Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3619-1) - Nessus

High   Plugin ID: 108842

This page contains detailed information about the Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3619-1) Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 108842
Name: Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3619-1)
Filename: ubuntu_USN-3619-1.nasl
Vulnerability Published: 2017-07-20
This Plugin Published: 2018-04-05
Last Modification Time: 2019-09-18
Plugin Version: 1.11
Plugin Type: local
Plugin Family: Ubuntu Local Security Checks
Dependencies: linux_alt_patch_detect.nasl, ssh_get_info.nasl
Required KB Items: Host/cpu, Host/Debian/dpkg-l, Host/Ubuntu, Host/Ubuntu/release

Vulnerability Information


Severity: High
Vulnerability Published: 2017-07-20
Patch Published: 2018-04-04
CVE: CVE-2017-0861, CVE-2017-7518, CVE-2017-11472, CVE-2017-15129, CVE-2017-16528, CVE-2017-16532, CVE-2017-16536, CVE-2017-16537, CVE-2017-16645, CVE-2017-16646, CVE-2017-16649, CVE-2017-16650, CVE-2017-16911, CVE-2017-16912, CVE-2017-16913, CVE-2017-16914, CVE-2017-16994, CVE-2017-16995, CVE-2017-17448, CVE-2017-17449, CVE-2017-17450, CVE-2017-17558, CVE-2017-17741, CVE-2017-17805, CVE-2017-17806, CVE-2017-17807, CVE-2017-17862, CVE-2017-18075, CVE-2017-18203, CVE-2017-18204, CVE-2017-18208, CVE-2017-1000407, CVE-2018-5332, CVE-2018-5333, CVE-2018-5344, CVE-2018-6927, CVE-2018-7492, CVE-2018-8043, CVE-2018-1000026
CPE: cpe:/o:canonical:ubuntu_linux:16.04, p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-aws, p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic, p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae, p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-kvm, p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency, p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-raspi2, p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-snapdragon, p-cpe:/a:canonical:ubuntu_linux:linux-image-aws, p-cpe:/a:canonical:ubuntu_linux:linux-image-generic, p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae, p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm, p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency, p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2, p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon
Exploited by Malware: True

Synopsis

The remote Ubuntu host is missing one or more security-related patches.

Description

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16995)

It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861)

It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407)

It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses). (CVE-2017-11472)

It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129)

It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528)

Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532)

Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536)

Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537)

Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645)

Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646)

Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649)

Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650)

It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911)

It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912)

It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913)

It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16914)

It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994)

It was discovered that the netfilter component of the Linux kernel did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448)

It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449)

It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450)

It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741)

It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805)

It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806)

It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task's default keyring. A local attacker could use this to add keys to unauthorized keyrings. (CVE-2017-17807)

Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel contained a branch-pruning logic issue around unreachable code. A local attacker could use this to cause a denial of service. (CVE-2017-17862)

It was discovered that the parallel cryptography component of the Linux kernel incorrectly freed kernel memory. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18075)

It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203)

It was discovered that a race condition existed in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18204)

It was discovered that an infinite loop could occur in the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208)

Andy Lutomirski discovered that the KVM implementation in the Linux kernel was vulnerable to a debug exception error when single-stepping through a syscall. A local attacker in a non-Linux guest VM could possibly use this to gain administrative privileges in the guest VM. (CVE-2017-7518)

It was discovered that the Broadcom NetXtremeII Ethernet driver in the Linux kernel did not properly validate Generic Segment Offload (GSO) packet sizes. An attacker could use this to cause a denial of service (interface unavailability). (CVE-2018-1000026)

It was discovered that the Reliable Datagram Socket (RDS) implementation in the Linux kernel contained an out-of-bounds write during RDMA page allocation. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5332)

Mohamed Ghannam discovered a NULL pointer dereference in the RDS (Reliable Datagram Sockets) protocol implementation of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5333)

Fan Long Fei discovered that a race condition existed in the loop block device implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5344)

It was discovered that an integer overflow error existed in the futex implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-6927)

It was discovered that a NULL pointer dereference existed in the RDS (Reliable Datagram Sockets) protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-7492)

It was discovered that the Broadcom UniMAC MDIO bus controller driver in the Linux kernel did not properly validate device resources. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-8043).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected packages.

Public Exploits


Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3619-1) vulnerability:

  1. Metasploit: exploit/linux/local/bpf_sign_extension_priv_esc
    [Linux BPF Sign Extension Local Privilege Escalation]
  2. Metasploit: exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc
    [Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation]
  3. Exploit-DB: exploits/linux/local/45010.c
    [EDB-45010: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation]
  4. Exploit-DB: exploits/linux/local/45058.rb
    [EDB-45058: Linux - BPF Sign Extension Local Privilege Escalation (Metasploit)]
  5. Exploit-DB: exploits/linux/local/47957.rb
    [EDB-47957: Reliable Datagram Sockets (RDS) - rds_atomic_free_op NULL pointer dereference Privilege Escalation (Metasploit)]
  6. GitHub: https://github.com/wiseeyesent/cves
    [CVE-2017-0861]
  7. GitHub: https://github.com/AfvanMoopen/tryhackme-
    [CVE-2017-16995]
  8. GitHub: https://github.com/Al1ex/LinuxEelvation
    [CVE-2017-16995]
  9. GitHub: https://github.com/De4dCr0w/Linux-kernel-EoP-exp
    [CVE-2017-16995]
  10. GitHub: https://github.com/Dk0n9/linux_exploit
    [CVE-2017-16995]
  11. GitHub: https://github.com/Getshell/LinuxTQ
    [CVE-2017-16995]
  12. GitHub: https://github.com/Jean-Francois-C/Boot2root-CTFs-Writeups
    [CVE-2017-16995]
  13. GitHub: https://github.com/Lumindu/CVE-2017-16995-Linux-Kernel---BPF-Sign-Extension-Local-Privilege-Escalation-
    [CVE-2017-16995]
  14. GitHub: https://github.com/Metarget/metarget
    [CVE-2017-16995]
  15. GitHub: https://github.com/R0B1NL1N/Linux-Kernal-Exploits-m-
    [CVE-2017-16995]
  16. GitHub: https://github.com/SexyBeast233/SecBooks
    [CVE-2017-16995]
  17. GitHub: https://github.com/Snoopy-Sec/Localroot-ALL-CVE
    [CVE-2017-16995]
  18. GitHub: https://github.com/Technoashofficial/kernel-exploitation-linux
    [CVE-2017-16995]
  19. GitHub: https://github.com/WireFisher/LearningFromCVE
    [CVE-2017-16995]
  20. GitHub: https://github.com/anoaghost/Localroot_Compile
    [CVE-2017-16995]
  21. GitHub: https://github.com/bsauce/kernel-exploit-factory
    [CVE-2017-16995]
  22. GitHub: https://github.com/bsauce/kernel-security-learning
    [CVE-2017-16995]
  23. GitHub: https://github.com/catsecorg/CatSec-TryHackMe-WriteUps
    [CVE-2017-16995]
  24. GitHub: https://github.com/dangokyo/CVE_2017_16995
    [CVE-2017-16995]
  25. GitHub: https://github.com/fengjixuchui/RedTeamer
    [CVE-2017-16995]
  26. GitHub: https://github.com/gugronnier/CVE-2017-16995
    [CVE-2017-16995: Exploit adapted for a specific PoC on Ubuntu 16.04.01]
  27. GitHub: https://github.com/holmes-py/King-of-the-hill
    [CVE-2017-16995]
  28. GitHub: https://github.com/integeruser/on-pwning
    [CVE-2017-16995]
  29. GitHub: https://github.com/jas502n/Ubuntu-0day
    [CVE-2017-16995]
  30. GitHub: https://github.com/likescam/Ubuntu-0day-2017
    [CVE-2017-16995]
  31. GitHub: https://github.com/littlebin404/CVE-2017-16995
    [CVE-2017-16995: CVE-2017-16995 Ubuntu local privilege escalation POC]
  32. GitHub: https://github.com/mzet-/linux-exploit-suggester
    [CVE-2017-16995]
  33. GitHub: https://github.com/ph4ntonn/CVE-2017-16995
    [CVE-2017-16995: 👻CVE-2017-16995]
  34. GitHub: https://github.com/qazbnm456/awesome-cve-poc/blob/master/CVE-2017-16995.md
    [CVE-2017-16995]
  35. GitHub: https://github.com/qiantu88/Linux--exp
    [CVE-2017-16995]
  36. GitHub: https://github.com/rakjong/LinuxElevation
    [CVE-2017-16995]
  37. GitHub: https://github.com/ret2p4nda/kernel-pwn
    [CVE-2017-16995]
  38. GitHub: https://github.com/rootclay/Ubuntu-16.04-0Day
    [CVE-2017-16995]
  39. GitHub: https://github.com/senyuuri/cve-2017-16995
    [CVE-2017-16995: Writeup for CVE-2017-16995 Linux BPF Local Privilege Escalation]
  40. GitHub: https://github.com/thelostvoice/global-takeover
    [CVE-2017-16995]
  41. GitHub: https://github.com/thelostvoice/inept-us-military
    [CVE-2017-16995]
  42. GitHub: https://github.com/vnik5287/CVE-2017-16995
    [CVE-2017-16995: CVE-2017-16995 eBPF PoC for Ubuntu 16.04]
  43. GitHub: https://github.com/xairy/linux-kernel-exploitation
    [CVE-2017-16995]
  44. GitHub: https://github.com/Al1ex/LinuxEelvation
    [CVE-2018-5333]
  45. GitHub: https://github.com/De4dCr0w/Linux-kernel-EoP-exp
    [CVE-2018-5333]
  46. GitHub: https://github.com/bcoles/kernel-exploits
    [CVE-2018-5333]
  47. GitHub: https://github.com/bsauce/kernel-exploit-factory
    [CVE-2018-5333]
  48. GitHub: https://github.com/bsauce/kernel-security-learning
    [CVE-2018-5333]
  49. GitHub: https://github.com/n3t1nv4d3/kernel-exploits
    [CVE-2018-5333]
  50. GitHub: https://github.com/Al1ex/CVE-2017-16995
    [CVE-2017-16995: CVE-2017-16995 (Ubuntu local privilege escalation vulnerability)]
  51. GitHub: https://github.com/C0dak/CVE-2017-16995
    [CVE-2017-16995: Linux Kernel Version 4.14 - 4.4 (Ubuntu && Debian)]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
CVSS Base Score: 7.2 (High)
Impact Subscore: 10.0
Exploitability Subscore: 3.9
CVSS Temporal Score: 6.3 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 6.3 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS Base Score: 7.8 (High)
Impact Subscore: 5.9
Exploitability Subscore: 1.8
CVSS Temporal Score: 7.5 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 7.5 (High)

Plugin Source


This is the ubuntu_USN-3619-1.nasl nessus plugin source code. Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3619-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(108842);
  script_version("1.11");
  script_cvs_date("Date: 2019/09/18 12:31:48");

  script_cve_id("CVE-2017-0861", "CVE-2017-1000407", "CVE-2017-11472", "CVE-2017-15129", "CVE-2017-16528", "CVE-2017-16532", "CVE-2017-16536", "CVE-2017-16537", "CVE-2017-16645", "CVE-2017-16646", "CVE-2017-16649", "CVE-2017-16650", "CVE-2017-16911", "CVE-2017-16912", "CVE-2017-16913", "CVE-2017-16914", "CVE-2017-16994", "CVE-2017-16995", "CVE-2017-17448", "CVE-2017-17449", "CVE-2017-17450", "CVE-2017-17558", "CVE-2017-17741", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-17807", "CVE-2017-17862", "CVE-2017-18075", "CVE-2017-18203", "CVE-2017-18204", "CVE-2017-18208", "CVE-2017-7518", "CVE-2018-1000026", "CVE-2018-5332", "CVE-2018-5333", "CVE-2018-5344", "CVE-2018-6927", "CVE-2018-7492", "CVE-2018-8043");
  script_xref(name:"USN", value:"3619-1");

  script_name(english:"Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3619-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Jann Horn discovered that the Berkeley Packet Filter (BPF)
implementation in the Linux kernel improperly performed sign extension
in some situations. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16995)

It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2017-0861)

It was discovered that the KVM implementation in the Linux kernel
allowed passthrough of the diagnostic I/O port 0x80. An attacker in a
guest VM could use this to cause a denial of service (system crash) in
the host OS. (CVE-2017-1000407)

It was discovered that an information disclosure vulnerability existed
in the ACPI implementation of the Linux kernel. A local attacker could
use this to expose sensitive information (kernel memory addresses).
(CVE-2017-11472)

It was discovered that a use-after-free vulnerability existed in the
network namespaces implementation in the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-15129)

It was discovered that the Advanced Linux Sound Architecture (ALSA)
subsystem in the Linux kernel contained a use-after-free when handling
device removal. A physically proximate attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-16528)

Andrey Konovalov discovered that the usbtest device driver in the
Linux kernel did not properly validate endpoint metadata. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2017-16532)

Andrey Konovalov discovered that the Conexant cx231xx USB video
capture driver in the Linux kernel did not properly validate interface
descriptors. A physically proximate attacker could use this to cause a
denial of service (system crash). (CVE-2017-16536)

Andrey Konovalov discovered that the SoundGraph iMON USB driver in the
Linux kernel did not properly validate device metadata. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2017-16537)

Andrey Konovalov discovered that the IMS Passenger Control Unit USB
driver in the Linux kernel did not properly validate device
descriptors. A physically proximate attacker could use this to cause a
denial of service (system crash). (CVE-2017-16645)

Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in
the Linux kernel did not properly handle detach events. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2017-16646)

Andrey Konovalov discovered that the CDC USB Ethernet driver did not
properly validate device descriptors. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2017-16649)

Andrey Konovalov discovered that the QMI WWAN USB driver did not
properly validate device descriptors. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2017-16650)

It was discovered that the USB Virtual Host Controller Interface
(VHCI) driver in the Linux kernel contained an information disclosure
vulnerability. A physically proximate attacker could use this to
expose sensitive information (kernel memory). (CVE-2017-16911)

It was discovered that the USB over IP implementation in the Linux
kernel did not validate endpoint numbers. A remote attacker could use
this to cause a denial of service (system crash). (CVE-2017-16912)

It was discovered that the USB over IP implementation in the Linux
kernel did not properly validate CMD_SUBMIT packets. A remote attacker
could use this to cause a denial of service (excessive memory
consumption). (CVE-2017-16913)

It was discovered that the USB over IP implementation in the Linux
kernel contained a NULL pointer dereference error. A remote attacker
could use this to cause a denial of service (system crash).
(CVE-2017-16914)

It was discovered that the HugeTLB component of the Linux kernel did
not properly handle holes in hugetlb ranges. A local attacker could
use this to expose sensitive information (kernel memory).
(CVE-2017-16994)

It was discovered that the netfilter component of the Linux did not
properly restrict access to the connection tracking helpers list. A
local attacker could use this to bypass intended access restrictions.
(CVE-2017-17448)

It was discovered that the netlink subsystem in the Linux kernel did
not properly restrict observations of netlink messages to the
appropriate net namespace. A local attacker could use this to expose
sensitive information (kernel netlink traffic). (CVE-2017-17449)

It was discovered that the netfilter passive OS fingerprinting
(xt_osf) module did not properly perform access control checks. A
local attacker could improperly modify the system-wide OS fingerprint
list. (CVE-2017-17450)

It was discovered that the core USB subsystem in the Linux kernel did
not validate the number of configurations and interfaces in a device.
A physically proximate attacker could use this to cause a denial of
service (system crash). (CVE-2017-17558)

Dmitry Vyukov discovered that the KVM implementation in the Linux
kernel contained an out-of-bounds read when handling memory-mapped
I/O. A local attacker could use this to expose sensitive information.
(CVE-2017-17741)

It was discovered that the Salsa20 encryption algorithm
implementations in the Linux kernel did not properly handle
zero-length inputs. A local attacker could use this to cause a denial
of service (system crash). (CVE-2017-17805)

It was discovered that the HMAC implementation did not validate the
state of the underlying cryptographic hash algorithm. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2017-17806)

It was discovered that the keyring implementation in the Linux kernel
did not properly check permissions when a key request was performed on
a task's' default keyring. A local attacker could use this to add keys
to unauthorized keyrings. (CVE-2017-17807)

Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF)
implementation in the Linux kernel contained a branch-pruning logic
issue around unreachable code. A local attacker could use this to
cause a denial of service. (CVE-2017-17862)

It was discovered that the parallel cryptography component of the
Linux kernel incorrectly freed kernel memory. A local attacker could
use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2017-18075)

It was discovered that a race condition existed in the Device Mapper
component of the Linux kernel. A local attacker could use this to
cause a denial of service (system crash). (CVE-2017-18203)

It was discovered that a race condition existed in the OCFS2 file
system implementation in the Linux kernel. A local attacker could use
this to cause a denial of service (kernel deadlock). (CVE-2017-18204)

It was discovered that an infinite loop could occur in the the
madvise(2) implementation in the Linux kernel in certain
circumstances. A local attacker could use this to cause a denial of
service (system hang). (CVE-2017-18208)

Andy Lutomirski discovered that the KVM implementation in the Linux
kernel was vulnerable to a debug exception error when single-stepping
through a syscall. A local attacker in a non-Linux guest vm could
possibly use this to gain administrative privileges in the guest vm.
(CVE-2017-7518)

It was discovered that the Broadcom NetXtremeII ethernet driver in the
Linux kernel did not properly validate Generic Segment Offload (GSO)
packet sizes. An attacker could use this to cause a denial of service
(interface unavailability). (CVE-2018-1000026)

It was discovered that the Reliable Datagram Socket (RDS)
implementation in the Linux kernel contained an out-of-bounds write
during RDMA page allocation. An attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-5332)

Mohamed Ghannam discovered a NULL pointer dereference in the RDS
(Reliable Datagram Sockets) protocol implementation of the Linux
kernel. A local attacker could use this to cause a denial of service
(system crash). (CVE-2018-5333)

Fan Long Fei  discovered that a race condition existed in loop block
device implementation in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2018-5344)

It was discovered that an integer overflow error existed in the futex
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash). (CVE-2018-6927)

It was discovered that a NULL pointer dereference existed in the RDS
(Reliable Datagram Sockets) protocol implementation in the Linux
kernel. A local attacker could use this to cause a denial of service
(system crash). (CVE-2018-7492)

It was discovered that the Broadcom UniMAC MDIO bus controller driver
in the Linux kernel did not properly validate device resources. A
local attacker could use this to cause a denial of service (system
crash). (CVE-2018-8043).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/3619-1/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Linux BPF Sign Extension Local Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-aws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-raspi2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-snapdragon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/04/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/05");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2017-0861", "CVE-2017-1000407", "CVE-2017-11472", "CVE-2017-15129", "CVE-2017-16528", "CVE-2017-16532", "CVE-2017-16536", "CVE-2017-16537", "CVE-2017-16645", "CVE-2017-16646", "CVE-2017-16649", "CVE-2017-16650", "CVE-2017-16911", "CVE-2017-16912", "CVE-2017-16913", "CVE-2017-16914", "CVE-2017-16994", "CVE-2017-16995", "CVE-2017-17448", "CVE-2017-17449", "CVE-2017-17450", "CVE-2017-17558", "CVE-2017-17741", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-17807", "CVE-2017-17862", "CVE-2017-18075", "CVE-2017-18203", "CVE-2017-18204", "CVE-2017-18208", "CVE-2017-7518", "CVE-2018-1000026", "CVE-2018-5332", "CVE-2018-5333", "CVE-2018-5344", "CVE-2018-6927", "CVE-2018-7492", "CVE-2018-8043");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3619-1");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1020-kvm", pkgver:"4.4.0-1020.25")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1054-aws", pkgver:"4.4.0-1054.63")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1086-raspi2", pkgver:"4.4.0-1086.94")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1088-snapdragon", pkgver:"4.4.0-1088.93")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-119-generic", pkgver:"4.4.0-119.143")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-119-generic-lpae", pkgver:"4.4.0-119.143")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-119-lowlatency", pkgver:"4.4.0-119.143")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-aws", pkgver:"4.4.0.1054.56")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic", pkgver:"4.4.0.119.125")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-lpae", pkgver:"4.4.0.119.125")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-kvm", pkgver:"4.4.0.1020.19")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-lowlatency", pkgver:"4.4.0.119.125")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-raspi2", pkgver:"4.4.0.1086.86")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-snapdragon", pkgver:"4.4.0.1088.80")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.4-aws / linux-image-4.4-generic / etc");
}

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/ubuntu_USN-3619-1.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\ubuntu_USN-3619-1.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/ubuntu_USN-3619-1.nasl


How to Run


Here is how to run the Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3619-1) plugin as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Ubuntu Local Security Checks plugin family.
  6. On the right side table select Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3619-1) plugin ID 108842.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl ubuntu_USN-3619-1.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a ubuntu_USN-3619-1.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - ubuntu_USN-3619-1.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins against the same target):

/opt/nessus/bin/nasl -K /tmp/state ubuntu_USN-3619-1.nasl -t <IP/HOST>


References


USN | Ubuntu Security Notice

See also: Similar and related Nessus plugins:
  • 106672 - SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:0383-1) (Spectre)
  • 106706 - OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0017) (Meltdown)
  • 106740 - openSUSE Security Update : the Linux Kernel (openSUSE-2018-153) (Spectre)
  • 106748 - SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:0416-1) (Spectre)
  • 106815 - SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0437-1) (Spectre)
  • 106933 - Amazon Linux AMI : kernel (ALAS-2018-956) (Dirty COW) (Spectre)
  • 106967 - SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0525-1) (Spectre)
  • 107003 - Ubuntu 14.04 LTS : linux vulnerabilities (USN-3583-1) (Meltdown)
  • 107055 - SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0555-1) (Meltdown) (Spectre)
  • 108279 - SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0660-1) (Spectre)
  • 108322 - RHEL 6 : MRG (RHSA-2018:0470)
  • 108596 - Virtuozzo 6 : parallels-server-bm-release / etc (VZA-2018-017)
  • 108705 - SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0834-1)
  • 108748 - SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0848-1)
  • 108834 - Ubuntu 17.10 : linux vulnerabilities (USN-3617-1)
  • 108835 - Ubuntu 16.04 LTS : linux-hwe, linux-gcp, linux-oem vulnerabilities (USN-3617-2)
  • 108840 - Ubuntu 17.10 : linux-raspi2 vulnerabilities (USN-3617-3)
  • 108878 - Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3619-2)
  • 108942 - RHEL 7 : kernel-alt (RHSA-2018:0654)
  • 108984 - RHEL 7 : kernel-rt (RHSA-2018:0676)
  • 108997 - RHEL 7 : kernel (RHSA-2018:1062)
  • 109103 - openSUSE Security Update : the Linux Kernel (openSUSE-2018-377)
  • 109113 - Oracle Linux 7 : kernel (ELSA-2018-1062)
  • 109116 - RHEL 7 : kernel (RHSA-2018:1130)
  • 109127 - Amazon Linux 2 : kernel (ALAS-2018-956) (Dirty COW) (Spectre)
  • 109156 - Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4071)
  • 109158 - OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0035) (Dirty COW) (Meltdown) (Spectre)
  • 109310 - SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:1048-1)
  • 109316 - Ubuntu 16.04 LTS : Linux kernel (Azure) vulnerabilities (USN-3632-1)
  • 109317 - Ubuntu 16.04 LTS : Linux kernel (Intel Euclid) vulnerability (USN-3633-1)
  • 109335 - RHEL 6 : MRG (RHSA-2018:1170)
  • 109360 - SUSE SLES11 Security Update : kernel (SUSE-SU-2018:1080-1) (Spectre)
  • 109380 - CentOS 7 : kernel (CESA-2018:1062)
  • 109386 - Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4084)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file ubuntu_USN-3619-1.nasl version 1.11. For more plugins, visit the Nessus Plugin Library.
