Detections
Analytics

Ubuntu 22.10 : Linux kernel vulnerabilities (USN-5970-1)

high Nessus Plugin ID 173374

Language:

Synopsis

The remote Ubuntu host is missing one or more security updates.

Description

The remote Ubuntu 22.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5970-1 advisory.

 - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.
 L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a (CVE-2022-2196)

 - Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs;
 the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329). (CVE-2022-42328, CVE-2022-42329)

 - A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side. (CVE-2022-4382)

 - A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel.
 SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e (CVE-2023-0266)

 - A use-after-free flaw was found in io_uring/filetable.c in io_install_fixed_file in the io_uring subcomponent in the Linux Kernel during call cleanup. This flaw may lead to a denial of service.
 (CVE-2023-0469)

 - In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition. (CVE-2023-23559)

 - A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service. (CVE-2022-4129) (CVE-2023-0045)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel package.

See Also

https://ubuntu.com/security/notices/USN-5970-1

Plugin Details

Severity: High

ID: 173374

File Name: ubuntu_USN-5970-1.nasl

Version: 1.2

Type: local

Agent: unix

Published: 3/24/2023

Updated: 5/8/2023

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2023-0045

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.4

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2022-2196

Vulnerability Information

CPE: cpe:/o:canonical:ubuntu_linux:22.10, p-cpe:/a:canonical:ubuntu_linux:linux-image--aws, p-cpe:/a:canonical:ubuntu_linux:linux-image--azure, p-cpe:/a:canonical:ubuntu_linux:linux-image--generic, p-cpe:/a:canonical:ubuntu_linux:linux-image--generic-64k, p-cpe:/a:canonical:ubuntu_linux:linux-image--generic-lpae, p-cpe:/a:canonical:ubuntu_linux:linux-image--lowlatency, p-cpe:/a:canonical:ubuntu_linux:linux-image--lowlatency-64k, p-cpe:/a:canonical:ubuntu_linux:linux-image--raspi, p-cpe:/a:canonical:ubuntu_linux:linux-image--raspi-nolpae, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1015--raspi, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1015--raspi-nolpae, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1019-oracle, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1020-kvm, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1021--lowlatency, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1021--lowlatency-64k, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1022--aws, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1022--azure, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-38--generic, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-38--generic-64k, p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-38--generic-lpae, p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm, p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle

Required KB Items: Host/cpu, Host/Ubuntu, Host/Ubuntu/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/23/2023

Vulnerability Publication Date: 12/7/2022

CISA Known Exploited Vulnerability Due Dates: 4/20/2023

Reference Information

CVE: CVE-2022-2196, CVE-2022-42328, CVE-2022-42329, CVE-2022-4382, CVE-2023-0045, CVE-2023-0266, CVE-2023-0469, CVE-2023-1195, CVE-2023-23559

USN: 5970-1