CVSS2: 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C)
  Attack Vector: LOCAL; Attack Complexity: LOW; Authentication: NONE
  Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE
CVSS3: 7.8 High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED
  Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
AI Score: 8.5 High (Confidence: High)
EPSS: 0.031 Low (Percentile: 91.1%)
The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3752-2 advisory.
The Linux Kernel versions 4.14, 4.15, and 4.16 have a null pointer dereference which can result in an out of memory (OOM) killing of large mlocked processes. The issue arises from an oom killed process’s final thread calling exit_mmap(), which calls munlock_vma_pages_all() for mlocked vmas. This can happen synchronously with the oom reaper’s unmap_page_range() since the vma’s VM_LOCKED bit is cleared before munlocking (to determine if any other vmas share the memory and are mlocked). (CVE-2018-1000200)
Linux Kernel versions 3.18 to 4.16 incorrectly handle an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to userspace. This has already been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824. The problem has limited scope, as users don’t usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing chmod o+r+w /dev/sg* to make the devices accessible. NOTE: third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it virtually impossible to exploit. (CVE-2018-1000204)
The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image. (CVE-2018-10323)
Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry() function. An attacker could exploit this by operating on a mounted crafted ext4 image. (CVE-2018-10840)
A flaw was found in the Linux kernel’s ext4 filesystem. A local user can cause an out-of-bounds access in the ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image. (CVE-2018-10881)
The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the Linux kernel through 4.15.15 allows attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image because balloc.c and ialloc.c do not validate bitmap block numbers. (CVE-2018-1093)
Kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel’s implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated. (CVE-2018-1108)
A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process’s memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks). (CVE-2018-1120)
In the Linux kernel 4.13 through 4.16.11, ext4_read_inline_data() in fs/ext4/inline.c performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode. (CVE-2018-11412)
The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel through 4.16.12 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact because sense buffers have different sizes at the CDROM layer and the SCSI layer, as demonstrated by a CDROMREADMODE2 ioctl call. (CVE-2018-11506)
In net/socket.c in the Linux kernel through 4.17.1, there is a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr functions. fchownat does not increment the file descriptor reference count, which allows close to set the socket to NULL during fchownat’s execution, leading to a NULL pointer dereference and system crash. (CVE-2018-12232)
In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr. (CVE-2018-12233)
In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of service attacks due to lack of checking of CPL. (CVE-2018-12904)
An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. (CVE-2018-13094)
The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)
An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used. (CVE-2018-13406)
In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets. (CVE-2018-5814)
In driver_override_store and driver_override_show of bus.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-69129004. References: Upstream kernel. (CVE-2018-9415)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3752-2. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(112110);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2018-1000200",
    "CVE-2018-1000204",
    "CVE-2018-10323",
    "CVE-2018-10840",
    "CVE-2018-10881",
    "CVE-2018-1093",
    "CVE-2018-1108",
    "CVE-2018-1120",
    "CVE-2018-11412",
    "CVE-2018-11506",
    "CVE-2018-12232",
    "CVE-2018-12233",
    "CVE-2018-12904",
    "CVE-2018-13094",
    "CVE-2018-13405",
    "CVE-2018-13406",
    "CVE-2018-5814",
    "CVE-2018-9415"
  );
  script_xref(name:"USN", value:"3752-2");

  script_name(english:"Ubuntu 16.04 LTS : Linux kernel (HWE) vulnerabilities (USN-3752-2)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3752-2 advisory.
- The Linux Kernel versions 4.14, 4.15, and 4.16 has a null pointer dereference which can result in an out
of memory (OOM) killing of large mlocked processes. The issue arises from an oom killed process's final
thread calling exit_mmap(), which calls munlock_vma_pages_all() for mlocked vmas.This can happen
synchronously with the oom reaper's unmap_page_range() since the vma's VM_LOCKED bit is cleared before
munlocking (to determine if any other vmas share the memory and are mlocked). (CVE-2018-1000200)
- Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with
dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel
heap pages to the userspace. This has been fixed upstream in
https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has
limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the
Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties
dispute the relevance of this report, noting that the requirement for an attacker to have both the
CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it virtually impossible to exploit. (CVE-2018-1000204)
- The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3
allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted
xfs image. (CVE-2018-10323)
- Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry()
function. An attacker could exploit this by operating on a mounted crafted ext4 image. (CVE-2018-10840)
- A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound access in
ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a
crafted ext4 filesystem image. (CVE-2018-10881)
- The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the Linux kernel through 4.15.15 allows
attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image
because balloc.c and ialloc.c do not validate bitmap block numbers. (CVE-2018-1093)
- kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation
of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed
before it was sufficiently generated. (CVE-2018-1108)
- A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a
process's memory containing command line arguments (or environment strings), an attacker can cause
utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the
/proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some
controlled time (as a synchronization primitive for other attacks). (CVE-2018-1120)
- In the Linux kernel 4.13 through 4.16.11, ext4_read_inline_data() in fs/ext4/inline.c performs a memcpy
with an untrusted length value in certain circumstances involving a crafted filesystem that stores the
system.data extended attribute value in a dedicated inode. (CVE-2018-11412)
- The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel through 4.16.12 allows local users
to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact
because sense buffers have different sizes at the CDROM layer and the SCSI layer, as demonstrated by a
CDROMREADMODE2 ioctl call. (CVE-2018-11506)
- In net/socket.c in the Linux kernel through 4.17.1, there is a race condition between fchownat and close
in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr
functions. fchownat does not increment the file descriptor reference count, which allows close to set the
socket to NULL during fchownat's execution, leading to a NULL pointer dereference and system crash.
(CVE-2018-12232)
- In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in
JFS can be triggered by calling setxattr twice with two different extended attribute names on the same
file. This vulnerability can be triggered by an unprivileged user with the ability to create files and
execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr.
(CVE-2018-12233)
- In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local
attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of
service attacks due to lack of checking of CPL. (CVE-2018-12904)
- An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may
occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. (CVE-2018-13094)
- The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create
files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and
is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a
plain file whose group ownership is that group. The intended behavior was that the non-member can trigger
creation of a directory (but not a plain file) whose group ownership is that group. The non-member can
escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)
- An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel
before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate
privileges because kmalloc_array is not used. (CVE-2018-13406)
- In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors
when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free
condition or a NULL pointer dereference by sending multiple USB over IP packets. (CVE-2018-5814)
- In driver_override_store and driver_override_show of bus.c, there is a possible double free due to
improper locking. This could lead to local escalation of privilege with System execution privileges
needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android
ID: A-69129004 References: Upstream kernel. (CVE-2018-9415)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3752-2");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-13406");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-9415");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/08/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-33-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-33-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-33-lowlatency");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '16.04': {
    '4.15.0': {
      'generic': '4.15.0-33',
      'generic-lpae': '4.15.0-33',
      'lowlatency': '4.15.0-33'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;

if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3752-2');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2018-1093', 'CVE-2018-1108', 'CVE-2018-1120', 'CVE-2018-5814', 'CVE-2018-9415', 'CVE-2018-10323', 'CVE-2018-10840', 'CVE-2018-10881', 'CVE-2018-11412', 'CVE-2018-11506', 'CVE-2018-12232', 'CVE-2018-12233', 'CVE-2018-12904', 'CVE-2018-13094', 'CVE-2018-13405', 'CVE-2018-13406', 'CVE-2018-1000200', 'CVE-2018-1000204');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3752-2');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}

if (extra) {
  security_report_v4(
    port     : 0,
    severity : SECURITY_HOLE,
    extra    : extra
  );
  exit(0);
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| canonical | ubuntu_linux | linux-image-4.15.0-33-generic | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-33-generic |
| canonical | ubuntu_linux | linux-image-4.15.0-33-generic-lpae | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-33-generic-lpae |
| canonical | ubuntu_linux | linux-image-4.15.0-33-lowlatency | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-33-lowlatency |
| canonical | ubuntu_linux | 16.04 | cpe:/o:canonical:ubuntu_linux:16.04:-:lts |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000200
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000204
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10323
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10840
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10881
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1093
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1108
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1120
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11412
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11506
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12232
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12233
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12904
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13094
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13405
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13406
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5814
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9415
ubuntu.com/security/notices/USN-3752-2