Detections
Analytics

Ubuntu 22.04 LTS / 23.04 : Linux kernel vulnerabilities (USN-6412-1)

critical Nessus Plugin ID 182530

Language:

Synopsis

The remote Ubuntu host is missing one or more security updates.

Description

The remote Ubuntu 22.04 LTS / 23.04 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6412-1 advisory.

 - An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free. (CVE-2022-45886)

 - An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call. (CVE-2022-45887)

 - An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur is there is a disconnect after an open, because of the lack of a wait_event.
 (CVE-2022-45919)

 - In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs. (CVE-2022-48425)

 - A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel's IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%. (CVE-2023-1206)

 - A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure. (CVE-2023-20569)

 - A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol.
 This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system. (CVE-2023-2156)

 - A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.
 (CVE-2023-3212)

 - An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/smb2pdu.c in ksmbd has an integer underflow and out-of-bounds read in deassemble_neg_contexts. (CVE-2023-38427)

 - An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/connection.c in ksmbd does not validate the relationship between the NetBIOS header's length field and the SMB header sizes, via pdu_size in ksmbd_conn_handler_loop, leading to an out-of-bounds read. (CVE-2023-38431)

 - A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`). (CVE-2023-4155)

 - A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 (tun: tun_chr_open(): correctly initialize socket uid), - 66b2c338adce (tap: tap_open():
 correctly initialize socket uid), pass inode->i_uid to sock_init_data_uid() as the last parameter and that turns out to not be accurate. (CVE-2023-4194)

 - A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack. (CVE-2023-4273)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel package.

See Also

https://ubuntu.com/security/notices/USN-6412-1

Plugin Details

Severity: Critical

ID: 182530

File Name: ubuntu_USN-6412-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 10/4/2023

Updated: 1/9/2024

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-38427

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:canonical:ubuntu_linux:22.04:-:lts, cpe:/o:canonical:ubuntu_linux:23.04, p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1006-starfive, p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1013-aws, p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1013-oracle, p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1014-azure-fde, p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1014-raspi, p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-1016-gcp, p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-34-generic, p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-34-generic-64k, p-cpe:/a:canonical:ubuntu_linux:linux-image-6.2.0-34-generic-lpae

Required KB Items: Host/cpu, Host/Ubuntu, Host/Ubuntu/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/4/2023

Vulnerability Publication Date: 11/25/2022

Reference Information

CVE: CVE-2022-45886, CVE-2022-45887, CVE-2022-45919, CVE-2022-48425, CVE-2023-1206, CVE-2023-20569, CVE-2023-2156, CVE-2023-3212, CVE-2023-38427, CVE-2023-38431, CVE-2023-4155, CVE-2023-4194, CVE-2023-4273

USN: 6412-1