Detections
Analytics

Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4114)

high Nessus Plugin ID 110071

Language:

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2018-4114 advisory.

 - KVM: SVM: Move spec control call after restore of GS (Thomas Gleixner) {CVE-2018-3639}
 - x86/bugs: Fix the parameters alignment and missing void (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/bugs: Make cpu_show_common() static (Jiri Kosina) {CVE-2018-3639}
 - x86/bugs: Fix __ssb_select_mitigation() return type (Jiri Kosina) {CVE-2018-3639}
 - Documentation/spec_ctrl: Do some minor cleanups (Borislav Petkov) {CVE-2018-3639}
 - proc: Use underscores for SSBD in 'status' (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/bugs: Rename _RDS to _SSBD (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/speculation: Make 'seccomp' the default mode for Speculative Store Bypass (Kees Cook) {CVE-2018-3639}
 - seccomp: Move speculation migitation control to arch code (Thomas Gleixner) {CVE-2018-3639}
 - seccomp: Add filter flag to opt-out of SSB mitigation (Kees Cook) {CVE-2018-3639}
 - seccomp: Use PR_SPEC_FORCE_DISABLE (Thomas Gleixner) {CVE-2018-3639}
 - prctl: Add force disable speculation (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - seccomp: Enable speculation flaw mitigations (Kees Cook) {CVE-2018-3639}
 - proc: Provide details on speculation flaw mitigations (Kees Cook) {CVE-2018-3639}
 - nospec: Allow getting/setting on non-current task (Kees Cook) {CVE-2018-3639}
 - x86/bugs/IBRS: Disable SSB (RDS) if IBRS is sslected for spectre_v2. (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/speculation: Add prctl for Speculative Store Bypass mitigation (Thomas Gleixner) {CVE-2018-3639}
 - x86: thread_info.h: move RDS from index 5 to 23 (Mihai Carabas) {CVE-2018-3639}
 - x86/process: Allow runtime control of Speculative Store Bypass (Thomas Gleixner) {CVE-2018-3639}
 - prctl: Add speculation control prctls (Thomas Gleixner) {CVE-2018-3639}
 - x86/speculation: Create spec-ctrl.h to avoid include hell (Thomas Gleixner) {CVE-2018-3639}
 - x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if requested (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/bugs: Whitelist allowed SPEC_CTRL MSR values (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/bugs/intel: Set proper CPU features and setup RDS (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/cpufeatures: Add X86_FEATURE_RDS (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/bugs: Expose /sys/../spec_store_bypass (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/cpu/intel: Add Knights Mill to Intel family (Piotr Luc) {CVE-2018-3639}
 - x86/cpu: Rename Merrifield2 to Moorefield (Andy Shevchenko) {CVE-2018-3639}
 - x86/bugs, KVM: Support the combination of guest and host IBRS (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/bugs/IBRS: Warn if IBRS is enabled during boot. (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/bugs/IBRS: Use variable instead of defines for enabling IBRS (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/bugs: Concentrate bug reporting into a separate function (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/bugs: Concentrate bug detection into a separate function (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/bugs/IBRS: Turn on IBRS in spectre_v2_select_mitigation (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - x86/msr: Add SPEC_CTRL_IBRS.. (Konrad Rzeszutek Wilk) {CVE-2018-3639}
 - RDS: null pointer dereference in rds_atomic_free_op (Mohamed Ghannam) [Orabug: 27422832] {CVE-2018-5333}
 - ACPI: sbshc: remove raw pointer from printk() message (Greg Kroah-Hartman) [Orabug: 27501257] {CVE-2018-5750}
 - futex: Prevent overflow by strengthen input validation (Li Jinyue) [Orabug: 27539548] {CVE-2018-6927}
 - dm: fix race between dm_get_from_kobject() and __dm_destroy() (Hou Tao) [Orabug: 27677556] {CVE-2017-18203}
 - mm/mempolicy: fix use after free when calling get_mempolicy (zhong jiang) [Orabug: 27963519] {CVE-2018-10675}
 - drm: udl: Properly check framebuffer mmap offsets (Greg Kroah-Hartman) [Orabug: 27963530] {CVE-2018-8781}
 - xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug: 27963576] {CVE-2018-10323}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2018-4114.html

Plugin Details

Severity: High

ID: 110071

File Name: oraclelinux_ELSA-2018-4114.nasl

Version: 1.15

Type: local

Agent: unix

Published: 5/24/2018

Updated: 10/24/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2018-10675

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2018-6927

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:kernel-uek-debug-devel, cpe:/o:oracle:linux:7, p-cpe:/a:oracle:linux:kernel-uek-devel, p-cpe:/a:oracle:linux:kernel-uek-doc, p-cpe:/a:oracle:linux:kernel-uek-firmware, p-cpe:/a:oracle:linux:kernel-uek, p-cpe:/a:oracle:linux:kernel-uek-debug, cpe:/o:oracle:linux:6

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/22/2018

Vulnerability Publication Date: 11/30/2017

Exploitable With

Metasploit (Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation)

Reference Information

CVE: CVE-2017-1000410, CVE-2017-18203, CVE-2018-10323, CVE-2018-10675, CVE-2018-3639, CVE-2018-5333, CVE-2018-5750, CVE-2018-6927

IAVA: 2018-A-0170, 2019-A-0025-S