Vulnerabilities > CVE-2004-0495 - Device Driver vulnerability in Linux Kernel

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
avaya
gentoo
linux
redhat
suse
conectiva
nessus

Summary

Multiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool.

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2004-260.NASL
    descriptionUpdated kernel packages for Red Hat Enterprise Linux 2.1 that fix security vulnerabilities are now available. The Linux kernel handles the basic functions of the operating system. A flaw was found in Linux kernel versions 2.4 and 2.6 for x86 and x86_64 that allowed local users to cause a denial of service (system crash) by triggering a signal handler with a certain sequence of fsave and frstor instructions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0554 to this issue. Enhancements were committed to the 2.6 kernel by Al Viro which enabled the Sparse source code checking tool to check for a certain class of kernel bugs. A subset of these fixes also applies to various drivers in the 2.4 kernel. These flaws could lead to privilege escalation or access to kernel memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0495 to these issues. All Red Hat Enterprise Linux 2.1 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. These packages contain backported patches to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id12509
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12509
    titleRHEL 2.1 : kernel (RHSA-2004:260)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2004-255.NASL
    descriptionUpdated kernel packages for Red Hat Enterprise Linux 3 that fix security vulnerabilities are now available. The Linux kernel handles the basic functions of the operating system. A flaw was found in Linux kernel versions 2.4 and 2.6 for x86 and x86_64 that allowed local users to cause a denial of service (system crash) by triggering a signal handler with a certain sequence of fsave and frstor instructions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0554 to this issue. Another flaw was discovered in an error path supporting the clone() system call that allowed local users to cause a denial of service (memory leak) by passing invalid arguments to clone() running in an infinite loop of a user
    last seen2020-06-01
    modified2020-06-02
    plugin id12508
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12508
    titleRHEL 3 : kernel (RHSA-2004:255)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2004_020.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2004:020 (kernel). Multiple security vulnerabilities are being addressed with this security update of the Linux kernel. Kernel memory access vulnerabilities are fixed in the e1000, decnet, acpi_asus, alsa, airo/WLAN, pss and mpu401 drivers. These vulnerabilities can lead to kernel memory read access, write access and local denial of service conditions, resulting in access to the root account for an attacker with a local account on the affected system. Missing Discretionary Access Control (DAC) checks in the chown(2) system call allow an attacker with a local account to change the group ownership of arbitrary files, which leads to root privileges on affected systems. It is specific to kernel version 2.6 based systems such as the SUSE Linux 9.1 product, that only local shell access is needed to exploit this vulnerability. An interesting variant of the missing checks is that the ownership of files in the /proc filesystem can be altered, while the changed ownership still does not allow the files to be accessed as a non-root user for to be able to exploit the vulnerability. Systems that are based on a version 2.4 kernel are not vulnerable to the /proc weakness, and exploitation of the weakness requires the use of the kernel NFS server (knfsd). If the knfsd NFS server is not activated (it is off by default), the vulnerability is not exposed. These issues related to the chown(2) system call have been discovered by Michael Schroeder and Ruediger Oertel, both SUSE LINUX. The only network-related vulnerability fixed with the kernel updates that are subject to this announcement affect the SUSE Linux 9.1 distribution only, as it is based on a 2.6 kernel. Found and reported to bugtraq by Adam Osuchowski and Tomasz Dubinski, the vulnerability allows a remote attacker to send a specially crafted TCP packet to a vulnerable system, causing that system to stall if it makes use of TCP option matching netfilter rules. In some rare configurations of the SUSE Linux 9.1 distribution, some users have experienced stalling systems during system startup. These problems are fixed with this kernel update.
    last seen2020-06-01
    modified2020-06-02
    plugin id13836
    published2004-07-25
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13836
    titleSUSE-SA:2004:020: kernel
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2004-186.NASL
    descriptionNumerous problems referencing userspace memory were identified in several device drivers by Al Viro using the sparse tool. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2004-0495 to this issue. A problem was found where userspace code could execute certain floating point instructions from signal handlers which would cause the kernel to lock up. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2004-0554 to this issue. Previous kernels contained a patch against the framebuffer ioctl code which turned out to be unnecessary. This has been dropped in this update. A memory leak in the E1000 network card driver has been fixed. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2004-0535 to this issue. Previously, inappropriate permissions were set on /proc/scsi/qla2300/HbaApiNode The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2004-0587 to this issue. Support for systems with more than 4GB of memory was previously unavailable. The 686 SMP kernel now supports this configuration. (Bugzilla #122960) Support for SMP on 586
    last seen2020-06-01
    modified2020-06-02
    plugin id13731
    published2004-07-23
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13731
    titleFedora Core 1 : kernel-2.4.22-1.2194.nptl (2004-186)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2004-066.NASL
    descriptionA number of vulnerabilities were discovered in the Linux kernel that are corrected with this update : Multiple vulnerabilities were found by the Sparse source checker that could allow local users to elevate privileges or gain access to kernel memory (CVE-2004-0495). Missing Discretionary Access Controls (DAC) checks in the chown(2) system call could allow an attacker with a local account to change the group ownership of arbitrary files, which could lead to root privileges on affected systems (CVE-2004-0497). An information leak vulnerability that affects only ia64 systems was fixed (CVE-2004-0565). Insecure permissions on /proc/scsi/qla2300/HbaApiNode could allow a local user to cause a DoS on the system; this only affects Mandrakelinux 9.2 and below (CVE-2004-0587). A vulnerability that could crash the kernel has also been fixed. This crash, however, can only be exploited via root (in br_if.c). The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at : http://www.mandrakesoft.com/security/kernelupdate
    last seen2020-06-01
    modified2020-06-02
    plugin id14165
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14165
    titleMandrake Linux Security Advisory : kernel (MDKSA-2004:066)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200407-02.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200407-02 (Linux Kernel: Multiple vulnerabilities) Multiple flaws have been discovered in the Linux kernel. This advisory corrects the following issues: CAN-2004-0109: This vulnerability allows privilege escalation using ISO9660 file systems through a buffer overflow via a malformed file system containing a long symbolic link entry. This can allow arbitrary code execution at kernel level. CAN-2004-0133: The XFS file system in 2.4 series kernels has an information leak by which data in the memory can be written to the device hosting the file system, allowing users to obtain portions of kernel memory by reading the raw block device. CAN-2004-0177: The ext3 file system in 2.4 series kernels does not properly initialize journal descriptor blocks, causing an information leak by which data in the memory can be written to the device hosting the file system, allowing users to obtain portions of kernel memory by reading the raw device. CAN-2004-0181: The JFS file system in 2.4 series kernels has an information leak by which data in the memory can be written to the device hosting the file system, allowing users to obtain portions of kernel memory by reading the raw device. CAN-2004-0178: The OSS Sound Blaster [R] Driver has a Denial of Service vulnerability since it does not handle certain sample sizes properly. This allows local users to hang the kernel. CAN-2004-0228: Due to an integer signedness error in the CPUFreq /proc handler code in 2.6 series Linux kernels, local users can escalate their privileges. CAN-2004-0229: The framebuffer driver in 2.6 series kernel drivers does not use the fb_copy_cmap method of copying structures. The impact of this issue is unknown, however. CAN-2004-0394: A buffer overflow in the panic() function of 2.4 series Linux kernels exists, but it may not be exploitable under normal circumstances due to its functionality. CAN-2004-0427: The do_fork() function in both 2.4 and 2.6 series Linux kernels does not properly decrement the mm_count counter when an error occurs, triggering a memory leak that allows local users to cause a Denial of Service by exhausting other applications of memory; causing the kernel to panic or to kill services. CAN-2004-0495: Multiple vulnerabilities found by the Sparse source checker in the kernel allow local users to escalate their privileges or gain access to kernel memory. CAN-2004-0535: The e1000 NIC driver does not properly initialize memory structures before using them, allowing users to read kernel memory. CAN-2004-0554: 2.4 and 2.6 series kernels running on an x86 or an AMD64 architecture allow local users to cause a Denial of Service by a total system hang, due to an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions. Local DoS in PaX: If ASLR is enabled as a GRSecurity PaX feature, a Denial of Service can be achieved by putting the kernel into an infinite loop. Only 2.6 series GRSecurity kernels are affected by this issue. RSBAC 1.2.3 JAIL issues: A flaw in the RSBAC JAIL implementation allows suid/sgid files to be created inside the jail since the relevant module does not check the corresponding mode values. This can allow privilege escalation inside the jail. Only rsbac-(dev-)sources are affected by this issue. Impact : Arbitrary code with normal non-super-user privileges may be able to exploit any of these vulnerabilities; gaining kernel level access to memory structures and hardware devices. This may be used for further exploitation of the system, to leak sensitive data or to cause a Denial of Service on the affected kernel. Workaround : Although users may not be affected by certain vulnerabilities, all kernels are affected by the CAN-2004-0394, CAN-2004-0427 and CAN-2004-0554 issues which have no workaround. As a result, all users are urged to upgrade their kernels to patched versions.
    last seen2020-06-01
    modified2020-06-02
    plugin id14535
    published2004-08-30
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14535
    titleGLSA-200407-02 : Linux Kernel: Multiple vulnerabilities

Oval

  • accepted2013-04-29T04:02:22.539-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
      ovaloval:org.mitre.oval:def:11782
    • commentCentOS Linux 3.x
      ovaloval:org.mitre.oval:def:16651
    descriptionMultiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool.
    familyunix
    idoval:org.mitre.oval:def:10155
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    titleMultiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool.
    version26
  • accepted2004-10-06T12:00:00.000-04:00
    classvulnerability
    contributors
    nameJay Beale
    organizationBastille Linux
    descriptionMultiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool.
    familyunix
    idoval:org.mitre.oval:def:2961
    statusaccepted
    submitted2004-09-02T12:06:00.000-04:00
    titleMultiple Privilege Escalation Vulnerabilities in Linux Kernel
    version4

Redhat

advisories
  • rhsa
    idRHSA-2004:255
  • rhsa
    idRHSA-2004:260
rpms
  • kernel-0:2.4.21-15.0.2.EL
  • kernel-BOOT-0:2.4.21-15.0.2.EL
  • kernel-debuginfo-0:2.4.21-15.0.2.EL
  • kernel-doc-0:2.4.21-15.0.2.EL
  • kernel-hugemem-0:2.4.21-15.0.2.EL
  • kernel-hugemem-unsupported-0:2.4.21-15.0.2.EL
  • kernel-smp-0:2.4.21-15.0.2.EL
  • kernel-smp-unsupported-0:2.4.21-15.0.2.EL
  • kernel-source-0:2.4.21-15.0.2.EL
  • kernel-unsupported-0:2.4.21-15.0.2.EL