Ubuntu 16.04 LTS : Linux kernel (Qualcomm Snapdragon) vulnerability (USN-2965-4)

critical Nessus Plugin ID 91085

Synopsis

The remote Ubuntu host is missing one or more security updates.

Description

The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-2965-4 advisory.

Jann Horn discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel did not properly reference count file descriptors, leading to a use-after-free. A local unprivileged attacker could use this to gain administrative privileges.

Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2184)

Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2185)

Ralf Spenneberg discovered that the PowerMate USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2186)

Ralf Spenneberg discovered that the I/O-Warrior USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2188)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the MCT USB RS232 Converter device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3136)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Cypress M8 USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3137)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the USB abstract device control driver for modems and ISDN adapters did not validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3138)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Linux kernel's USB driver for Digi AccelePort serial converters did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3140)

It was discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. (CVE-2016-3156)

Andy Lutomirski discovered that the Linux kernel did not properly context- switch IOPL on 64-bit PV Xen guests. An attacker in a guest OS could use this to cause a denial of service (guest OS crash), gain privileges, or obtain sensitive information. (CVE-2016-3157)

Hector Marco and Ismael Ripoll discovered that the Linux kernel would improperly disable Address Space Layout Randomization (ASLR) for x86 processes running in 32 bit mode if stack-consumption resource limits were disabled. A local attacker could use this to make it easier to exploit an existing vulnerability in a setuid/setgid program. (CVE-2016-3672)

It was discovered that the Linux kernel's USB driver for IMS Passenger Control Unit devices did not properly validate the device's interfaces. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3689)

Andrey Konovalov discovered that the CDC Network Control Model USB driver in the Linux kernel did not cancel work events queued if a later error occurred, resulting in a use-after-free. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3951)

It was discovered that an out-of-bounds write could occur when handling incoming packets in the USB/IP implementation in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-3955)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel package.

See Also

https://ubuntu.com/security/notices/USN-2965-4

Plugin Details

Severity: Critical

ID: 91085

File Name: ubuntu_USN-2965-4.nasl

Version: 2.20

Type: local

Agent: unix

Published: 5/12/2016

Updated: 8/27/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-3955

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1013-snapdragon, cpe:/o:canonical:ubuntu_linux:16.04:-:lts

Required KB Items: Host/cpu, Host/Ubuntu, Host/Ubuntu/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/6/2016

Vulnerability Publication Date: 4/12/2016

Exploitable With

Metasploit (Linux BPF doubleput UAF Privilege Escalation)

Reference Information

CVE: CVE-2016-2184, CVE-2016-2185, CVE-2016-2186, CVE-2016-2188, CVE-2016-3136, CVE-2016-3137, CVE-2016-3138, CVE-2016-3140, CVE-2016-3156, CVE-2016-3157, CVE-2016-3672, CVE-2016-3689, CVE-2016-3951, CVE-2016-3955, CVE-2016-4557

USN: 2965-4