1677693]\n- [security] selinux: always allow mounting submounts (Ondrej Mosnacek) [1717777 1647723]\n- [drm] drm/bufs: Fix Spectre v1 vulnerability (Rob Clark) [1717382 1663467]\n- [drm] drm/ioctl: Fix Spectre v1 vulnerabilities (Rob Clark) [1717382 1663467]\n- [tools] perf annotate: Fix getting source line failure (Michael Petlan) [1716887 1614435]\n- [iommu] iommu/amd: Set exclusion range correctly (Jerry Snitselaar) [1715336 1702766]\n- [iommu] iommu/amd: Reserve exclusion range in iova-domain (Jerry Snitselaar) [1717344 1694835]\n- [kvm] KVM: PPC: Book3S: Add count cache flush parameters to kvmppc_get_cpu_char() (Vitaly Kuznetsov) [1715018 1694456]\n- [s390] kvm: s390: Fix potential spectre warnings (Thomas Huth) [1714754 1702344]\n- [drm] drm/i915/gvt: Fix mmap range check (Alex Williamson) [1713572 1713573] {CVE-2019-11085}\n- [scsi] scsi: megaraid_sas: return error when create DMA pool failed (Tomas Henzl) [1712862 1712863] {CVE-2019-11810}\n[4.18.0-80.5.1_0]\n- [kernel] sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup (Joel Savitz) [1715345 1695651]\n- [kernel] sched/fair: Fix O(nr_cgroups) in the load balancing path (Phil Auld) [1715343 1685636] {CVE-2018-20784}\n- [kernel] sched/fair: Fix insertion in rq->leaf_cfs_rq_list (Phil Auld) [1715343 1685636] {CVE-2018-20784}\n- [kernel] sched/fair: Add tmp_alone_branch assertion (Phil Auld) [1715343 1685636] {CVE-2018-20784}\n- [kernel] sched/fair: Fix infinite loop in update_blocked_averages() by reverting a9e7f6544b9c (Phil Auld) [1715343 1685636] {CVE-2018-20784}\n- [rpmspec] apply linux-kernel-test.patch when building ('Herton R. 
Krzesinski') [1715340 1690534]\n- [rpmspec] Fix cross builds (Jiri Olsa) [1715339 1694956]\n- [kernel] sched/fair: Do not re-read ->h_load_next during hierarchical load calculation (Phil Auld) [1715337 1701762]\n- [kvm] KVM: PPC: Book3S HV: Save/restore vrsave register in kvmhv_p9_guest_entry() (Suraj Jitindar Singh) [1714753 1700272]\n- [powerpc] KVM: PPC: Book3S HV: Perserve PSSCR FAKE_SUSPEND bit on guest exit (Suraj Jitindar Singh) [1714751 1689768]\n- [powerpc] powerpc/powernv/ioda: Fix locked_vm counting for memory used by IOMMU tables (David Gibson) [1714746 1674410]\n- [char] ipmi_si: fix use-after-free of resource->name (Tony Camuso) [1714409 1714410] {CVE-2019-11811}\n- [x86] Update stepping values for coffee lake desktop (David Arcari) [1711048 1704800]", "modified": "2019-08-19T00:00:00", "published": "2019-08-19T00:00:00", "id": "ELSA-2019-1959", "href": "http://linux.oracle.com/errata/ELSA-2019-1959.html", "title": "kernel security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-20T00:43:58", "bulletinFamily": "unix", "description": "- [4.18.0-80.7.2_0.OL8]\n- Oracle Linux certificates (Alexey Petrenko)\n- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]\n- Update x509.genkey [Orabug: 24817676]\n[4.18.0-80.7.2_0]\n- [x86] x86/entry/64: Use JMP instead of JMPQ (Josh Poimboeuf) [1724500 1724501] {CVE-2019-1125}\n- [x86] x86/speculation: Enable Spectre v1 swapgs mitigations (Josh Poimboeuf) [1724500 1724501] {CVE-2019-1125}\n- [x86] x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations (Josh Poimboeuf) [1724500 1724501] {CVE-2019-1125}\n- [x86] x86/cpufeatures: Combine word 11 and 12 into a new scattered features word (Josh Poimboeuf) [1724500 1724501] {CVE-2019-1125}\n- [x86] x86/cpufeatures: Carve out CQM features retrieval (Josh Poimboeuf) [1724500 1724501] 
{CVE-2019-1125}\n- [kernel] ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME (Aristeu Rozanski) [1730958 1730959] {CVE-2019-13272}", "modified": "2019-08-19T00:00:00", "published": "2019-08-19T00:00:00", "id": "ELSA-2019-2411", "href": "http://linux.oracle.com/errata/ELSA-2019-2411.html", "title": "kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-11T00:34:34", "bulletinFamily": "unix", "description": "[2.6.39-400.313.1]\n- ACPI: sbshc: remove raw pointer from printk() message (Greg Kroah-Hartman) [Orabug: 27987133] {CVE-2018-5750}\n- dm: fix race between dm_get_from_kobject() and __dm_destroy() (Hou Tao) [Orabug: 27987143] {CVE-2017-18203}\n- tcp: enforce tcp_min_snd_mss in tcp_mtu_probing() (Eric Dumazet) [Orabug: 29886601] {CVE-2019-11477}\n- tcp: add tcp_min_snd_mss sysctl (Eric Dumazet) [Orabug: 29884308] {CVE-2019-11479}\n- tcp: tcp_fragment() should apply sane memory limits (Eric Dumazet) [Orabug: 29884308] {CVE-2019-11478}\n- tcp: fix fack_count accounting on tcp_shift_skb_data() (Joao Martins) [Orabug: 29890843] {CVE-2019-11477}\n- tcp: limit payload size of sacked skbs (Eric Dumazet) [Orabug: 29884308] {CVE-2019-11477}", "modified": "2019-08-10T00:00:00", "published": "2019-08-10T00:00:00", "id": "ELSA-2019-4742", "href": "http://linux.oracle.com/errata/ELSA-2019-4742.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "openvas": [{"lastseen": "2019-07-31T13:44:05", "bulletinFamily": "scanner", "description": "MikroTik RouterOS is prone to multiple denial of service vulnerabilities.", "modified": "2019-07-31T00:00:00", "published": "2019-07-15T00:00:00", "id": "OPENVAS:1361412562310142599", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142599", "title": "MikroTik RouterOS < 6.44.5 (LTS), < 6.45.1 (Stable) Multiple DoS Vulnerabilities", "type": 
"openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/o:mikrotik:routeros\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142599\");\n script_version(\"2019-07-31T04:12:14+0000\");\n script_tag(name:\"last_modification\", value:\"2019-07-31 04:12:14 +0000 (Wed, 31 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-15 08:15:04 +0000 (Mon, 15 Jul 2019)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n\n script_cve_id(\"CVE-2018-1157\", \"CVE-2018-1158\", \"CVE-2019-11477\", \"CVE-2019-11478\", \"CVE-2019-11479\",\n \"CVE-2019-13954\", \"CVE-2019-13955\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"MikroTik RouterOS < 6.44.5 (LTS), < 6.45.1 (Stable) Multiple DoS Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n 
script_dependencies(\"gb_mikrotik_router_routeros_consolidation.nasl\");\n script_mandatory_keys(\"mikrotik/detected\");\n\n script_tag(name:\"summary\", value:\"MikroTik RouterOS is prone to multiple denial of service vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"MikroTik RouterOS prior to version 6.44.5 (LTS) and 6.45.1 (Stable).\");\n\n script_tag(name:\"solution\", value:\"Update to version 6.44.5 (LTS), 6.45.1 (Stable) or later.\");\n\n script_xref(name:\"URL\", value:\"https://mikrotik.com/download/changelogs/stable-release-tree\");\n script_xref(name:\"URL\", value:\"https://mikrotik.com/download/changelogs/long-term-release-tree\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE, nofork: TRUE))\n exit(0);\n\nif (version_is_less(version: version, test_version: \"6.44.5\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.44.5\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nif (version =~ \"^6\\.45\") {\n if (version_is_less(version: version, test_version: \"6.45.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.45.1\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "threatpost": [{"lastseen": "2019-12-06T07:11:46", "bulletinFamily": "info", "description": "Microsoft has addressed 77 vulnerabilities in its July Patch Tuesday update, with 15 of them rated as critical and two known to be under active exploit; and Adobe issued a small group of updates, with surprisingly none for Acrobat Reader or Flash.\n\nEleven of the critical bugs are for scripting engines and browsers, and the four others affect the DHCP Server, GDI+, the .NET Framework and the Azure DevOps Server/Team Foundation 
Server.\n\n\u201cScripting engine, browser, GDI+, and .NET Framework patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser,\u201d according to Patch Tuesday [commentary](<https://blog.qualys.com/laws-of-vulnerabilities/2019/07/09/july-2019-patch-tuesday-77-vulns-15-critical-dhcp-rce-exploited-privesc-sql-adobe-vulns>) from Qualys. \u201cThis includes multi-user servers that are used as remote desktops for users.\u201d\n\nThe Microsoft ChakraCore Scripting Engine, Internet Explorer 11 and Microsoft Edge all have a memory corruption vulnerability in their scripting engine ([CVE-2019-1001](<https://www.symantec.com/security-center/vulnerabilities/writeup/108979?om_rssid=sr-advisories>)) that could lead to RCE.\n\n\u201cThe vulnerability exists in the way that the memory handles objects in memory and successful exploitation could allow an attacker to execute arbitrary code,\u201d said Allan Liska, intelligence analyst at Recorded Future, via email. \u201cAt this point it is almost expected to find a monthly memory corruption vulnerability in the scripting engine Microsoft browsers, as it is still a prime target for attackers who weaponize these vulnerabilities quickly.\u201d\n\nOn the server side, the DHCP Server bug ([CVE-2019-0785](<https://www.symantec.com/security-center/vulnerabilities/writeup/108957?om_rssid=sr-advisories>)) is a remote code-execution (RCE) flaw that exists when the server is configured for failover; an attacker with network access to the failover DHCP server could run arbitrary code. It affects all versions of Windows Server from 2012 to 2019. A very similar vulnerability, CVE-2019-0725, [was patched in May](<https://threatpost.com/microsoft-patches-zero-day/144742/>).\n\n\u201cOne of the most critical vulnerabilities this month is present in Microsoft DHCP Server,\u201d said Liska. 
\u201cThis memory corruption vulnerability\u2026allows an attacker to send a specially crafted packet to a DHCP server and, if successful in exploitation, execute arbitrary code.\u201d\n\nAnd finally, Azure DevOps Server and Team Foundation Server (TFS) are affected by an RCE vulnerability ([CVE-2019-1072](<https://devblogs.microsoft.com/devops/july-security-release-patches-available-for-azure-devops-server-and-team-foundation-server/>)) that can be exploited through malicious file uploads.\n\n\u201cAnyone who can upload a file can run code in the context of the Azure DevOps/TFS account,\u201d according to Qualys. \u201cThis includes anonymous users if the server is configured to allow it. This patch should be prioritized for any Azure DevOps or TFS installations.\u201d\n\nLiska meanwhile noted that successful exploits of this vulnerability require the targeted project to allow anonymous file submissions.\n\n\u201cIf an attacker submitted a specially crafted file to the target project as an anonymous user, they would be able to execute arbitrary code on the target server,\u201d he said. \u201cAzure has not been a big target for exploitation in the past, but this is a vulnerability that should be quickly patched due to the ease with which this vulnerability could be exploited at scale.\u201d\n\n## Actively Exploited Privilege-Escalation Bugs\n\nThe software giant also released important-level patches for two privilege-escalation vulnerabilities in Win32k and splwow64, which are being actively exploited in the wild. Qualys said that the patches, though labeled as important, should be prioritized since they could be chained with other vulnerabilities to provide an attacker with complete system access. 
In other words, once they have elevated their privilege level, attackers could exploit another vulnerability to allow them to execute code.\n\nThe Win32 flaw ([CVE-2019-1132](<https://www.virusradar.com/en/Win32_Exploit.CVE-2019-1132.A/description>)) affects Windows 7, Server 2008 and Server 2008 R2.\n\n\u201cWhile an attacker would have to gain log on access to the system to execute the exploit, the vulnerability if exploited would allow the attacker to take full control of the system,\u201d said Chris Goettl, director of product management for security at Ivanti, via email.\n\nMeanwhile, the bug in splwow64 ([CVE-2019-0880](<https://www.symantec.com/security-center/vulnerabilities/writeup/108963?om_rssid=sr-advisories>)), which is the print driver host for 32-bit applications, would allow an attacker to go from low to medium-integrity privileges. If the patch can\u2019t be deployed immediately, the vulnerability can be mitigated by disabling the print spooler. It affects Windows 8.1, Server 2012 and later OS.\n\n## Outlook, Linux SACK and Advisories Worth Noting\n\nMicrosoft also issued two notable advisories, one for Outlook on the web and the other for the known Linux kernel vulnerabilities that were disclosed in June \u2013 along with a few other patches that administrators should prioritize, according to researchers.\n\nA cross-site scripting vulnerability in Outlook on the web (formerly OWA) would allow an attacker to send a malicious SVG file to a target in order to exploit it. 
However, success requires the targeted user to open the image file directly by dragging it to a new tab or pasting the URL into a new tab.\n\n\u201cWhile this is an unlikely attack scenario, [Microsoft recommends](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190021>) blocking SVG images,\u201d according to Qualys.\n\nSeveral denial-of-service (DoS) vulnerabilities meanwhile [were reported in June](<https://threatpost.com/linux-kernel-bug-pcs-iot-offline/145797/>) for the Linux kernel (CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479). Three related flaws were found in the Linux kernel\u2019s handling of TCP networking; the first two are related to TCP Selective Acknowledgement (SACK) packets combined with the Maximum Segment Size parameter, and the third solely with the Maximum Segment Size parameter. The most severe vulnerability (CVE-2019-11477, dubbed SACK Panic) impacts Linux kernels 2.6.29 versions and above. It could allow a remote attacker to trigger a kernel panic in systems running the affected software and, as a result, impact the system\u2019s availability.\n\nMicrosoft\u2019s advisory [details the impact](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190020>) of the kernel bugs on its systems.\n\nAlso of note is a patch for an SQL Server RCE flaw ([CVE-2019-1068](<https://www.symantec.com/security-center/vulnerabilities/writeup/108954?om_rssid=sr-advisories>)). This vulnerability is ranked as important, and does require authentication \u2013 however, it could also be chained with SQL injection to allow an attacker to completely compromise the server, according to Qualys, so should be prioritized.\n\nAnd, one of the other patches that researchers said is worth highlighting is CVE-2019-0887, a medium-level vulnerability against Remote Desktop Services (RDS) that was [disclosed by Check Point](<https://www.checkpoint.com/defense/advisories/public/2019/cpai-2019-0826.html>) last month. 
The bug exists in how RDS handles clipboard redirection, according to Liska. It requires an attacker to have access to an RDS server; when a victim connects to that server, an attacker can exploit the vulnerability to execute arbitrary code on the victim system. The bug affects all versions of Windows from Windows 7 to 10, and Windows Server 2008 to 2019.\n\n## Adobe July Patch Tuesday Updates\n\nAdobe meanwhile issued patches for Bridge CC, Experience Manager and Dreamweaver. Experience Manager is patched for three vulnerabilities, while Bridge and Dreamweaver each have one.\n\nNone are labeled as critical, and the highest rated vulnerability for each software package is labeled as important.\n\n\u201cAdobe released three patches for July, but surprisingly, none are for Adobe Flash or Acrobat Reader,\u201d said Dustin Childs, researcher with Trend Micro\u2019s Zero-Day Initiative (ZDI), in a blog. \u201cInstead, a total of five CVEs are addressed by fixes for Adobe Bridge, Experience Manager, and Dreamweaver. The CVE corrected by the [Bridge](<https://helpx.adobe.com/security/products/bridge/apsb19-37.html>) patch fixes an information disclosure bug and was reported through the ZDI program. The [Experience Manager](<https://helpx.adobe.com/security/products/experience-manager/apsb19-38.html>) patch is the largest this month, with three CVEs referenced. All are input validation bugs. The patch for [Dreamweaver](<https://helpx.adobe.com/security/products/dreamweaver/apsb19-40.html>) corrects a single DLL-loading issue. None of these bugs are listed as being publicly known or under active attack at the time of release.\u201d\n
", "modified": "2019-07-09T21:04:36", "published": "2019-07-09T21:04:36", "id": "THREATPOST:2ECE427D1900B827769D37FD86AC8265", "href": "https://threatpost.com/microsoft-patches-zero-days-active-attack/146349/", "type": "threatpost", "title": "Microsoft Patches A Pair of Zero-Days Under Active Attack", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2019-07-09T19:41:27", "bulletinFamily": "blog", "description": "This month\u2019s Microsoft Patch Tuesday addresses 77 vulnerabilities with 15 of them labeled as Critical. Of the 15 Critical vulns, 11 are for scripting engines and browsers, with the remaining four covering DHCP Server, GDI+, .NET Framework, and Azure DevOps Server / Team Foundation Server. In addition, Microsoft has released Important patches for two actively exploited privilege escalation vulnerabilities, as well as a SQL Server RCE. Microsoft also issued two advisories for Outlook on the web and Linux Kernel vulnerabilities. Adobe issued patches today for Bridge CC, Experience Manager, and Dreamweaver.\n\n### Workstation Patches\n\nScripting Engine, Browser, GDI+, and .NET Framework patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.\n\n### DHCP Server RCE\n\nA Remote Code Execution vulnerability ([CVE-2019-0785](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0785>)) exists in Microsoft's DHCP Server when configured for failover. 
An attacker with network access to the failover DHCP server could run arbitrary code. This patch should be prioritized for any systems running DHCP in failover mode.\n\n### Actively Attacked Privilege Escalation\n\nMicrosoft released patches for two privilege escalation vulnerabilities ([CVE-2019-1132](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1132>) and [CVE-2019-0880](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0880>)) in Win32k and splwow64 that have been exploited in the wild. These patches, though labeled as Important, should be prioritized, as they could be chained with other vulnerabilities to provide an attacker with complete system access.\n\n### SQL Server RCE\n\nA Remote Code Execution vulnerability ([CVE-2019-1068](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1068>)) in Microsoft SQL Server is also covered in today's patch release. This vulnerability is ranked as Important, and does require authentication. However, this vulnerability could be chained with SQL injection to allow an attacker to completely compromise the server.\n\n### Azure DevOps Server / Team Foundation Server\n\nAzure DevOps Server and Team Foundation Server (TFS) are affected by a Remote Code Execution vulnerability ([CVE-2019-1072](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1072>)) that is exploited through malicious file uploads. Anyone who can upload a file can run code in the context of the Azure DevOps / TFS account. This includes anonymous users if the server is configured to allow it. This patch should be prioritized for any Azure DevOps or TFS installations.\n\n### Outlook on the web XSS\n\nMicrosoft issued an [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190021>) on a cross-site scripting vulnerability in Outlook on the web (formerly OWA). 
This vulnerability involves an attacker sending a malicious SVG file, but requires the targeted user to open the image file directly by dragging it to a new tab or pasting the URL into a new tab. While this is an unlikely attack scenario, Microsoft recommends blocking SVG images.\n\n### Linux Kernel TCP SACK DoS\n\nSeveral DoS vulnerabilities were [reported](<https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md>) in June for the Linux kernel ([CVE-2019-11477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477>), [CVE-2019-11478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478>), [CVE-2019-11479](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479>)). Microsoft has issued an [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190020>) with information and links regarding these vulnerabilities.\n\n### Adobe Patch Tuesday\n\nAdobe has issued patches for [Bridge CC](<https://helpx.adobe.com/security/products/bridge/apsb19-37.html>), [Experience Manager](<https://helpx.adobe.com/security/products/experience-manager/apsb19-38.html>), and [Dreamweaver](<https://helpx.adobe.com/security/products/dreamweaver/apsb19-40.html>). Experience Manager is patched for three vulns, while Bridge and Dreamweaver each have one. None are labeled as Critical, and the highest rated vuln for each software is Important.", "modified": "2019-07-09T18:12:39", "published": "2019-07-09T18:12:39", "id": "QUALYSBLOG:36C7759879CCF63D810039DBDE053B89", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2019/07/09/july-2019-patch-tuesday-77-vulns-15-critical-dhcp-rce-exploited-privesc-sql-adobe-vulns", "type": "qualysblog", "title": "July 2019 Patch Tuesday \u2013 77 Vulns, 15 Critical, DHCP RCE, Exploited PrivEsc, SQL, Adobe Vulns", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}