7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.9 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
34.2%
The remote Ubuntu 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6185-1 advisory.
A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters. (CVE-2023-1076)
In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing memory corruption. (CVE-2023-1077)
A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.
(CVE-2023-1079)
A flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
(CVE-2023-1670)
A use-after-free flaw was found in xen_9pfs_front_removet in net/9p/trans_xen.c in Xen transport for 9pfs in the Linux Kernel. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak. (CVE-2023-1859)
The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line. This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection.
However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects. (CVE-2023-1998)
The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long. (CVE-2023-25012)
A use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service problem. (CVE-2023-2985)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6185-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##
include('compat.inc');
if (description)
{
script_id(178660);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");
script_cve_id(
"CVE-2023-1076",
"CVE-2023-1077",
"CVE-2023-1079",
"CVE-2023-1670",
"CVE-2023-1859",
"CVE-2023-1998",
"CVE-2023-2985",
"CVE-2023-25012"
);
script_xref(name:"USN", value:"6185-1");
script_name(english:"Ubuntu 20.04 LTS : Linux kernel vulnerabilities (USN-6185-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-6185-1 advisory.
- A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a
type confusion in their initialization function. While it will be often correct, as tuntap devices require
CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This
would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing
network filters. (CVE-2023-1076)
- In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON
condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a
type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing
memory corruption. (CVE-2023-1077)
- A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when
plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to
the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED
controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led
structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.
(CVE-2023-1079)
- A flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local
user could use this flaw to crash the system or potentially escalate their privileges on the system.
(CVE-2023-1670)
- A use-after-free flaw was found in xen_9pfs_front_removet in net/9p/trans_xen.c in Xen transport for 9pfs
in the Linux Kernel. This flaw could allow a local attacker to crash the system due to a race problem,
possibly leading to a kernel information leak. (CVE-2023-1859)
- The Linux kernel allows userspace processes to enable mitigations by calling prctl with
PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed
that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to
attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be
observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line. This happened
because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that
STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection.
However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons,
which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target
injection against which STIBP protects. (CVE-2023-1998)
- The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a
crafted USB device because the LED controllers remain registered for too long. (CVE-2023-25012)
- A use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw
could allow a local user to cause a denial of service problem. (CVE-2023-2985)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6185-1");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-1079");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-1670");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/02/02");
script_set_attribute(attribute:"patch_publication_date", value:"2023/06/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/07/20");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1051-ibm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1065-bluefield");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1071-gkeop");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1088-raspi");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1093-kvm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1102-gke");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1103-oracle");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1104-aws");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1107-gcp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1110-azure");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2023-2024 Canonical, Inc. / NASL script (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
include('ksplice.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('20.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var kernel_mappings = {
'20.04': {
'5.4.0': {
'ibm': '5.4.0-1051',
'bluefield': '5.4.0-1065',
'gkeop': '5.4.0-1071',
'raspi': '5.4.0-1088',
'kvm': '5.4.0-1093',
'gke': '5.4.0-1102',
'oracle': '5.4.0-1103',
'aws': '5.4.0-1104',
'gcp': '5.4.0-1107',
'azure': '5.4.0-1110'
}
}
};
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);
var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-6185-1');
}
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
var cve_list = make_list('CVE-2023-1076', 'CVE-2023-1077', 'CVE-2023-1079', 'CVE-2023-1670', 'CVE-2023-1859', 'CVE-2023-1998', 'CVE-2023-2985', 'CVE-2023-25012');
if (ksplice_cves_check(cve_list))
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-6185-1');
}
else
{
extra = extra + ksplice_reporting_text();
}
}
if (extra) {
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : extra
);
exit(0);
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | 20.04 | cpe:/o:canonical:ubuntu_linux:20.04:-:lts |
canonical | ubuntu_linux | linux-image-5.4.0-1051-ibm | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1051-ibm |
canonical | ubuntu_linux | linux-image-5.4.0-1065-bluefield | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1065-bluefield |
canonical | ubuntu_linux | linux-image-5.4.0-1071-gkeop | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1071-gkeop |
canonical | ubuntu_linux | linux-image-5.4.0-1088-raspi | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1088-raspi |
canonical | ubuntu_linux | linux-image-5.4.0-1093-kvm | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1093-kvm |
canonical | ubuntu_linux | linux-image-5.4.0-1102-gke | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1102-gke |
canonical | ubuntu_linux | linux-image-5.4.0-1103-oracle | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1103-oracle |
canonical | ubuntu_linux | linux-image-5.4.0-1104-aws | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1104-aws |
canonical | ubuntu_linux | linux-image-5.4.0-1107-gcp | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1107-gcp |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1076
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1077
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1079
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1670
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1859
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1998
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25012
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2985
ubuntu.com/security/notices/USN-6185-1
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.9 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
34.2%