9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.3 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
69.7%
The remote Ubuntu 23.04 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6283-1 advisory.
A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication. (CVE-2023-2002)
A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub- component. (CVE-2023-2269)
A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak. (CVE-2023-3141)
A flaw was found in the Linux kernel’s ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_TREE_CONNECT and SMB2_QUERY_INFO commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. (CVE-2023-32248)
A flaw was found in the Linux kernel’s ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel. (CVE-2023-32254)
An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information. (CVE-2023-3268)
A vulnerability was found in drivers/cpufreq/qcom-cpufreq-hw.c in cpufreq subsystem in the Linux Kernel.
This flaw, during device unbind will lead to double release problem leading to denial of service.
(CVE-2023-3312)
A use-after-free flaw was found in mt7921_check_offload_capability in drivers/net/wireless/mediatek/mt76/mt7921/init.c in wifi mt76/mt7921 sub-component in the Linux Kernel.
This flaw could allow an attacker to crash the system after ‘features’ memory release. This vulnerability could even lead to a kernel information leak problem. (CVE-2023-3317)
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c. (CVE-2023-35823)
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c. (CVE-2023-35824)
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in cedrus_remove in drivers/staging/media/sunxi/cedrus/cedrus.c. (CVE-2023-35826)
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c. (CVE-2023-35828)
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c. (CVE-2023-35829)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6283-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##
include('compat.inc');
if (description)
{
script_id(179705);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");
script_cve_id(
"CVE-2023-2002",
"CVE-2023-2269",
"CVE-2023-3141",
"CVE-2023-3268",
"CVE-2023-3312",
"CVE-2023-3317",
"CVE-2023-32248",
"CVE-2023-32254",
"CVE-2023-35823",
"CVE-2023-35824",
"CVE-2023-35826",
"CVE-2023-35828",
"CVE-2023-35829"
);
script_xref(name:"USN", value:"6283-1");
script_name(english:"Ubuntu 23.04 : Linux kernel vulnerabilities (USN-6283-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 23.04 host has a package installed that is affected by multiple vulnerabilities as referenced in the
USN-6283-1 advisory.
- A vulnerability was found in the HCI sockets implementation due to a missing capability check in
net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of
management commands, compromising the confidentiality, integrity, and availability of Bluetooth
communication. (CVE-2023-2002)
- A denial of service problem was found, due to a possible recursive locking scenario, resulting in a
deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-
component. (CVE-2023-2269)
- A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the
Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading
to a kernel information leak. (CVE-2023-3141)
- A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw
exists within the handling of SMB2_TREE_CONNECT and SMB2_QUERY_INFO commands. The issue results from the
lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability
to create a denial-of-service condition on the system. (CVE-2023-32248)
- A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw
exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of proper
locking when performing operations on an object. An attacker can leverage this vulnerability to execute
code in the context of the kernel. (CVE-2023-32254)
- An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in
kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel
internal information. (CVE-2023-3268)
- A vulnerability was found in drivers/cpufreq/qcom-cpufreq-hw.c in cpufreq subsystem in the Linux Kernel.
This flaw, during device unbind will lead to double release problem leading to denial of service.
(CVE-2023-3312)
- A use-after-free flaw was found in mt7921_check_offload_capability in
drivers/net/wireless/mediatek/mt76/mt7921/init.c in wifi mt76/mt7921 sub-component in the Linux Kernel.
This flaw could allow an attacker to crash the system after 'features' memory release. This vulnerability
could even lead to a kernel information leak problem. (CVE-2023-3317)
- An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in
drivers/media/pci/saa7134/saa7134-core.c. (CVE-2023-35823)
- An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in
drivers/media/pci/dm1105/dm1105.c. (CVE-2023-35824)
- An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in cedrus_remove in
drivers/staging/media/sunxi/cedrus/cedrus.c. (CVE-2023-35826)
- An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in
renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c. (CVE-2023-35828)
- An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in
drivers/staging/media/rkvdec/rkvdec.c. (CVE-2023-35829)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6283-1");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-32254");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/04/25");
script_set_attribute(attribute:"patch_publication_date", value:"2023/08/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/08/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:23.04");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1007-ibm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1009-aws");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1009-azure");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1009-oracle");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1010-raspi");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1011-gcp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-27-generic");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-27-generic-64k");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-27-generic-lpae");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2023-2024 Canonical, Inc. / NASL script (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
include('ksplice.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('23.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 23.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var kernel_mappings = {
'23.04': {
'6.2.0': {
'generic': '6.2.0-27',
'generic-64k': '6.2.0-27',
'generic-lpae': '6.2.0-27',
'ibm': '6.2.0-1007',
'aws': '6.2.0-1009',
'azure': '6.2.0-1009',
'oracle': '6.2.0-1009',
'raspi': '6.2.0-1010',
'gcp': '6.2.0-1011'
}
}
};
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);
var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-6283-1');
}
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
var cve_list = make_list('CVE-2023-2002', 'CVE-2023-2269', 'CVE-2023-3141', 'CVE-2023-3268', 'CVE-2023-3312', 'CVE-2023-3317', 'CVE-2023-32248', 'CVE-2023-32254', 'CVE-2023-35823', 'CVE-2023-35824', 'CVE-2023-35826', 'CVE-2023-35828', 'CVE-2023-35829');
if (ksplice_cves_check(cve_list))
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-6283-1');
}
else
{
extra = extra + ksplice_reporting_text();
}
}
if (extra) {
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : extra
);
exit(0);
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | 23.04 | cpe:/o:canonical:ubuntu_linux:23.04 |
canonical | ubuntu_linux | linux-image-6.2.0-1007-ibm | p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1007-ibm |
canonical | ubuntu_linux | linux-image-6.2.0-1009-aws | p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1009-aws |
canonical | ubuntu_linux | linux-image-6.2.0-1009-azure | p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1009-azure |
canonical | ubuntu_linux | linux-image-6.2.0-1009-oracle | p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1009-oracle |
canonical | ubuntu_linux | linux-image-6.2.0-1010-raspi | p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1010-raspi |
canonical | ubuntu_linux | linux-image-6.2.0-1011-gcp | p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1011-gcp |
canonical | ubuntu_linux | linux-image-6.2.0-27-generic | p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-27-generic |
canonical | ubuntu_linux | linux-image-6.2.0-27-generic-64k | p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-27-generic-64k |
canonical | ubuntu_linux | linux-image-6.2.0-27-generic-lpae | p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-27-generic-lpae |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2002
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2269
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3141
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32248
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32254
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3268
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3312
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3317
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35823
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35824
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35826
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35828
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35829
ubuntu.com/security/notices/USN-6283-1
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.3 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
69.7%