Vulnerabilities > CVE-2004-0535
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
The e1000 driver for Linux kernel 2.4.26 and earlier does not properly initialize memory before using it, which allows local users to read portions of kernel memory. NOTE: this issue was originally incorrectly reported as a "buffer overflow" by some sources.
Vulnerable Configurations
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2004-062.NASL description A vulnerability in the e1000 driver for the Linux kernel 2.4.26 and earlier was discovered by Chris Wright. The e1000 driver does not properly reset memory or restrict the maximum length of a data structure, which can allow a local user to read portions of kernel memory (CVE-2004-0535). A vulnerability was also discovered in the kernel were a certain C program would trigger a floating point exception that would crash the kernel. This vulnerability can only be triggered locally by users with shell access (CVE-2004-0554). last seen 2020-06-01 modified 2020-06-02 plugin id 14161 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14161 title Mandrake Linux Security Advisory : kernel (MDKSA-2004:062) NASL family SuSE Local Security Checks NASL id SUSE_SA_2004_020.NASL description The remote host is missing the patch for the advisory SUSE-SA:2004:020 (kernel). Multiple security vulnerabilities are being addressed with this security update of the Linux kernel. Kernel memory access vulnerabilities are fixed in the e1000, decnet, acpi_asus, alsa, airo/WLAN, pss and mpu401 drivers. These vulnerabilities can lead to kernel memory read access, write access and local denial of service conditions, resulting in access to the root account for an attacker with a local account on the affected system. Missing Discretionary Access Control (DAC) checks in the chown(2) system call allow an attacker with a local account to change the group ownership of arbitrary files, which leads to root privileges on affected systems. It is specific to kernel version 2.6 based systems such as the SUSE Linux 9.1 product, that only local shell access is needed to exploit this vulnerability. An interesting variant of the missing checks is that the ownership of files in the /proc filesystem can be altered, while the changed ownership still does not allow the files to be accessed as a non-root user for to be able to exploit the vulnerability. Systems that are based on a version 2.4 kernel are not vulnerable to the /proc weakness, and exploitation of the weakness requires the use of the kernel NFS server (knfsd). If the knfsd NFS server is not activated (it is off by default), the vulnerability is not exposed. These issues related to the chown(2) system call have been discovered by Michael Schroeder and Ruediger Oertel, both SUSE LINUX. The only network-related vulnerability fixed with the kernel updates that are subject to this announcement affect the SUSE Linux 9.1 distribution only, as it is based on a 2.6 kernel. Found and reported to bugtraq by Adam Osuchowski and Tomasz Dubinski, the vulnerability allows a remote attacker to send a specially crafted TCP packet to a vulnerable system, causing that system to stall if it makes use of TCP option matching netfilter rules. In some rare configurations of the SUSE Linux 9.1 distribution, some users have experienced stalling systems during system startup. These problems are fixed with this kernel update. last seen 2020-06-01 modified 2020-06-02 plugin id 13836 published 2004-07-25 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13836 title SUSE-SA:2004:020: kernel NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2004-418.NASL description Updated kernel packages that fix potential information leaks and a incorrect driver permission for Red Hat Enterprise Linux 2.1 are now available. The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0415 to this issue. These packages contain a patch written by Al Viro to correct these flaws. Red Hat would like to thank iSEC Security Research for disclosing this issue and a number of vendor-sec participants for reviewing and working on the patch to this issue. In addition, these packages correct two minor issues : An bug in the e1000 network driver. This bug could be used by local users to leak small amounts of kernel memory (CVE-2004-0535). Inappropriate permissions on /proc/scsi/qla2300/HbaApiNode (CVE-2004-0587). All Red Hat Enterprise Linux 2.1 users are advised to upgrade their kernels to these erratum packages which contain backported patches to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 14240 published 2004-08-09 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/14240 title RHEL 2.1 : kernel (RHSA-2004:418) NASL family Fedora Local Security Checks NASL id FEDORA_2004-186.NASL description Numerous problems referencing userspace memory were identified in several device drivers by Al Viro using the sparse tool. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2004-0495 to this issue. A problem was found where userspace code could execute certain floating point instructions from signal handlers which would cause the kernel to lock up. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2004-0554 to this issue. Previous kernels contained a patch against the framebuffer ioctl code which turned out to be unnecessary. This has been dropped in this update. A memory leak in the E1000 network card driver has been fixed. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2004-0535 to this issue. Previously, inappropriate permissions were set on /proc/scsi/qla2300/HbaApiNode The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2004-0587 to this issue. Support for systems with more than 4GB of memory was previously unavailable. The 686 SMP kernel now supports this configuration. (Bugzilla #122960) Support for SMP on 586 last seen 2020-06-01 modified 2020-06-02 plugin id 13731 published 2004-07-23 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13731 title Fedora Core 1 : kernel-2.4.22-1.2194.nptl (2004-186) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2004-413.NASL description Updated kernel packages that fix several security issues in Red Hat Enterprise Linux 3 are now available. The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0415 to this issue. These packages contain a patch written by Al Viro to correct these flaws. Red Hat would like to thank iSEC Security Research for disclosing this issue and a number of vendor-sec participants for reviewing and working on the patch to this issue. In addition, these packages correct a number of minor security issues : An bug in the e1000 network driver. This bug could be used by local users to leak small amounts of kernel memory (CVE-2004-0535). A bug in the SoundBlaster 16 code which does not properly handle certain sample sizes. This flaw could be used by local users to crash a system (CVE-2004-0178). A possible NULL pointer dereference in the Linux kernel prior to 2.4.26 on the Itanium platform could allow a local user to crash a system (CVE-2004-0447). Inappropriate permissions on /proc/scsi/qla2300/HbaApiNode (CVE-2004-0587). All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. last seen 2020-06-01 modified 2020-06-02 plugin id 14239 published 2004-08-09 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/14239 title RHEL 3 : kernel (RHSA-2004:413) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200407-02.NASL description The remote host is affected by the vulnerability described in GLSA-200407-02 (Linux Kernel: Multiple vulnerabilities) Multiple flaws have been discovered in the Linux kernel. This advisory corrects the following issues: CAN-2004-0109: This vulnerability allows privilege escalation using ISO9660 file systems through a buffer overflow via a malformed file system containing a long symbolic link entry. This can allow arbitrary code execution at kernel level. CAN-2004-0133: The XFS file system in 2.4 series kernels has an information leak by which data in the memory can be written to the device hosting the file system, allowing users to obtain portions of kernel memory by reading the raw block device. CAN-2004-0177: The ext3 file system in 2.4 series kernels does not properly initialize journal descriptor blocks, causing an information leak by which data in the memory can be written to the device hosting the file system, allowing users to obtain portions of kernel memory by reading the raw device. CAN-2004-0181: The JFS file system in 2.4 series kernels has an information leak by which data in the memory can be written to the device hosting the file system, allowing users to obtain portions of kernel memory by reading the raw device. CAN-2004-0178: The OSS Sound Blaster [R] Driver has a Denial of Service vulnerability since it does not handle certain sample sizes properly. This allows local users to hang the kernel. CAN-2004-0228: Due to an integer signedness error in the CPUFreq /proc handler code in 2.6 series Linux kernels, local users can escalate their privileges. CAN-2004-0229: The framebuffer driver in 2.6 series kernel drivers does not use the fb_copy_cmap method of copying structures. The impact of this issue is unknown, however. CAN-2004-0394: A buffer overflow in the panic() function of 2.4 series Linux kernels exists, but it may not be exploitable under normal circumstances due to its functionality. CAN-2004-0427: The do_fork() function in both 2.4 and 2.6 series Linux kernels does not properly decrement the mm_count counter when an error occurs, triggering a memory leak that allows local users to cause a Denial of Service by exhausting other applications of memory; causing the kernel to panic or to kill services. CAN-2004-0495: Multiple vulnerabilities found by the Sparse source checker in the kernel allow local users to escalate their privileges or gain access to kernel memory. CAN-2004-0535: The e1000 NIC driver does not properly initialize memory structures before using them, allowing users to read kernel memory. CAN-2004-0554: 2.4 and 2.6 series kernels running on an x86 or an AMD64 architecture allow local users to cause a Denial of Service by a total system hang, due to an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions. Local DoS in PaX: If ASLR is enabled as a GRSecurity PaX feature, a Denial of Service can be achieved by putting the kernel into an infinite loop. Only 2.6 series GRSecurity kernels are affected by this issue. RSBAC 1.2.3 JAIL issues: A flaw in the RSBAC JAIL implementation allows suid/sgid files to be created inside the jail since the relevant module does not check the corresponding mode values. This can allow privilege escalation inside the jail. Only rsbac-(dev-)sources are affected by this issue. Impact : Arbitrary code with normal non-super-user privileges may be able to exploit any of these vulnerabilities; gaining kernel level access to memory structures and hardware devices. This may be used for further exploitation of the system, to leak sensitive data or to cause a Denial of Service on the affected kernel. Workaround : Although users may not be affected by certain vulnerabilities, all kernels are affected by the CAN-2004-0394, CAN-2004-0427 and CAN-2004-0554 issues which have no workaround. As a result, all users are urged to upgrade their kernels to patched versions. last seen 2020-06-01 modified 2020-06-02 plugin id 14535 published 2004-08-30 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14535 title GLSA-200407-02 : Linux Kernel: Multiple vulnerabilities
Oval
| accepted | 2013-04-29T04:11:46.195-04:00 | ||||||||
| class | vulnerability | ||||||||
| contributors |
| ||||||||
| definition_extensions |
| ||||||||
| description | The e1000 driver for Linux kernel 2.4.26 and earlier does not properly initialize memory before using it, which allows local users to read portions of kernel memory. NOTE: this issue was originally incorrectly reported as a "buffer overflow" by some sources. | ||||||||
| family | unix | ||||||||
| id | oval:org.mitre.oval:def:11136 | ||||||||
| status | accepted | ||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||
| title | The e1000 driver for Linux kernel 2.4.26 and earlier does not properly initialize memory before using it, which allows local users to read portions of kernel memory. NOTE: this issue was originally incorrectly reported as a "buffer overflow" by some sources. | ||||||||
| version | 26 |
Redhat
| advisories |
| ||||||||
| rpms |
|
References
- ftp://patches.sgi.com/support/free/security/advisories/20040804-01-U.asc
- http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125168
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000845
- http://lwn.net/Articles/91155/
- http://security.gentoo.org/glsa/glsa-200407-02.xml
- http://www.kernel.org/pub/linux/kernel/v2.4/testing/patch-2.4.27.log
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:062
- http://www.novell.com/linux/security/advisories/2004_20_kernel.html
- http://www.redhat.com/support/errata/RHSA-2004-413.html
- http://www.redhat.com/support/errata/RHSA-2004-418.html
- http://www.securityfocus.com/bid/10352
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16159
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11136