DEBIAN_DLA-1799.NASL (Nessus plugin)
History: May 29, 2019 - 12:00 a.m.
This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.

Debian DLA-1799-2 : linux security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)

www.tenable.com

EPSS: 0.002 (percentile 59.5%)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

This updated advisory text adds a note about the need to install new binary packages.

CVE-2018-5995

ADLab of VenusTech discovered that the kernel logged the virtual addresses assigned to per-CPU data, which could make it easier to exploit other vulnerabilities.

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

Multiple researchers have discovered vulnerabilities in the way that Intel processor designs implement speculative forwarding of data filled into temporary microarchitectural structures (buffers). This flaw could allow an attacker controlling an unprivileged process to read sensitive information, including from the kernel and all other processes running on the system, or across guest/host boundaries to read host memory.

See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.

To fully resolve these vulnerabilities it is also necessary to install updated CPU microcode. An updated intel-microcode package (only available in Debian non-free) was provided via DLA-1789-1. The updated CPU microcode may also be available as part of a system firmware (‘BIOS’) update.
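The paragraph above makes the point that matters operationally for MDS: the fixed kernel alone is not enough, and a host with 3.16.68-1 but no microcode is still exposed. The kernel reports exactly that distinction in /sys/devices/system/cpu/vulnerabilities/mds, using the status strings documented at the mds.html page linked above. The following script is an added example, not part of the Debian advisory or the Tenable plugin: it classifies that sysfs string, separates the "kernel tried, no microcode" state from the real mitigation, and carries the SMT qualifier through to the verdict. The MDS_SYSFS path is the documented one; the status strings fed to it in the tests are constructed.

```shell
#!/bin/sh
# Added example; not part of the Debian advisory or the Tenable plugin.
# Classify the MDS mitigation state the kernel reports through sysfs, so a
# host that has the 3.16.68-1 kernel but still lacks the intel-microcode
# update from DLA-1789-1 is not mistaken for a fully mitigated one.
# The status strings are the ones documented in admin-guide/hw-vuln/mds.html;
# the inputs used in the tests are constructed, not captured from a host.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# mds_classify STATUS -> not-affected | mitigated | kernel-only | vulnerable | unknown
# "kernel-only" is the state this advisory warns about: the kernel issues the
# buffer-clearing sequence (VERW), but the CPU's microcode does not implement it.
mds_classify() {
    case "$1" in
        "Not affected")                                            echo not-affected ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)  echo kernel-only ;;
        "Mitigation: Clear CPU buffers"*)                          echo mitigated ;;
        Vulnerable*)                                               echo vulnerable ;;
        *)                                                         echo unknown ;;
    esac
}

# mds_smt_state STATUS -> the "SMT ..." qualifier (vulnerable, mitigated,
# disabled, "Host state unknown") or "none" when the kernel printed none.
mds_smt_state() {
    case "$1" in
        *"; SMT "*) printf '%s\n' "${1#*; SMT }" ;;
        *)          echo none ;;
    esac
}

# mds_host_check [FILE] -> prints a verdict; exit 0 only when the host is
# not affected, or mitigated with SMT not reported as vulnerable.
# "SMT Host state unknown" (seen from a guest) is passed through: a guest
# cannot judge it, the host has to be checked separately.
mds_host_check() {
    f="${1:-$MDS_SYSFS}"
    if [ ! -r "$f" ]; then
        # On Jessie this is what a pre-MDS 3.16 kernel looks like: the mds
        # file only exists once the MDS-aware kernel is booted.
        echo "unknown: $f missing (kernel predates MDS reporting, or not x86)"
        return 1
    fi
    status=$(cat "$f")
    class=$(mds_classify "$status")
    smt=$(mds_smt_state "$status")
    echo "$class (SMT: $smt): $status"
    case "$class" in
        not-affected) return 0 ;;
        mitigated)    [ "$smt" != vulnerable ] ;;
        kernel-only)  echo "action: install intel-microcode (DLA-1789-1) or a firmware update, then reboot"
                      return 1 ;;
        *)            return 1 ;;
    esac
}

# Exit status of the script is the verdict for this host.
mds_host_check "$@"
```

Run it as-is on the host after the kernel upgrade and reboot; a "kernel-only" result is the case the advisory describes, and "mitigated" with "SMT vulnerable" is the partial state the kernel documentation discusses, where the remaining exposure is to sibling hyperthreads.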

CVE-2019-2024

A use-after-free bug was discovered in the em28xx video capture driver. Local users might be able to use this for denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-3459, CVE-2019-3460

Shlomi Oberman, Yuli Shapiro, and Karamba Security Ltd. research team discovered missing range checks in the Bluetooth L2CAP implementation.
If Bluetooth is enabled, a nearby attacker could use these to read sensitive information from the kernel.

CVE-2019-3882

It was found that the vfio implementation did not limit the number of DMA mappings to device memory. A local user granted ownership of a vfio device could use this to cause a denial of service (out-of-memory condition).

CVE-2019-3901

Jann Horn of Google reported a race condition that would allow a local user to read performance events from a task after it executes a setuid program. This could leak sensitive information processed by setuid programs. Debian’s kernel configuration does not allow unprivileged users to access performance events by default, which fully mitigates this issue.

CVE-2019-6133

Jann Horn of Google found that PolicyKit’s authentication check could be bypassed by a local user creating a process with the same start time and process ID as an older authenticated process. PolicyKit was already updated to fix this in DLA-1644-1. The kernel has additionally been updated to avoid a delay between assigning start time and process ID, which should make the attack impractical.

CVE-2019-9503

Hugues Anguelkov and others at Quarkslab discovered that the brcmfmac (Broadcom wifi FullMAC) driver did not correctly distinguish messages sent by the wifi firmware from other packets. An attacker using the same wifi network could use this for denial of service or to exploit other vulnerabilities in the driver.

CVE-2019-11190

Robert Święcki reported that when a setuid program was executed it was still possible to read performance events while the kernel set up the program’s address space. A local user could use this to defeat ASLR in a setuid program, making it easier to exploit other vulnerabilities in the program. Debian’s kernel configuration does not allow unprivileged users to access performance events by default, which fully mitigates this issue.
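Both CVE-2019-3901 and CVE-2019-11190 above are declared "fully mitigated" by Debian's default configuration, and that claim is only as good as the setting it rests on. The script below is an added example, not part of the advisory or the plugin: it reads kernel.perf_event_paranoid, explains what each level still permits to an unprivileged user, and turns the value into a verdict. The threshold is an assumption stated in the code: Debian kernels carry a non-upstream level 3 that refuses unprivileged perf_event_open altogether, whereas upstream's highest level, 2, still allows a user to sample its own user-space tasks, which is the access these two races need. The sysctl values used in the tests are constructed.

```shell
#!/bin/sh
# Added example; not part of the Debian advisory or the Tenable plugin.
# Verify the condition behind the advisory's "fully mitigates" statement for
# CVE-2019-3901 and CVE-2019-11190: unprivileged users must be unable to open
# performance events at all.
#
# Assumption: the threshold of 3 reflects Debian's kernel, which adds a
# non-upstream kernel.perf_event_paranoid level 3 ("no unprivileged perf") and
# defaults to it. Upstream's levels (-1..2) come from Documentation/sysctl/kernel.txt.
# An administrator who lowers the value to 2 for profiling re-opens the
# per-task user-space access these races rely on.

PERF_PARANOID=/proc/sys/kernel/perf_event_paranoid

# perf_paranoid_label LEVEL -> what LEVEL still permits to an unprivileged user
perf_paranoid_label() {
    case "$1" in
        -1) echo "no restrictions" ;;
        0)  echo "raw tracepoints denied; CPU-wide events and kernel profiling allowed" ;;
        1)  echo "CPU-wide events denied; per-task events incl. kernel profiling allowed" ;;
        2)  echo "kernel profiling denied; per-task user-space events allowed" ;;
        *)  if [ "$1" -ge 3 ] 2>/dev/null; then
                echo "all unprivileged perf_event_open denied (Debian's non-upstream level)"
            else
                echo "unrecognised value '$1'"
            fi ;;
    esac
}

# perf_setuid_races_mitigated LEVEL -> exit 0 when unprivileged perf is off entirely
perf_setuid_races_mitigated() {
    [ "$1" -ge 3 ] 2>/dev/null
}

# perf_host_check [FILE] -> prints level and verdict; exit 0 when mitigated
perf_host_check() {
    f="${1:-$PERF_PARANOID}"
    [ -r "$f" ] || { echo "unknown: $f not readable"; return 1; }
    lvl=$(cat "$f")
    printf 'kernel.perf_event_paranoid = %s: %s\n' "$lvl" "$(perf_paranoid_label "$lvl")"
    if perf_setuid_races_mitigated "$lvl"; then
        echo "CVE-2019-3901 / CVE-2019-11190: mitigated by configuration"
    else
        echo "CVE-2019-3901 / CVE-2019-11190: unprivileged perf reachable; the kernel fix in 3.16.68-1 is required"
        return 1
    fi
}

perf_host_check "$@"
```

Since the value is runtime state, also grep /etc/sysctl.conf and /etc/sysctl.d/ for perf_event_paranoid: a lowered value that is persisted there survives the kernel upgrade.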

CVE-2019-11486

Jann Horn of Google reported numerous race conditions in the Siemens R3964 line discipline. A local user could use these to cause unspecified security impact. This module has therefore been disabled.

CVE-2019-11599

Jann Horn of Google reported a race condition in the core dump implementation which could lead to a use-after-free. A local user could use this to read sensitive information, to cause a denial of service (memory corruption), or for privilege escalation.

For Debian 8 ‘Jessie’, these problems have been fixed in version 3.16.68-1. This version also includes a fix for Debian bug #927781, and other fixes included in upstream stable updates.

We recommend that you upgrade your linux and linux-latest packages.
You will need to use ‘apt-get upgrade --with-new-pkgs’ or ‘apt upgrade’ as the binary package names have changed.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-1799-2. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(125478);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  script_cve_id("CVE-2018-12126", "CVE-2018-12127", "CVE-2018-12130", "CVE-2018-5995", "CVE-2019-11091", "CVE-2019-11190", "CVE-2019-11486", "CVE-2019-11599", "CVE-2019-2024", "CVE-2019-3459", "CVE-2019-3460", "CVE-2019-3882", "CVE-2019-3901", "CVE-2019-6133", "CVE-2019-9503");

  script_name(english:"Debian DLA-1799-2 : linux security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

This updated advisory text adds a note about the need to install new
binary packages.

CVE-2018-5995

ADLab of VenusTech discovered that the kernel logged the virtual
addresses assigned to per-CPU data, which could make it easier to
exploit other vulnerabilities.

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

Multiple researchers have discovered vulnerabilities in the way that
Intel processor designs implement speculative forwarding of data
filled into temporary microarchitectural structures (buffers). This
flaw could allow an attacker controlling an unprivileged process to
read sensitive information, including from the kernel and all other
processes running on the system, or across guest/host boundaries to
read host memory.

See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
for more details.

To fully resolve these vulnerabilities it is also necessary
to install updated CPU microcode. An updated intel-microcode
package (only available in Debian non-free) was provided via
DLA-1789-1. The updated CPU microcode may also be available
as part of a system firmware ('BIOS') update.

CVE-2019-2024

A use-after-free bug was discovered in the em28xx video capture
driver. Local users might be able to use this for denial of service
(memory corruption or crash) or possibly for privilege escalation.

CVE-2019-3459, CVE-2019-3460

Shlomi Oberman, Yuli Shapiro, and Karamba Security Ltd. research team
discovered missing range checks in the Bluetooth L2CAP implementation.
If Bluetooth is enabled, a nearby attacker could use these to read
sensitive information from the kernel.

CVE-2019-3882

It was found that the vfio implementation did not limit the number of
DMA mappings to device memory. A local user granted ownership of a
vfio device could use this to cause a denial of service (out-of-memory
condition).

CVE-2019-3901

Jann Horn of Google reported a race condition that would allow a local
user to read performance events from a task after it executes a setuid
program. This could leak sensitive information processed by setuid
programs. Debian's kernel configuration does not allow unprivileged
users to access performance events by default, which fully mitigates
this issue.

CVE-2019-6133

Jann Horn of Google found that PolicyKit's authentication check could
be bypassed by a local user creating a process with the same start
time and process ID as an older authenticated process. PolicyKit was
already updated to fix this in DLA-1644-1. The kernel has additionally
been updated to avoid a delay between assigning start time and process
ID, which should make the attack impractical.

CVE-2019-9503

Hugues Anguelkov and others at Quarkslab discovered that the brcmfmac
(Broadcom wifi FullMAC) driver did not correctly distinguish messages
sent by the wifi firmware from other packets. An attacker using the
same wifi network could use this for denial of service or to exploit
other vulnerabilities in the driver.

CVE-2019-11190

Robert Święcki reported that when a setuid program was
executed it was still possible to read performance events while the
kernel set up the program's address space. A local user could use this
to defeat ASLR in a setuid program, making it easier to exploit other
vulnerabilities in the program. Debian's kernel configuration does not
allow unprivileged users to access performance events by default, which
fully mitigates this issue.

CVE-2019-11486

Jann Horn of Google reported numerous race conditions in the Siemens
R3964 line discipline. A local user could use these to cause
unspecified security impact. This module has therefore been disabled.

CVE-2019-11599

Jann Horn of Google reported a race condition in the core dump
implementation which could lead to a use-after-free. A local user
could use this to read sensitive information, to cause a denial of
service (memory corruption), or for privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version
3.16.68-1. This version also includes a fix for Debian bug #927781,
and other fixes included in upstream stable updates.

We recommend that you upgrade your linux and linux-latest packages.
You will need to use 'apt-get upgrade --with-new-pkgs' or 'apt
upgrade' as the binary package names have changed.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2019/05/msg00042.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/linux"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9503");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-arm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-x86");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.9-x86");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-doc-3.16");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-586");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-686-pae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-amd64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armhf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-i386");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-amd64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-ixp4xx");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-kirkwood");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-orion5x");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-versatile");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-586");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-ixp4xx");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-kirkwood");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-orion5x");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-versatile");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-libc-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-manual-3.16");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-source-3.16");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-support-3.16.0-9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-linux-system-3.16.0-9-amd64");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/29");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-arm", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-x86", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-x86", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-doc-3.16", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-586", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-686-pae", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-amd64", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armel", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armhf", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-i386", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-amd64", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp-lpae", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-common", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-ixp4xx", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-kirkwood", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-orion5x", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-versatile", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-586", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae-dbg", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64-dbg", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp-lpae", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-ixp4xx", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-kirkwood", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-orion5x", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-versatile", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-libc-dev", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-manual-3.16", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-source-3.16", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-support-3.16.0-9", reference:"3.16.68-1")) flag++;
if (deb_check(release:"8.0", prefix:"xen-linux-system-3.16.0-9-amd64", reference:"3.16.68-1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
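The plugin's check above flags any listed package installed below 3.16.68-1, and the advisory's upgrade note explains why that is not the whole story: because the ABI, and so the binary package names, changed, a plain `apt-get upgrade` leaves the old kernel installed and booted, and a name-based package check cannot see an old-ABI image that is simply not on the fixed-package list. The script below is an added example, written for this page and not the plugin's own code or Debian's: it reproduces the deb_check() loop locally from `dpkg -l` output and adds a running-kernel check against `uname -r`. Assumptions: the package names and reference version mirror the advisory; the `dpkg -l` excerpts are constructed, with "linux-image-3.16.0-8-amd64" at 3.16.64-2 as a hypothetical stand-in for whatever the host ran before; and the version-compare fallback used when dpkg is absent is a simplified numeric comparison, not full Debian version ordering.

```shell
#!/bin/sh
# Added example; not part of the Debian advisory or the Tenable plugin.
# Locally reproduce what the plugin's deb_check() loop does (flag listed
# packages installed below 3.16.68-1) and add the check the advisory's upgrade
# note implies: the *running* kernel must be the fixed one, because the ABI
# bump means the new image is a new package that plain `apt-get upgrade`
# does not install, and a package-name check cannot see the old image.

REFERENCE_VERSION=3.16.68-1

# Packages checked; a subset of the plugin's list, same reference version.
PACKAGES='linux-image-3.16.0-9-amd64 linux-image-3.16.0-9-686-pae
linux-headers-3.16.0-9-common linux-libc-dev linux-source-3.16'

# deb_version_lt A B -> exit 0 when A sorts before B.
# Uses dpkg's real comparison when available. The fallback handles only
# digit-and-dot versions with a numeric revision (enough for 3.16.x-n) and is
# NOT full Debian ordering: no '~' pre-release rule, no letter segments.
deb_version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
        return
    fi
    a=$(printf '%s' "$1" | tr -c '0-9' '.' | tr -s '.')
    b=$(printf '%s' "$2" | tr -c '0-9' '.' | tr -s '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a='' ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b='' ;; esac
        [ "${ax:-0}" -lt "${bx:-0}" ] && return 0
        [ "${ax:-0}" -gt "${bx:-0}" ] && return 1
    done
    return 1
}

# deb_check_installed NAME REFERENCE  (reads `dpkg -l` text on stdin)
# Exit 0 and print "NAME VER < REFERENCE" when NAME is installed ("ii") below
# REFERENCE; exit 1 when absent or already fixed. Architecture qualifiers such
# as "linux-libc-dev:amd64" are stripped before matching.
deb_check_installed() {
    name=$1; ref=$2
    ver=$(awk -v n="$name" '$1 == "ii" { p = $2; sub(/:.*/, "", p); if (p == n) print $3 }')
    [ -n "$ver" ] || return 1
    deb_version_lt "$ver" "$ref" || return 1
    printf '%s %s < %s\n' "$name" "$ver" "$ref"
}

# dla_1799_check UNAME_R  (reads `dpkg -l` text on stdin)
# Prints every flagged package plus a running-kernel verdict. Exit 0 only when
# nothing is flagged AND the booted kernel's own image package is installed at
# the fixed version. Assumes, as the ABI bump implies, that a booted 3.16.0-9
# kernel came from the package now installed; where one package name spans
# several builds, compare `uname -v` with the package changelog instead.
dla_1799_check() {
    uname_r=$1
    listing=$(cat)
    flagged=0
    for p in $PACKAGES; do
        if printf '%s\n' "$listing" | deb_check_installed "$p" "$REFERENCE_VERSION"; then
            flagged=$((flagged + 1))
        fi
    done
    img="linux-image-$uname_r"
    running=$(printf '%s\n' "$listing" | awk -v n="$img" '$1 == "ii" && $2 == n { print $3 }')
    if [ -z "$running" ]; then
        echo "running kernel $uname_r: $img not installed (old ABI still booted, or custom kernel)"
        return 1
    fi
    if deb_version_lt "$running" "$REFERENCE_VERSION"; then
        echo "running kernel $uname_r: $img $running < $REFERENCE_VERSION, reboot into the new kernel"
        return 1
    fi
    echo "running kernel $uname_r: $img $running is fixed; $flagged package(s) flagged"
    [ "$flagged" -eq 0 ]
}

# Constructed `dpkg -l` excerpts (not captured from a real host). The
# "3.16.0-8" ABI name and the 3.16.64-2 build are hypothetical stand-ins.
SAMPLE_BEFORE='ii  linux-image-3.16.0-8-amd64  3.16.64-2  amd64  Linux 3.16 for 64-bit PCs
ii  linux-libc-dev:amd64        3.16.64-2  amd64  Linux support headers for userspace development'
SAMPLE_NEW_PKGS='ii  linux-image-3.16.0-8-amd64  3.16.64-2  amd64  Linux 3.16 for 64-bit PCs
ii  linux-image-3.16.0-9-amd64  3.16.68-1  amd64  Linux 3.16 for 64-bit PCs
ii  linux-libc-dev:amd64        3.16.68-1  amd64  Linux support headers for userspace development'

# On a Debian host check the real package database; elsewhere run the sample.
if command -v dpkg >/dev/null 2>&1; then
    dpkg -l 2>/dev/null | dla_1799_check "$(uname -r)"
else
    printf '%s\n' "$SAMPLE_BEFORE" | dla_1799_check 3.16.0-8-amd64
fi
```

The SAMPLE_NEW_PKGS listing with uname 3.16.0-8-amd64 is the state after `apt upgrade` but before a reboot: nothing is flagged by name, yet the host still runs the vulnerable kernel, which is exactly the gap the running-kernel check closes.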
CPE table (10 of the 36 CPE entries the plugin declares; the full list is in the script above)

Vendor   Product        Package                           CPE
debian   debian_linux   linux-compiler-gcc-4.8-arm        p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-arm
debian   debian_linux   linux-compiler-gcc-4.8-x86        p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-x86
debian   debian_linux   linux-compiler-gcc-4.9-x86        p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.9-x86
debian   debian_linux   linux-doc-3.16                    p-cpe:/a:debian:debian_linux:linux-doc-3.16
debian   debian_linux   linux-headers-3.16.0-9-586        p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-586
debian   debian_linux   linux-headers-3.16.0-9-686-pae    p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-686-pae
debian   debian_linux   linux-headers-3.16.0-9-all        p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all
debian   debian_linux   linux-headers-3.16.0-9-all-amd64  p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-amd64
debian   debian_linux   linux-headers-3.16.0-9-all-armel  p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armel
debian   debian_linux   linux-headers-3.16.0-9-all-armhf  p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armhf