Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-4657-1)

high Nessus Plugin ID 143433
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Ubuntu host is missing one or more security updates.

Description

The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4657-1 advisory.

- In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171 (CVE-2020-0427)

- IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296.
(CVE-2020-4788)

- Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2 and earlier may allow an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key. (CVE-2020-10135)

- Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access. (CVE-2020-12352)

- A flaw was found in the Linux kernel in versions before 5.9-rc6. When changing screen size, an out-of- bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2020-14390)

- In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.
(CVE-2020-25211)

- The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)

- A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25643)

- A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. (CVE-2020-25645)

- A flaw in the way reply ICMP packets are limited in the Linux kernel functionality was found that allows to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well.
Kernel versions before 5.10 may be vulnerable to this issue. (CVE-2020-25705)

- A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def. (CVE-2020-28915)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://ubuntu.com/security/notices/USN-4657-1

Plugin Details

Severity: High

ID: 143433

File Name: ubuntu_USN-4657-1.nasl

Version: 1.3

Type: local

Agent: unix

Published: 12/2/2020

Updated: 12/3/2020

Dependencies: ssh_get_info.nasl, linux_alt_patch_detect.nasl

Risk Information

CVSS Score Source: CVE-2020-25643

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: AV:N/AC:M/Au:S/C:P/I:P/A:C

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:canonical:ubuntu_linux:16.04:-:lts, p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1082-aws, p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1084-kvm, p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1118-aws, p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1142-raspi2, p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1146-snapdragon, p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-197-generic, p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-197-generic-lpae, p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-197-lowlatency, p-cpe:/a:canonical:ubuntu_linux:linux-image-aws, p-cpe:/a:canonical:ubuntu_linux:linux-image-generic, p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae, p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-lts-utopic, p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-lts-vivid, p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-lts-wily, p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-lts-xenial, p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-utopic, p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-vivid, p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-wily, p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-xenial, p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm, p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency, p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-utopic, p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-vivid, p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-wily, p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-xenial, p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2, p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon, p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual, p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-utopic, p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-vivid, p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-wily, p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-xenial

Required KB Items: Host/cpu, Host/Ubuntu, Host/Ubuntu/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/2/2020

Vulnerability Publication Date: 5/19/2020

Reference Information

CVE: CVE-2020-0427, CVE-2020-4788, CVE-2020-10135, CVE-2020-12352, CVE-2020-14351, CVE-2020-14390, CVE-2020-25211, CVE-2020-25284, CVE-2020-25643, CVE-2020-25645, CVE-2020-25705, CVE-2020-28915

USN: 4657-1