7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.7 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
67.9%
The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6701-4 advisory.
A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication. (CVE-2023-2002)
In the Linux kernel before 5.17, drivers/phy/tegra/xusb.c mishandles the tegra_xusb_find_port_node return value. Callers expect NULL in the error case, but an error pointer is used. (CVE-2023-23000)
A known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim’s hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible. (CVE-2023-3006)
An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated When modifying the block device while it is mounted by the filesystem access.
(CVE-2023-34256)
An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.
(CVE-2023-39197)
A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition. (CVE-2023-4132)
Transmit requests in Xen’s virtual network protocol can consist of multiple parts. While not really useful, except for the initial part any of them may be of zero length, i.e. carry no data at all. Besides a certain initial portion of the to be transferred data, these parts are directly translated into what Linux calls SKB fragments. Such converted request parts can, when for a particular SKB they are all of length zero, lead to a de-reference of NULL in core networking code. (CVE-2023-46838)
An issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use- after-free because of an atalk_recvmsg race condition. (CVE-2023-51781)
An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).
(CVE-2023-6121)
A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local user to cause an information leak problem while freeing the old quota file names before a potential failure, leading to a use-after-free. (CVE-2024-0775)
A use-after-free vulnerability in the Linux kernel’s netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. (CVE-2024-1086)
A race condition was found in the Linux kernel’s scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue. (CVE-2024-24855)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6701-4. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##
include('compat.inc');
if (description)
{
script_id(193083);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/30");
script_cve_id(
"CVE-2023-2002",
"CVE-2023-3006",
"CVE-2023-4132",
"CVE-2023-6121",
"CVE-2023-23000",
"CVE-2023-34256",
"CVE-2023-39197",
"CVE-2023-46838",
"CVE-2023-51781",
"CVE-2024-0775",
"CVE-2024-1086",
"CVE-2024-24855"
);
script_xref(name:"USN", value:"6701-4");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2024/06/20");
script_name(english:"Ubuntu 14.04 LTS : Linux kernel (Azure) vulnerabilities (USN-6701-4)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-6701-4 advisory.
- A vulnerability was found in the HCI sockets implementation due to a missing capability check in
net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of
management commands, compromising the confidentiality, integrity, and availability of Bluetooth
communication. (CVE-2023-2002)
- In the Linux kernel before 5.17, drivers/phy/tegra/xusb.c mishandles the tegra_xusb_find_port_node return
value. Callers expect NULL in the error case, but an error pointer is used. (CVE-2023-23000)
- A known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes
actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code
uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted
branches within the victim's hardware context. Once that occurs, speculation caused by the mispredicted
branches can cause cache allocation. This issue leads to obtaining information that should not be
accessible. (CVE-2023-3006)
- An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in
lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an
offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against
attackers with the stated When modifying the block device while it is mounted by the filesystem access.
(CVE-2023-34256)
- An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux
kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.
(CVE-2023-39197)
- A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs
during device initialization when the siano device is plugged in. This flaw allows a local user to crash
the system, causing a denial of service condition. (CVE-2023-4132)
- Transmit requests in Xen's virtual network protocol can consist of multiple parts. While not really
useful, except for the initial part any of them may be of zero length, i.e. carry no data at all. Besides
a certain initial portion of the to be transferred data, these parts are directly translated into what
Linux calls SKB fragments. Such converted request parts can, when for a particular SKB they are all of
length zero, lead to a de-reference of NULL in core networking code. (CVE-2023-46838)
- An issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-
after-free because of an atalk_recvmsg race condition. (CVE-2023-51781)
- An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue
may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that
results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).
(CVE-2023-6121)
- A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This
flaw allows a local user to cause an information leak problem while freeing the old quota file names
before a potential failure, leading to a use-after-free. (CVE-2024-0775)
- A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to
achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error
within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when
NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit
f342de4e2f33e0e39165d8639387aa6c19dff660. (CVE-2024-1086)
- A race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan()
function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or
denial of service issue. (CVE-2024-24855)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6701-4");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-39197");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2024-1086");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/03/01");
script_set_attribute(attribute:"patch_publication_date", value:"2024/04/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/09");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1175-azure");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2024 Canonical, Inc. / NASL script (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
include('ksplice.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var kernel_mappings = {
'14.04': {
'4.15.0': {
'azure': '4.15.0-1175'
}
}
};
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);
var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-6701-4');
}
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
var cve_list = make_list('CVE-2023-2002', 'CVE-2023-3006', 'CVE-2023-4132', 'CVE-2023-6121', 'CVE-2023-23000', 'CVE-2023-34256', 'CVE-2023-39197', 'CVE-2023-46838', 'CVE-2023-51781', 'CVE-2024-0775', 'CVE-2024-1086', 'CVE-2024-24855');
if (ksplice_cves_check(cve_list))
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-6701-4');
}
else
{
extra = extra + ksplice_reporting_text();
}
}
if (extra) {
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : extra
);
exit(0);
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | 14.04 | cpe:/o:canonical:ubuntu_linux:14.04:-:lts |
canonical | ubuntu_linux | linux-image-4.15.0-1175-azure | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1175-azure |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2002
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23000
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3006
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34256
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39197
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4132
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46838
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51781
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6121
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0775
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1086
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24855
ubuntu.com/security/notices/USN-6701-4
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.7 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
67.9%