The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2018-4299 advisory.

  - The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length     inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface     (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel     crash) or have unspecified other impact by executing a crafted sequence of system calls that use the     blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation     (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable. (CVE-2017-17805)

  - It was found that the raw midi kernel driver does not protect against concurrent access which leads to a     double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part     of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for     privilege escalation. (CVE-2018-10902)

  - The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the     underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based     hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a     kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing     SHA-3 initialization. (CVE-2017-17806)

  - An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel     through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM     ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the     location of kernel code and data and bypass kernel security protections such as KASLR. (CVE-2018-7755)

  - An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may     occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. (CVE-2018-13094)

  - In the Linux kernel before 4.17, a local attacker able to set attributes on an xfs filesystem could make     this filesystem non-operational until the next mount by triggering an unchecked error condition during an     xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandles     ATTR_REPLACE operations with conversion of an attr from short to long form. (CVE-2018-18690)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Detections

Analytics

Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4299)

high Nessus Plugin ID 119534

Version 1.10