Amazon Linux AMI : kernel (ALAS-2017-828) - Nessus
High Plugin ID: 100106This page contains detailed information about the Amazon Linux AMI : kernel (ALAS-2017-828) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 100106
Name: Amazon Linux AMI : kernel (ALAS-2017-828)
Filename: ala_ALAS-2017-828.nasl
Vulnerability Published: N/A
This Plugin Published: 2017-05-11
Last Modification Time: 2019-04-10
Plugin Version: 3.7
Plugin Type: local
Plugin Family: Amazon Linux Local Security Checks
Dependencies:
ssh_get_info.nasl
Required KB Items [?]: Host/AmazonLinux/release, Host/AmazonLinux/rpm-list, Host/local_checks_enabled
Vulnerability Information
Severity: High
Vulnerability Published: N/A
Patch Published: 2017-05-10
CVE [?]: CVE-2017-2671, CVE-2017-5967, CVE-2017-7187, CVE-2017-7308, CVE-2017-7616, CVE-2017-7618
CPE [?]: cpe:/o:amazon:linux, p-cpe:/a:amazon:linux:kernel, p-cpe:/a:amazon:linux:kernel-debuginfo, p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686, p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64, p-cpe:/a:amazon:linux:kernel-devel, p-cpe:/a:amazon:linux:kernel-doc, p-cpe:/a:amazon:linux:kernel-headers, p-cpe:/a:amazon:linux:kernel-tools, p-cpe:/a:amazon:linux:kernel-tools-debuginfo, p-cpe:/a:amazon:linux:kernel-tools-devel, p-cpe:/a:amazon:linux:perf, p-cpe:/a:amazon:linux:perf-debuginfo
Exploited by Malware: True
Synopsis
The remote Amazon Linux AMI host is missing a security update.
Description
Infinite recursion in ahash.c by triggering EBUSY on a full queue :
A vulnerability was found in crypto/ahash.c in the Linux kernel which allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue.(CVE-2017-7618)
Time subsystem allows local users to discover real PID values :
The time subsystem in the Linux kernel, when CONFIG_TIMER_STATS is enabled, allows local users to discover real PID values (as distinguished from PID values inside a PID namespace) by reading the /proc/timer_list file, related to the print_timer function in kernel/time/timer_list.c and the __timer_stats_timer_set_start_info function in kernel/time/timer.c.(CVE-2017-5967)
Stack-based buffer overflow in sg_ioctl function :
The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impacts via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function. (CVE-2017-7187)
Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c :
Incorrect error handling in the set_mempolicy() and mbind() compat syscalls in mm/mempolicy.c; in the Linux kernel allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation. (CVE-2017-7616)
Race condition in Link Layer Control :
A race condition leading to a NULL pointer dereference was found in the Linux kernel's Link Layer Control implementation. A local attacker with access to ping sockets could use this flaw to crash the system. (CVE-2017-2671)
Overflow in check for priv area size :
It was found that the packet_set_ring() function of the Linux kernel's networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow, resulting in the crash of the system. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-7308)
Solution
Run 'yum update kernel' to update your system.
Public Exploits
Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Core Impact)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the Amazon Linux AMI : kernel (ALAS-2017-828) vulnerability:
- Metasploit: exploit/linux/local/af_packet_packet_set_ring_priv_esc
[AF_PACKET packet_set_ring Privilege Escalation] - Exploit-DB: exploits/linux/local/41994.c
[EDB-41994: Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation] - Exploit-DB: exploits/linux/local/44654.rb
[EDB-44654: Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit)] - Exploit-DB: exploits/linux/local/47168.c
[EDB-47168: Linux Kernel 4.8.0-34 < 4.8.0-45 (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation] - GitHub: https://github.com/homjxi0e/CVE-2017-2671
[CVE-2017-2671] - GitHub: https://github.com/Al1ex/LinuxEelvation
[CVE-2017-7308] - GitHub: https://github.com/CKmaenn/kernel-exploits
[CVE-2017-7308] - GitHub: https://github.com/De4dCr0w/Linux-kernel-EoP-exp
[CVE-2017-7308] - GitHub: https://github.com/Metarget/metarget
[CVE-2017-7308] - GitHub: https://github.com/R0B1NL1N/Linux-Kernal-Exploits-m-
[CVE-2017-7308] - GitHub: https://github.com/R0B1NL1N/Linux-Kernel-Exploites
[CVE-2017-7308] - GitHub: https://github.com/RLee063/RLee063
[CVE-2017-7308] - GitHub: https://github.com/Snoopy-Sec/Localroot-ALL-CVE
[CVE-2017-7308] - GitHub: https://github.com/Technoashofficial/kernel-exploitation-linux
[CVE-2017-7308] - GitHub: https://github.com/amrelsadane123/Ecploit-kernel-4.10-linux-local
[CVE-2017-7308] - GitHub: https://github.com/anoaghost/Localroot_Compile
[CVE-2017-7308] - GitHub: https://github.com/bcoles/kernel-exploits
[CVE-2017-7308] - GitHub: https://github.com/bitdefender/vbh_sample
[CVE-2017-7308] - GitHub: https://github.com/bsauce/kernel-exploit-factory
[CVE-2017-7308] - GitHub: https://github.com/bsauce/kernel-security-learning
[CVE-2017-7308] - GitHub: https://github.com/ferovap/Tools
[CVE-2017-7308] - GitHub: https://github.com/h4x0r-dz/local-root-exploit-
[CVE-2017-7308] - GitHub: https://github.com/jiayy/android_vuln_poc-exp
[CVE-2017-7308] - GitHub: https://github.com/n3t1nv4d3/kernel-exploits
[CVE-2017-7308] - GitHub: https://github.com/qiantu88/Linux--exp
[CVE-2017-7308] - GitHub: https://github.com/rakjong/LinuxElevation
[CVE-2017-7308] - GitHub: https://github.com/skbasava/Linux-Kernel-exploit
[CVE-2017-7308] - GitHub: https://github.com/spencerdodd/kernelpop
[CVE-2017-7308] - GitHub: https://github.com/xairy/kernel-exploits
[CVE-2017-7308] - GitHub: https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308
[CVE-2017-7308] - GitHub: https://github.com/xairy/linux-kernel-exploitation
[CVE-2017-7308] - GitHub: https://github.com/Technoashofficial/kernel-exploitation-linux
[CVE-2017-7616] - GitHub: https://github.com/skbasava/Linux-Kernel-exploit
[CVE-2017-7616] - GitHub: https://github.com/xairy/linux-kernel-exploitation
[CVE-2017-7616]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
| CVSS Base Score: | 7.8 (High) |
| Impact Subscore: | 6.9 |
| Exploitability Subscore: | 10.0 |
| CVSS Temporal Score: | 6.8 (Medium) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 6.8 (Medium) |
| CVSS Base Score: | 7.8 (High) |
| Impact Subscore: | 5.9 |
| Exploitability Subscore: | 1.8 |
| CVSS Temporal Score: | 7.5 (High) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 7.5 (High) |
Go back to menu.
Plugin Source
This is the ala_ALAS-2017-828.nasl nessus plugin source code. This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2017-828.
#
include("compat.inc");
if (description)
{
script_id(100106);
script_version("3.7");
script_cvs_date("Date: 2019/04/10 16:10:16");
script_cve_id("CVE-2017-2671", "CVE-2017-5967", "CVE-2017-7187", "CVE-2017-7308", "CVE-2017-7616", "CVE-2017-7618");
script_xref(name:"ALAS", value:"2017-828");
script_name(english:"Amazon Linux AMI : kernel (ALAS-2017-828)");
script_summary(english:"Checks rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:"The remote Amazon Linux AMI host is missing a security update."
);
script_set_attribute(
attribute:"description",
value:
"Infinite recursion in ahash.c by triggering EBUSY on a full queue :
A vulnerability was found in crypto/ahash.c in the Linux kernel which
allows attackers to cause a denial of service (API operation calling
its own callback, and infinite recursion) by triggering EBUSY on a
full queue.(CVE-2017-7618)
Time subsystem allows local users to discover real PID values :
The time subsystem in the Linux kernel, when CONFIG_TIMER_STATS is
enabled, allows local users to discover real PID values (as
distinguished from PID values inside a PID namespace) by reading the
/proc/timer_list file, related to the print_timer function in
kernel/time/timer_list.c and the __timer_stats_timer_set_start_info
function in kernel/time/timer.c.(CVE-2017-5967)
Stack-based buffer overflow in sg_ioctl function :
The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allows
local users to cause a denial of service (stack-based buffer overflow)
or possibly have unspecified other impacts via a large command size in
an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access
in the sg_write function. (CVE-2017-7187)
Incorrect error handling in the set_mempolicy and mbind compat
syscalls in mm/mempolicy.c :
Incorrect error handling in the set_mempolicy() and mbind() compat
syscalls in mm/mempolicy.c; in the Linux kernel allows local users to
obtain sensitive information from uninitialized stack data by
triggering failure of a certain bitmap operation. (CVE-2017-7616)
Race condition in Link Layer Control :
A race condition leading to a NULL pointer dereference was found in
the Linux kernel's Link Layer Control implementation. A local attacker
with access to ping sockets could use this flaw to crash the system.
(CVE-2017-2671)
Overflow in check for priv area size :
It was found that the packet_set_ring() function of the Linux kernel's
networking implementation did not properly validate certain block-size
data. A local attacker with CAP_NET_RAW capability could use this flaw
to trigger a buffer overflow, resulting in the crash of the system.
Due to the nature of the flaw, privilege escalation cannot be fully
ruled out, although we believe it is unlikely. (CVE-2017-7308)"
);
script_set_attribute(
attribute:"see_also",
value:"https://alas.aws.amazon.com/ALAS-2017-828.html"
);
script_set_attribute(
attribute:"solution",
value:"Run 'yum update kernel' to update your system."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'AF_PACKET packet_set_ring Privilege Escalation');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf-debuginfo");
script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
script_set_attribute(attribute:"patch_publication_date", value:"2017/05/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/11");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Amazon Linux Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
if (os_ver == 'A') os_ver = 'AMI';
audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}
if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (rpm_check(release:"ALA", reference:"kernel-4.9.27-14.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"kernel-debuginfo-4.9.27-14.31.amzn1")) flag++;
if (rpm_check(release:"ALA", cpu:"i686", reference:"kernel-debuginfo-common-i686-4.9.27-14.31.amzn1")) flag++;
if (rpm_check(release:"ALA", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-4.9.27-14.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"kernel-devel-4.9.27-14.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"kernel-doc-4.9.27-14.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"kernel-headers-4.9.27-14.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"kernel-tools-4.9.27-14.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"kernel-tools-debuginfo-4.9.27-14.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"kernel-tools-devel-4.9.27-14.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"perf-4.9.27-14.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"perf-debuginfo-4.9.27-14.31.amzn1")) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
else security_hole(0);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-debuginfo / kernel-debuginfo-common-i686 / etc");
}
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/ala_ALAS-2017-828.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\ala_ALAS-2017-828.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/ala_ALAS-2017-828.nasl
Go back to menu.
How to Run
Here is how to run the Amazon Linux AMI : kernel (ALAS-2017-828) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select Amazon Linux Local Security Checks plugin family.
- On the right side table select Amazon Linux AMI : kernel (ALAS-2017-828) plugin ID 100106.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl ala_ALAS-2017-828.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a ala_ALAS-2017-828.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - ala_ALAS-2017-828.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state ala_ALAS-2017-828.nasl -t <IP/HOST>Go back to menu.
References
ALAS | Amazon Linux Security Advisory: See also:
- https://www.tenable.com/plugins/nessus/100106
- https://alas.aws.amazon.com/ALAS-2017-828.html
- https://vulners.com/nessus/ALA_ALAS-2017-828.NASL
- 100023 - SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1183-1)
- 100044 - openSUSE Security Update : the Linux Kernel (openSUSE-2017-562)
- 100150 - SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1247-1)
- 100206 - SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1278-1)
- 100207 - SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1281-1)
- 100209 - SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1285-1)
- 100210 - SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1287-1)
- 100211 - SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1291-1)
- 100212 - SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1299-1)
- 100213 - SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1300-1)
- 100214 - SUSE SLES11 Security Update : kernel (SUSE-SU-2017:1301-1)
- 100215 - SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1302-1)
- 100234 - Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3566)
- 100235 - Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3567)
- 100237 - OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0105)
- 100238 - OracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0106)
- 100252 - Ubuntu 16.04 LTS : linux vulnerabilities (USN-3291-1)
- 100255 - Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3293-1)
- 100266 - Ubuntu 16.04 LTS : linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities (USN-3291-2)
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file ala_ALAS-2017-828.nasl version 3.7. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
