Ubuntu 16.04 ESM : Linux kernel vulnerabilities (USN-5650-1)

high Nessus Plugin ID 165602

Synopsis

The remote Ubuntu host is missing one or more security updates.

Description

The remote Ubuntu 16.04 ESM host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5650-1 advisory.

- A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that allows local users to create files for the XFS file-system with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not. This vulnerability is similar to the previous CVE-2018-13405 and adds the missed fix for the XFS. (CVE-2021-4037)

- When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds. (CVE-2021-33655)

- When setting font with malicous data by ioctl cmd PIO_FONT,kernel will write memory out of bounds.
(CVE-2021-33656)

- A vulnerability was found in linux kernel, where an information leak occurs via ext4_extent_header to userspace. (CVE-2022-0850)

- A flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability. (CVE-2022-1199)

- A use-after-free flaw was found in the Linux kernel's Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system. (CVE-2022-1204)

- A race condition was found the Linux kernel in perf_event_open() which can be exploited by an unprivileged user to gain root privileges. The bug allows to build several exploit primitives such as kernel address information leak, arbitrary execution, etc. (CVE-2022-1729)

- An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-2639)

- A flaw was found in the Linux kernel's driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.
(CVE-2022-2964)

- A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-2978)

- A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)

- A NULL pointer dereference flaw in diFree in fs/jfs/inode.c in Journaled File System (JFS)in the Linux kernel. This could allow a local attacker to crash the system or leak kernel internal information.
(CVE-2022-3202)

- Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel (CVE-2022-20368)

- nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len. (CVE-2022-36946)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel package.

See Also

https://ubuntu.com/security/notices/USN-5650-1

Plugin Details

Severity: High

ID: 165602

File Name: ubuntu_USN-5650-1.nasl

Version: 1.2

Type: local

Agent: unix

Published: 9/30/2022

Updated: 9/30/2022

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 6.2

Temporal Score: 4.6

Vector: CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS Score Source: CVE-2022-0850

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2022-2978

Vulnerability Information

CPE: p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-generic:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-lowlatency:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-aws:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-kvm:*:*:*:*:*:*:*, cpe:2.3:o:canonical:ubuntu_linux:16.04:-:esm:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-4.4.0-1114-kvm:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-4.4.0-1151-aws:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-4.4.0-234-generic:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-4.4.0-234-lowlatency:*:*:*:*:*:*:*

Required KB Items: Host/cpu, Host/Debian/dpkg-l, Host/Ubuntu, Host/Ubuntu/release

Exploit Ease: No known exploits are available

Patch Publication Date: 9/30/2022

Vulnerability Publication Date: 4/18/2022

Reference Information

CVE: CVE-2021-4037, CVE-2022-0850, CVE-2022-1204, CVE-2022-1199, CVE-2022-1729, CVE-2021-33655, CVE-2021-33656, CVE-2022-36946, CVE-2022-20368, CVE-2022-2639, CVE-2022-2978, CVE-2022-2964, CVE-2022-3028, CVE-2022-3202

USN: 5650-1