7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
72.8%
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
CVE-2016-10208
Sergej Schumilo and Ralf Spenneberg discovered that a crafted ext4 filesystem could trigger memory corruption when it is mounted. A user that can provide a device or filesystem image to be mounted could use this for denial of service (crash or data corruption) or possibly for privilege escalation.
CVE-2017-8824
Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-dccp.conf install dccp false
CVE-2017-8831
Pengfei Wang discovered that the saa7164 video capture driver re-reads data from a PCI device after validating it. A physically present user able to attach a specially designed PCI device could use this for privilege escalation.
CVE-2017-12190
Vitaly Mayatskikh discovered that the block layer did not correctly count page references for raw I/O from user-space. This can be exploited by a guest VM with access to a host SCSI device for denial of service (memory exhaustion) or potentially for privilege escalation.
CVE-2017-13080
A vulnerability was found in the WPA2 protocol that could lead to reinstallation of the same Group Temporal Key (GTK), which substantially reduces the security of wifi encryption. This is one of the issues collectively known as ‘KRACK’.
Updates to GTKs are usually handled by the wpa package, where this issue was already fixed (DLA-1150-1). However, some wifi devices can remain active and update GTKs autonomously while the system is suspended. The kernel must also check for and ignore key reinstallation.
CVE-2017-14051
‘shqking’ reported that the qla2xxx SCSI host driver did not correctly validate I/O to the ‘optrom’ sysfs attribute of the devices it creates. This is unlikely to have any security impact.
CVE-2017-15115
Vladis Dronov reported that the SCTP implementation did not correctly handle ‘peel-off’ of an association to another net namespace. This leads to a use-after-free, which a local user can exploit for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the sctp module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-sctp.conf install sctp false
CVE-2017-15265
Michael23 Yu reported a race condition in the ALSA sequencer subsystem involving creation and deletion of ports, which could lead to a use-after-free. A local user with access to an ALSA sequencer device can use this for denial of service (crash or data loss) or possibly for privilege escalation.
CVE-2017-15299
Eric Biggers discovered that the KEYS subsystem did not correctly handle update of an uninstantiated key, leading to a null dereference.
A local user can use this for denial of service (crash).
CVE-2017-15649
‘nixioaming’ reported a race condition in the packet socket (AF_PACKET) implementation involving rebinding to a fanout group, which could lead to a use-after-free. A local user with the CAP_NET_RAW capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation.
CVE-2017-15868
Al Viro found that the Bluebooth Network Encapsulation Protocol (BNEP) implementation did not validate the type of the second socket passed to the BNEPCONNADD ioctl(), which could lead to memory corruption. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation.
CVE-2017-16525
Andrey Konovalov reported that the USB serial console implementation did not correctly handle disconnection of unusual serial devices, leading to a use-after-free. A similar issue was found in the case where setup of a serial console fails. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or data corruption) or possibly for privilege escalation.
CVE-2017-16527
Andrey Konovalov reported that the USB sound mixer driver did not correctly cancel I/O in case it failed to probe a device, which could lead to a use-after-free. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or data corruption) or possibly for privilege escalation.
CVE-2017-16529
Andrey Konovalov reported that the USB sound driver did not fully validate descriptor lengths, which could lead to a buffer over-read. A physically present user with a specially designed USB device may be able to use this to cause a denial of service (crash).
CVE-2017-16531
Andrey Konovalov reported that the USB core did not validate IAD lengths, which could lead to a buffer over-read. A physically present user with a specially designed USB device may be able to use this to cause a denial of service (crash).
CVE-2017-16532
Andrey Konovalov reported that the USB test driver did not correctly handle devices with specific combinations of endpoints. A physically present user with a specially designed USB device can use this to cause a denial of service (crash).
CVE-2017-16533
Andrey Konovalov reported that the USB HID driver did not fully validate descriptor lengths, which could lead to a buffer over-read. A physically present user with a specially designed USB device may be able to use this to cause a denial of service (crash).
CVE-2017-16535
Andrey Konovalov reported that the USB core did not validate BOS descriptor lengths, which could lead to a buffer over-read. A physically present user with a specially designed USB device may be able to use this to cause a denial of service (crash).
CVE-2017-16536
Andrey Konovalov reported that the cx231xx video capture driver did not fully validate the device endpoint configuration, which could lead to a null dereference. A physically present user with a specially designed USB device can use this to cause a denial of service (crash).
CVE-2017-16537
Andrey Konovalov reported that the imon RC driver did not fully validate the device interface configuration, which could lead to a null dereference. A physically present user with a specially designed USB device can use this to cause a denial of service (crash).
CVE-2017-16643
Andrey Konovalov reported that the gtco tablet driver did not fully validate descriptor lengths, which could lead to a buffer over-read. A physically present user with a specially designed USB device may be able to use this to cause a denial of service (crash).
CVE-2017-16649
Bjørn Mork found that the cdc_ether network driver did not validate the device’s maximum segment size, potentially leading to a division by zero. A physically present user with a specially designed USB device can use this to cause a denial of service (crash).
CVE-2017-16939
Mohamed Ghannam reported (through Beyond Security’s SecuriTeam Secure Disclosure program) that the IPsec (xfrm) implementation did not correctly handle some failure cases when dumping policy information through netlink. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation.
CVE-2017-1000407
Andrew Honig reported that the KVM implementation for Intel processors allowed direct access to host I/O port 0x80, which is not generally safe. On some systems this allows a guest VM to cause a denial of service (crash) of the host.
For Debian 7 ‘Wheezy’, these problems have been fixed in version 3.2.96-2. This version also includes bug fixes from upstream versions up to and including 3.2.96. It also fixes some regressions caused by the fix for CVE-2017-1000364, which was included in DLA-993-1.
We recommend that you upgrade your linux packages.
NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-1200-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(105116);
script_version("3.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");
script_cve_id("CVE-2016-10208", "CVE-2017-1000407", "CVE-2017-12190", "CVE-2017-13080", "CVE-2017-14051", "CVE-2017-15115", "CVE-2017-15265", "CVE-2017-15299", "CVE-2017-15649", "CVE-2017-15868", "CVE-2017-16525", "CVE-2017-16527", "CVE-2017-16529", "CVE-2017-16531", "CVE-2017-16532", "CVE-2017-16533", "CVE-2017-16535", "CVE-2017-16536", "CVE-2017-16537", "CVE-2017-16643", "CVE-2017-16649", "CVE-2017-16939", "CVE-2017-8824", "CVE-2017-8831");
script_xref(name:"IAVA", value:"2017-A-0310");
script_name(english:"Debian DLA-1200-1 : linux security update (KRACK)");
script_summary(english:"Checks dpkg output for the updated package.");
script_set_attribute(
attribute:"synopsis",
value:"The remote Debian host is missing a security update."
);
script_set_attribute(
attribute:"description",
value:
"Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
CVE-2016-10208
Sergej Schumilo and Ralf Spenneberg discovered that a crafted ext4
filesystem could trigger memory corruption when it is mounted. A user
that can provide a device or filesystem image to be mounted could use
this for denial of service (crash or data corruption) or possibly for
privilege escalation.
CVE-2017-8824
Mohamed Ghannam discovered that the DCCP implementation did not
correctly manage resources when a socket is disconnected and
reconnected, potentially leading to a use-after-free. A local user
could use this for denial of service (crash or data corruption) or
possibly for privilege escalation. On systems that do not already have
the dccp module loaded, this can be mitigated by disabling it: echo >>
/etc/modprobe.d/disable-dccp.conf install dccp false
CVE-2017-8831
Pengfei Wang discovered that the saa7164 video capture driver re-reads
data from a PCI device after validating it. A physically present user
able to attach a specially designed PCI device could use this for
privilege escalation.
CVE-2017-12190
Vitaly Mayatskikh discovered that the block layer did not correctly
count page references for raw I/O from user-space. This can be
exploited by a guest VM with access to a host SCSI device for denial
of service (memory exhaustion) or potentially for privilege
escalation.
CVE-2017-13080
A vulnerability was found in the WPA2 protocol that could lead to
reinstallation of the same Group Temporal Key (GTK), which
substantially reduces the security of wifi encryption. This is one of
the issues collectively known as 'KRACK'.
Updates to GTKs are usually handled by the wpa package,
where this issue was already fixed (DLA-1150-1). However,
some wifi devices can remain active and update GTKs
autonomously while the system is suspended. The kernel must
also check for and ignore key reinstallation.
CVE-2017-14051
'shqking' reported that the qla2xxx SCSI host driver did not correctly
validate I/O to the 'optrom' sysfs attribute of the devices it
creates. This is unlikely to have any security impact.
CVE-2017-15115
Vladis Dronov reported that the SCTP implementation did not correctly
handle 'peel-off' of an association to another net namespace. This
leads to a use-after-free, which a local user can exploit for denial
of service (crash or data corruption) or possibly for privilege
escalation. On systems that do not already have the sctp module
loaded, this can be mitigated by disabling it: echo >>
/etc/modprobe.d/disable-sctp.conf install sctp false
CVE-2017-15265
Michael23 Yu reported a race condition in the ALSA sequencer subsystem
involving creation and deletion of ports, which could lead to a
use-after-free. A local user with access to an ALSA sequencer device
can use this for denial of service (crash or data loss) or possibly
for privilege escalation.
CVE-2017-15299
Eric Biggers discovered that the KEYS subsystem did not correctly
handle update of an uninstantiated key, leading to a null dereference.
A local user can use this for denial of service (crash).
CVE-2017-15649
'nixioaming' reported a race condition in the packet socket
(AF_PACKET) implementation involving rebinding to a fanout group,
which could lead to a use-after-free. A local user with the
CAP_NET_RAW capability can use this for denial of service (crash or
data corruption) or possibly for privilege escalation.
CVE-2017-15868
Al Viro found that the Bluebooth Network Encapsulation Protocol (BNEP)
implementation did not validate the type of the second socket passed
to the BNEPCONNADD ioctl(), which could lead to memory corruption. A
local user with the CAP_NET_ADMIN capability can use this for denial
of service (crash or data corruption) or possibly for privilege
escalation.
CVE-2017-16525
Andrey Konovalov reported that the USB serial console implementation
did not correctly handle disconnection of unusual serial devices,
leading to a use-after-free. A similar issue was found in the case
where setup of a serial console fails. A physically present user with
a specially designed USB device can use this to cause a denial of
service (crash or data corruption) or possibly for privilege
escalation.
CVE-2017-16527
Andrey Konovalov reported that the USB sound mixer driver did not
correctly cancel I/O in case it failed to probe a device, which could
lead to a use-after-free. A physically present user with a specially
designed USB device can use this to cause a denial of service (crash
or data corruption) or possibly for privilege escalation.
CVE-2017-16529
Andrey Konovalov reported that the USB sound driver did not fully
validate descriptor lengths, which could lead to a buffer over-read. A
physically present user with a specially designed USB device may be
able to use this to cause a denial of service (crash).
CVE-2017-16531
Andrey Konovalov reported that the USB core did not validate IAD
lengths, which could lead to a buffer over-read. A physically present
user with a specially designed USB device may be able to use this to
cause a denial of service (crash).
CVE-2017-16532
Andrey Konovalov reported that the USB test driver did not correctly
handle devices with specific combinations of endpoints. A physically
present user with a specially designed USB device can use this to
cause a denial of service (crash).
CVE-2017-16533
Andrey Konovalov reported that the USB HID driver did not fully
validate descriptor lengths, which could lead to a buffer over-read. A
physically present user with a specially designed USB device may be
able to use this to cause a denial of service (crash).
CVE-2017-16535
Andrey Konovalov reported that the USB core did not validate BOS
descriptor lengths, which could lead to a buffer over-read. A
physically present user with a specially designed USB device may be
able to use this to cause a denial of service (crash).
CVE-2017-16536
Andrey Konovalov reported that the cx231xx video capture driver did
not fully validate the device endpoint configuration, which could lead
to a null dereference. A physically present user with a specially
designed USB device can use this to cause a denial of service (crash).
CVE-2017-16537
Andrey Konovalov reported that the imon RC driver did not fully
validate the device interface configuration, which could lead to a
null dereference. A physically present user with a specially designed
USB device can use this to cause a denial of service (crash).
CVE-2017-16643
Andrey Konovalov reported that the gtco tablet driver did not fully
validate descriptor lengths, which could lead to a buffer over-read. A
physically present user with a specially designed USB device may be
able to use this to cause a denial of service (crash).
CVE-2017-16649
Bjørn Mork found that the cdc_ether network driver did not
validate the device's maximum segment size, potentially leading to a
division by zero. A physically present user with a specially designed
USB device can use this to cause a denial of service (crash).
CVE-2017-16939
Mohamed Ghannam reported (through Beyond Security's SecuriTeam Secure
Disclosure program) that the IPsec (xfrm) implementation did not
correctly handle some failure cases when dumping policy information
through netlink. A local user with the CAP_NET_ADMIN capability can
use this for denial of service (crash or data corruption) or possibly
for privilege escalation.
CVE-2017-1000407
Andrew Honig reported that the KVM implementation for Intel processors
allowed direct access to host I/O port 0x80, which is not generally
safe. On some systems this allows a guest VM to cause a denial of
service (crash) of the host.
For Debian 7 'Wheezy', these problems have been fixed in version
3.2.96-2. This version also includes bug fixes from upstream versions
up to and including 3.2.96. It also fixes some regressions caused by
the fix for CVE-2017-1000364, which was included in DLA-993-1.
We recommend that you upgrade your linux packages.
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
);
script_set_attribute(
attribute:"see_also",
value:"https://lists.debian.org/debian-lts-announce/2017/12/msg00004.html"
);
script_set_attribute(
attribute:"solution",
value:"Upgrade the affected linux package."
);
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/02/06");
script_set_attribute(attribute:"patch_publication_date", value:"2017/12/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/11");
script_set_attribute(attribute:"in_the_news", value:"true");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"II");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Debian Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("debian_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (deb_check(release:"7.0", prefix:"linux", reference:"3.2.96-2")) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
else security_hole(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | linux | p-cpe:/a:debian:debian_linux:linux |
debian | debian_linux | 7.0 | cpe:/o:debian:debian_linux:7.0 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10208
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000407
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12190
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14051
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15115
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15265
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15299
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15649
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15868
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16525
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16527
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16529
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16531
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16532
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16533
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16535
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16536
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16537
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16643
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16649
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16939
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8824
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8831
lists.debian.org/debian-lts-announce/2017/12/msg00004.html
7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
72.8%