9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
8.5 High
AI Score
Confidence
High
0.013 Low
EPSS
Percentile
85.9%
The remote Ubuntu 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6416-2 advisory.
A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%. (CVE-2023-1206)
A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure. (CVE-2023-20569)
A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol.
This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system. (CVE-2023-2156)
A null pointer dereference flaw was found in the Linux kernel’s DECnet networking protocol. This issue could allow a remote user to crash the system. (CVE-2023-3338)
An issue was discovered in the Linux kernel before 6.3.10. fs/smb/server/smb2misc.c in ksmbd does not validate the relationship between the command payload size and the RFC1002 length specification, leading to an out-of-bounds read. (CVE-2023-38432)
A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel.
This flaw allows a local user with special privileges to impact a kernel information leak issue.
(CVE-2023-3863)
A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition. (CVE-2023-4132)
A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the VMGEXIT
handler recursively. If an attacker manages to call the handler multiple times, they can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages (CONFIG_VMAP_STACK
). (CVE-2023-4155)
A flaw was found in the Linux kernel’s TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 (tun: tun_chr_open(): correctly initialize socket uid), - 66b2c338adce (tap: tap_open():
correctly initialize socket uid), pass inode->i_uid to sock_init_data_uid() as the last parameter and that turns out to not be accurate. (CVE-2023-4194)
A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack. (CVE-2023-4273)
An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.
(CVE-2023-44466)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6416-2. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##
include('compat.inc');
if (description)
{
script_id(182691);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");
script_cve_id(
"CVE-2023-1206",
"CVE-2023-2156",
"CVE-2023-3338",
"CVE-2023-3863",
"CVE-2023-3865",
"CVE-2023-3866",
"CVE-2023-4132",
"CVE-2023-4155",
"CVE-2023-4194",
"CVE-2023-4273",
"CVE-2023-20569",
"CVE-2023-38432",
"CVE-2023-44466"
);
script_xref(name:"USN", value:"6416-2");
script_name(english:"Ubuntu 20.04 LTS : Linux kernel vulnerabilities (USN-6416-2)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-6416-2 advisory.
- A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel's IPv6
functionality when a user makes a new kind of SYN flood attack. A user located in the local network or
with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up
to 95%. (CVE-2023-1206)
- A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address
prediction. This may result in speculative execution at an attacker-controlled address, potentially
leading to information disclosure. (CVE-2023-20569)
- A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol.
This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion
failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the
system. (CVE-2023-2156)
- A null pointer dereference flaw was found in the Linux kernel's DECnet networking protocol. This issue
could allow a remote user to crash the system. (CVE-2023-3338)
- An issue was discovered in the Linux kernel before 6.3.10. fs/smb/server/smb2misc.c in ksmbd does not
validate the relationship between the command payload size and the RFC1002 length specification, leading
to an out-of-bounds read. (CVE-2023-38432)
- A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel.
This flaw allows a local user with special privileges to impact a kernel information leak issue.
(CVE-2023-3863)
- A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs
during device initialization when the siano device is plugged in. This flaw allows a local user to crash
the system, causing a denial of service condition. (CVE-2023-4132)
- A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using
SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke
the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can
trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel
configurations without stack guard pages (`CONFIG_VMAP_STACK`). (CVE-2023-4155)
- A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to
bypass network filters and gain unauthorized access to some resources. The original patches fixing
CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits -
a096ccca6e50 (tun: tun_chr_open(): correctly initialize socket uid), - 66b2c338adce (tap: tap_open():
correctly initialize socket uid), pass inode->i_uid to sock_init_data_uid() as the last parameter and
that turns out to not be accurate. (CVE-2023-4194)
- A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation
of the file name reconstruction function, which is responsible for reading file name entries from a
directory index and merging file name parts belonging to one file into a single long file name. Since the
file name characters are copied into a stack variable, a local privileged attacker could use this flaw to
overflow the kernel stack. (CVE-2023-4273)
- An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer
signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH
frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.
(CVE-2023-44466)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6416-2");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-38432");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/05/09");
script_set_attribute(attribute:"patch_publication_date", value:"2023/10/06");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/06");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1045-oracle");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-86-generic");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-86-generic-64k");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-86-generic-lpae");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2023-2024 Canonical, Inc. / NASL script (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
include('ksplice.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('20.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var kernel_mappings = {
'20.04': {
'5.15.0': {
'generic': '5.15.0-86',
'generic-64k': '5.15.0-86',
'generic-lpae': '5.15.0-86',
'oracle': '5.15.0-1045'
}
}
};
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);
var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-6416-2');
}
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
var cve_list = make_list('CVE-2023-1206', 'CVE-2023-2156', 'CVE-2023-3338', 'CVE-2023-3863', 'CVE-2023-3865', 'CVE-2023-3866', 'CVE-2023-4132', 'CVE-2023-4155', 'CVE-2023-4194', 'CVE-2023-4273', 'CVE-2023-20569', 'CVE-2023-38432', 'CVE-2023-44466');
if (ksplice_cves_check(cve_list))
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-6416-2');
}
else
{
extra = extra + ksplice_reporting_text();
}
}
if (extra) {
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : extra
);
exit(0);
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | linux-image-5.15.0-86-generic | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-86-generic |
canonical | ubuntu_linux | linux-image-5.15.0-86-generic-64k | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-86-generic-64k |
canonical | ubuntu_linux | linux-image-5.15.0-86-generic-lpae | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-86-generic-lpae |
canonical | ubuntu_linux | 20.04 | cpe:/o:canonical:ubuntu_linux:20.04:-:lts |
canonical | ubuntu_linux | linux-image-5.15.0-1045-oracle | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1045-oracle |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1206
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2156
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3338
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38432
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3863
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3865
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3866
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4132
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4155
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4194
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4273
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44466
ubuntu.com/security/notices/USN-6416-2
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
8.5 High
AI Score
Confidence
High
0.013 Low
EPSS
Percentile
85.9%