Vulnerabilities > CVE-2004-0949

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

The smb_recv_trans2 function call in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 does not properly handle the re-assembly of fragmented packets correctly, which could allow remote samba servers to (1) read arbitrary kernel information or (2) raise a counter value to an arbitrary number by sending the first part of the fragmented packet multiple times.

Vulnerable Configurations

Part Description Count
OS
Suse
9
OS
Linux
95
OS
Redhat
14
OS
Trustix
4
OS
Ubuntu
2

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1067.NASL
    descriptionSeveral local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0427 A local denial of service vulnerability in do_fork() has been found. - CVE-2005-0489 A local denial of service vulnerability in proc memory handling has been found. - CVE-2004-0394 A buffer overflow in the panic handling code has been found. - CVE-2004-0447 A local denial of service vulnerability through a NULL pointer dereference in the IA64 process handling code has been found. - CVE-2004-0554 A local denial of service vulnerability through an infinite loop in the signal handler code has been found. - CVE-2004-0565 An information leak in the context switch code has been found on the IA64 architecture. - CVE-2004-0685 Unsafe use of copy_to_user in USB drivers may disclose sensitive information. - CVE-2005-0001 A race condition in the i386 page fault handler may allow privilege escalation. - CVE-2004-0883 Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure. - CVE-2004-0949 An information leak discovered in the SMB filesystem code. - CVE-2004-1016 A local denial of service vulnerability has been found in the SCM layer. - CVE-2004-1333 An integer overflow in the terminal code may allow a local denial of service vulnerability. - CVE-2004-0997 A local privilege escalation in the MIPS assembly code has been found. - CVE-2004-1335 A memory leak in the ip_options_get() function may lead to denial of service. - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2003-0984 Inproper initialization of the RTC may disclose information. - CVE-2004-1070 Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation. - CVE-2004-1071 Incorrect error handling in the binfmt_elf loader may lead to privilege escalation. - CVE-2004-1072 A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service. - CVE-2004-1073 The open_exec function may disclose information. - CVE-2004-1074 The binfmt code is vulnerable to denial of service through malformed a.out binaries. - CVE-2004-0138 A denial of service vulnerability in the ELF loader has been found. - CVE-2004-1068 A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation. - CVE-2004-1234 The ELF loader is vulnerable to denial of service through malformed binaries. - CVE-2005-0003 Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions. - CVE-2004-1235 A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation. - CVE-2005-0504 An integer overflow in the Moxa driver may lead to privilege escalation. - CVE-2005-0384 A remote denial of service vulnerability has been found in the PPP driver. - CVE-2005-0135 An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function. The following matrix explains which kernel version for which architecture fixes the problems mentioned above : Debian 3.0 (woody) Source 2.4.16-1woody2 arm/lart 20040419woody1 arm/netwinder 20040419woody1 arm/riscpc 20040419woody1
    last seen2020-06-01
    modified2020-06-02
    plugin id22609
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22609
    titleDebian DSA-1067-1 : kernel-source-2.4.16 - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1067. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22609);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2003-0984", "CVE-2004-0138", "CVE-2004-0394", "CVE-2004-0427", "CVE-2004-0447", "CVE-2004-0554", "CVE-2004-0565", "CVE-2004-0685", "CVE-2004-0883", "CVE-2004-0949", "CVE-2004-0997", "CVE-2004-1016", "CVE-2004-1017", "CVE-2004-1068", "CVE-2004-1070", "CVE-2004-1071", "CVE-2004-1072", "CVE-2004-1073", "CVE-2004-1074", "CVE-2004-1234", "CVE-2004-1235", "CVE-2004-1333", "CVE-2004-1335", "CVE-2005-0001", "CVE-2005-0003", "CVE-2005-0124", "CVE-2005-0135", "CVE-2005-0384", "CVE-2005-0489", "CVE-2005-0504");
      script_xref(name:"DSA", value:"1067");
    
      script_name(english:"Debian DSA-1067-1 : kernel-source-2.4.16 - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several local and remote vulnerabilities have been discovered in the
    Linux kernel that may lead to a denial of service or the execution of
    arbitrary code. The Common Vulnerabilities and Exposures project
    identifies the following problems :
    
      - CVE-2004-0427
        A local denial of service vulnerability in do_fork() has
        been found.
    
      - CVE-2005-0489
        A local denial of service vulnerability in proc memory
        handling has been found.
    
      - CVE-2004-0394
        A buffer overflow in the panic handling code has been
        found.
    
      - CVE-2004-0447
        A local denial of service vulnerability through a NULL
        pointer dereference in the IA64 process handling code
        has been found.
    
      - CVE-2004-0554
        A local denial of service vulnerability through an
        infinite loop in the signal handler code has been found.
    
      - CVE-2004-0565
        An information leak in the context switch code has been
        found on the IA64 architecture.
    
      - CVE-2004-0685
        Unsafe use of copy_to_user in USB drivers may disclose
        sensitive information.
    
      - CVE-2005-0001
        A race condition in the i386 page fault handler may
        allow privilege escalation.
    
      - CVE-2004-0883
        Multiple vulnerabilities in the SMB filesystem code may
        allow denial of service or information disclosure.
    
      - CVE-2004-0949
        An information leak discovered in the SMB filesystem
        code.
    
      - CVE-2004-1016
        A local denial of service vulnerability has been found
        in the SCM layer.
    
      - CVE-2004-1333
        An integer overflow in the terminal code may allow a
        local denial of service vulnerability.
    
      - CVE-2004-0997
        A local privilege escalation in the MIPS assembly code
        has been found.
    
      - CVE-2004-1335
        A memory leak in the ip_options_get() function may lead
        to denial of service.
    
      - CVE-2004-1017
        Multiple overflows exist in the io_edgeport driver which
        might be usable as a denial of service attack vector.
    
      - CVE-2005-0124
        Bryan Fulton reported a bounds checking bug in the
        coda_pioctl function which may allow local users to
        execute arbitrary code or trigger a denial of service
        attack.
    
      - CVE-2003-0984
        Inproper initialization of the RTC may disclose
        information.
    
      - CVE-2004-1070
        Insufficient input sanitising in the load_elf_binary()
        function may lead to privilege escalation.
    
      - CVE-2004-1071
        Incorrect error handling in the binfmt_elf loader may
        lead to privilege escalation.
    
      - CVE-2004-1072
        A buffer overflow in the binfmt_elf loader may lead to
        privilege escalation or denial of service.
    
      - CVE-2004-1073
        The open_exec function may disclose information.
    
      - CVE-2004-1074
        The binfmt code is vulnerable to denial of service
        through malformed a.out binaries.
    
      - CVE-2004-0138
        A denial of service vulnerability in the ELF loader has
        been found.
    
      - CVE-2004-1068
        A programming error in the unix_dgram_recvmsg() function
        may lead to privilege escalation.
    
      - CVE-2004-1234
        The ELF loader is vulnerable to denial of service
        through malformed binaries.
    
      - CVE-2005-0003
        Crafted ELF binaries may lead to privilege escalation,
        due to insufficient checking of overlapping memory
        regions.
    
      - CVE-2004-1235
        A race condition in the load_elf_library() and
        binfmt_aout() functions may allow privilege escalation.
    
      - CVE-2005-0504
        An integer overflow in the Moxa driver may lead to
        privilege escalation.
    
      - CVE-2005-0384
        A remote denial of service vulnerability has been found
        in the PPP driver.
    
      - CVE-2005-0135
        An IA64 specific local denial of service vulnerability
        has been found in the unw_unwind_to_user() function.
    
    The following matrix explains which kernel version for which
    architecture fixes the problems mentioned above :
    
                                   Debian 3.0 (woody)           
      Source                       2.4.16-1woody2               
      arm/lart                     20040419woody1               
      arm/netwinder                20040419woody1               
      arm/riscpc                   20040419woody1"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0427"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0489"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0394"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0447"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0554"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0565"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0685"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0001"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0883"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0949"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1016"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1333"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0997"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1335"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1017"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0124"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2003-0984"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1070"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1071"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1072"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1074"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0138"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1068"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1234"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0003"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1235"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0504"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0384"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0135"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1067"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the kernel package immediately and reboot the machine."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.16-lart");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.16-netwinder");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.16-riscpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-source-2.4.16");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/05/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/01/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"kernel-doc-2.4.16", reference:"2.4.16-1woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.16", reference:"20040419woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.16-lart", reference:"20040419woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.16-netwinder", reference:"20040419woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.16-riscpc", reference:"20040419woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-source-2.4.16", reference:"2.4.16-1woody3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2004-549.NASL
    descriptionUpdated kernel packages that fix several security issues in Red Hat Enterprise Linux 3 are now available. The Linux kernel handles the basic functions of the operating system. This update includes fixes for several security issues : A missing serialization flaw in unix_dgram_recvmsg was discovered that affects kernels prior to 2.4.28. A local user could potentially make use of a race condition in order to gain privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1068 to this issue. Paul Starzetz of iSEC discovered various flaws in the ELF binary loader affecting kernels prior to 2.4.28. A local user could use thse flaws to gain read access to executable-only binaries or possibly gain privileges. (CVE-2004-1070, CVE-2004-1071, CVE-2004-1072, CVE-2004-1073) A flaw when setting up TSS limits was discovered that affects AMD AMD64 and Intel EM64T architecture kernels prior to 2.4.23. A local user could use this flaw to cause a denial of service (crash) or possibly gain privileges. (CVE-2004-0812) An integer overflow flaw was discovered in the ubsec_keysetup function in the Broadcom 5820 cryptonet driver. On systems using this driver, a local user could cause a denial of service (crash) or possibly gain elevated privileges. (CVE-2004-0619) Stefan Esser discovered various flaws including buffer overflows in the smbfs driver affecting kernels prior to 2.4.28. A local user may be able to cause a denial of service (crash) or possibly gain privileges. In order to exploit these flaws the user would require control of a connected Samba server. (CVE-2004-0883, CVE-2004-0949) SGI discovered a bug in the elf loader that affects kernels prior to 2.4.25 which could be triggered by a malformed binary. On architectures other than x86, a local user could create a malicious binary which could cause a denial of service (crash). (CVE-2004-0136) Conectiva discovered flaws in certain USB drivers affecting kernels prior to 2.4.27 which used the copy_to_user function on uninitialized structures. These flaws could allow local users to read small amounts of kernel memory. (CVE-2004-0685) All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen2020-06-01
    modified2020-06-02
    plugin id15944
    published2004-12-13
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/15944
    titleRHEL 3 : kernel (RHSA-2004:549)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2004:549. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15944);
      script_version ("1.31");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2004-0136", "CVE-2004-0138", "CVE-2004-0619", "CVE-2004-0685", "CVE-2004-0812", "CVE-2004-0883", "CVE-2004-0949", "CVE-2004-1068", "CVE-2004-1070", "CVE-2004-1071", "CVE-2004-1072", "CVE-2004-1073", "CVE-2004-1191");
      script_xref(name:"RHSA", value:"2004:549");
    
      script_name(english:"RHEL 3 : kernel (RHSA-2004:549)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kernel packages that fix several security issues in Red Hat
    Enterprise Linux 3 are now available.
    
    The Linux kernel handles the basic functions of the operating system.
    
    This update includes fixes for several security issues :
    
    A missing serialization flaw in unix_dgram_recvmsg was discovered that
    affects kernels prior to 2.4.28. A local user could potentially make
    use of a race condition in order to gain privileges. The Common
    Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
    name CVE-2004-1068 to this issue.
    
    Paul Starzetz of iSEC discovered various flaws in the ELF binary
    loader affecting kernels prior to 2.4.28. A local user could use thse
    flaws to gain read access to executable-only binaries or possibly gain
    privileges. (CVE-2004-1070, CVE-2004-1071, CVE-2004-1072,
    CVE-2004-1073)
    
    A flaw when setting up TSS limits was discovered that affects AMD
    AMD64 and Intel EM64T architecture kernels prior to 2.4.23. A local
    user could use this flaw to cause a denial of service (crash) or
    possibly gain privileges. (CVE-2004-0812)
    
    An integer overflow flaw was discovered in the ubsec_keysetup function
    in the Broadcom 5820 cryptonet driver. On systems using this driver, a
    local user could cause a denial of service (crash) or possibly gain
    elevated privileges. (CVE-2004-0619)
    
    Stefan Esser discovered various flaws including buffer overflows in
    the smbfs driver affecting kernels prior to 2.4.28. A local user may
    be able to cause a denial of service (crash) or possibly gain
    privileges. In order to exploit these flaws the user would require
    control of a connected Samba server. (CVE-2004-0883, CVE-2004-0949)
    
    SGI discovered a bug in the elf loader that affects kernels prior to
    2.4.25 which could be triggered by a malformed binary. On
    architectures other than x86, a local user could create a malicious
    binary which could cause a denial of service (crash). (CVE-2004-0136)
    
    Conectiva discovered flaws in certain USB drivers affecting kernels
    prior to 2.4.27 which used the copy_to_user function on uninitialized
    structures. These flaws could allow local users to read small amounts
    of kernel memory. (CVE-2004-0685)
    
    All Red Hat Enterprise Linux 3 users are advised to upgrade their
    kernels to the packages associated with their machine architectures
    and configurations as listed in this erratum."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0138"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0619"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0685"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0812"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0883"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0949"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1068"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1070"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1071"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1072"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2004:549"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-BOOT");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem-unsupported");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp-unsupported");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-unsupported");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/12/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/13");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CAN-2004-0136", "CAN-2004-0619", "CAN-2004-0685", "CAN-2004-0812", "CAN-2004-0883", "CAN-2004-0949", "CAN-2004-1068", "CAN-2004-1070", "CAN-2004-1071", "CAN-2004-1072", "CAN-2004-1073", "CVE-2004-0138", "CVE-2004-0619", "CVE-2004-0685", "CVE-2004-0812", "CVE-2004-0883", "CVE-2004-0949", "CVE-2004-1068", "CVE-2004-1070", "CVE-2004-1071", "CVE-2004-1072", "CVE-2004-1073", "CVE-2004-1191");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2004:549");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2004:549";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL3", reference:"kernel-2.4.21-20.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL3", cpu:"i386", reference:"kernel-BOOT-2.4.21-20.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL3", reference:"kernel-doc-2.4.21-20.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-hugemem-2.4.21-20.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-hugemem-unsupported-2.4.21-20.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-smp-2.4.21-20.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL3", cpu:"x86_64", reference:"kernel-smp-2.4.21-20.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-smp-unsupported-2.4.21-20.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL3", cpu:"x86_64", reference:"kernel-smp-unsupported-2.4.21-20.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL3", reference:"kernel-source-2.4.21-20.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL3", reference:"kernel-unsupported-2.4.21-20.0.1.EL")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-BOOT / kernel-doc / kernel-hugemem / etc");
      }
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1082.NASL
    descriptionSeveral local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0427 A local denial of service vulnerability in do_fork() has been found. - CVE-2005-0489 A local denial of service vulnerability in proc memory handling has been found. - CVE-2004-0394 A buffer overflow in the panic handling code has been found. - CVE-2004-0447 A local denial of service vulnerability through a NULL pointer dereference in the IA64 process handling code has been found. - CVE-2004-0554 A local denial of service vulnerability through an infinite loop in the signal handler code has been found. - CVE-2004-0565 An information leak in the context switch code has been found on the IA64 architecture. - CVE-2004-0685 Unsafe use of copy_to_user in USB drivers may disclose sensitive information. - CVE-2005-0001 A race condition in the i386 page fault handler may allow privilege escalation. - CVE-2004-0883 Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure. - CVE-2004-0949 An information leak discovered in the SMB filesystem code. - CVE-2004-1016 A local denial of service vulnerability has been found in the SCM layer. - CVE-2004-1333 An integer overflow in the terminal code may allow a local denial of service vulnerability. - CVE-2004-0997 A local privilege escalation in the MIPS assembly code has been found. - CVE-2004-1335 A memory leak in the ip_options_get() function may lead to denial of service. - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2003-0984 Inproper initialization of the RTC may disclose information. - CVE-2004-1070 Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation. - CVE-2004-1071 Incorrect error handling in the binfmt_elf loader may lead to privilege escalation. - CVE-2004-1072 A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service. - CVE-2004-1073 The open_exec function may disclose information. - CVE-2004-1074 The binfmt code is vulnerable to denial of service through malformed a.out binaries. - CVE-2004-0138 A denial of service vulnerability in the ELF loader has been found. - CVE-2004-1068 A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation. - CVE-2004-1234 The ELF loader is vulnerable to denial of service through malformed binaries. - CVE-2005-0003 Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions. - CVE-2004-1235 A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation. - CVE-2005-0504 An integer overflow in the Moxa driver may lead to privilege escalation. - CVE-2005-0384 A remote denial of service vulnerability has been found in the PPP driver. - CVE-2005-0135 An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function. The following matrix explains which kernel version for which architecture fixes the problems mentioned above : Debian 3.1 (sarge) Source 2.4.17-1woody4 HP Precision architecture 32.5 Intel IA-64 architecture 011226.18 IBM S/390 architecture/image 2.4.17-2.woody.5 IBM S/390 architecture/patch 0.0.20020816-0.woody.4 PowerPC architecture (apus) 2.4.17-6 MIPS architecture 2.4.17-0.020226.2.woody7
    last seen2020-06-01
    modified2020-06-02
    plugin id22624
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22624
    titleDebian DSA-1082-1 : kernel-source-2.4.17 - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1082. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22624);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2003-0984", "CVE-2004-0138", "CVE-2004-0394", "CVE-2004-0427", "CVE-2004-0447", "CVE-2004-0554", "CVE-2004-0565", "CVE-2004-0685", "CVE-2004-0883", "CVE-2004-0949", "CVE-2004-0997", "CVE-2004-1016", "CVE-2004-1017", "CVE-2004-1068", "CVE-2004-1070", "CVE-2004-1071", "CVE-2004-1072", "CVE-2004-1073", "CVE-2004-1074", "CVE-2004-1234", "CVE-2004-1235", "CVE-2004-1333", "CVE-2004-1335", "CVE-2005-0001", "CVE-2005-0003", "CVE-2005-0124", "CVE-2005-0135", "CVE-2005-0384", "CVE-2005-0489", "CVE-2005-0504");
      script_xref(name:"DSA", value:"1082");
    
      script_name(english:"Debian DSA-1082-1 : kernel-source-2.4.17 - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several local and remote vulnerabilities have been discovered in the
    Linux kernel that may lead to a denial of service or the execution of
    arbitrary code. The Common Vulnerabilities and Exposures project
    identifies the following problems :
    
      - CVE-2004-0427
        A local denial of service vulnerability in do_fork() has
        been found.
    
      - CVE-2005-0489
        A local denial of service vulnerability in proc memory
        handling has been found.
    
      - CVE-2004-0394
        A buffer overflow in the panic handling code has been
        found.
    
      - CVE-2004-0447
        A local denial of service vulnerability through a NULL
        pointer dereference in the IA64 process handling code
        has been found.
    
      - CVE-2004-0554
        A local denial of service vulnerability through an
        infinite loop in the signal handler code has been found.
    
      - CVE-2004-0565
        An information leak in the context switch code has been
        found on the IA64 architecture.
    
      - CVE-2004-0685
        Unsafe use of copy_to_user in USB drivers may disclose
        sensitive information.
    
      - CVE-2005-0001
        A race condition in the i386 page fault handler may
        allow privilege escalation.
    
      - CVE-2004-0883
        Multiple vulnerabilities in the SMB filesystem code may
        allow denial of service or information disclosure.
    
      - CVE-2004-0949
        An information leak discovered in the SMB filesystem
        code.
    
      - CVE-2004-1016
        A local denial of service vulnerability has been found
        in the SCM layer.
    
      - CVE-2004-1333
        An integer overflow in the terminal code may allow a
        local denial of service vulnerability.
    
      - CVE-2004-0997
        A local privilege escalation in the MIPS assembly code
        has been found.
    
      - CVE-2004-1335
        A memory leak in the ip_options_get() function may lead
        to denial of service.
    
      - CVE-2004-1017
        Multiple overflows exist in the io_edgeport driver which
        might be usable as a denial of service attack vector.
    
      - CVE-2005-0124
        Bryan Fulton reported a bounds checking bug in the
        coda_pioctl function which may allow local users to
        execute arbitrary code or trigger a denial of service
        attack.
    
      - CVE-2003-0984
        Inproper initialization of the RTC may disclose
        information.
    
      - CVE-2004-1070
        Insufficient input sanitising in the load_elf_binary()
        function may lead to privilege escalation.
    
      - CVE-2004-1071
        Incorrect error handling in the binfmt_elf loader may
        lead to privilege escalation.
    
      - CVE-2004-1072
        A buffer overflow in the binfmt_elf loader may lead to
        privilege escalation or denial of service.
    
      - CVE-2004-1073
        The open_exec function may disclose information.
    
      - CVE-2004-1074
        The binfmt code is vulnerable to denial of service
        through malformed a.out binaries.
    
      - CVE-2004-0138
        A denial of service vulnerability in the ELF loader has
        been found.
    
      - CVE-2004-1068
        A programming error in the unix_dgram_recvmsg() function
        may lead to privilege escalation.
    
      - CVE-2004-1234
        The ELF loader is vulnerable to denial of service
        through malformed binaries.
    
      - CVE-2005-0003
        Crafted ELF binaries may lead to privilege escalation,
        due to insufficient checking of overlapping memory
        regions.
    
      - CVE-2004-1235
        A race condition in the load_elf_library() and
        binfmt_aout() functions may allow privilege escalation.
    
      - CVE-2005-0504
        An integer overflow in the Moxa driver may lead to
        privilege escalation.
    
      - CVE-2005-0384
        A remote denial of service vulnerability has been found
        in the PPP driver.
    
      - CVE-2005-0135
        An IA64 specific local denial of service vulnerability
        has been found in the unw_unwind_to_user() function.
    
    The following matrix explains which kernel version for which
    architecture fixes the problems mentioned above :
    
                                    Debian 3.1 (sarge)            
      Source                        2.4.17-1woody4                
      HP Precision architecture     32.5                          
      Intel IA-64 architecture      011226.18                     
      IBM S/390 architecture/image  2.4.17-2.woody.5              
      IBM S/390 architecture/patch  0.0.20020816-0.woody.4        
      PowerPC architecture (apus)   2.4.17-6                      
      MIPS architecture             2.4.17-0.020226.2.woody7"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0427"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0489"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0394"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0447"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0554"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0565"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0685"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0001"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0883"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0949"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1016"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1333"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0997"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1335"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1017"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0124"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2003-0984"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1070"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1071"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1072"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1074"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0138"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1068"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1234"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0003"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1235"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0504"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0384"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0135"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1082"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the kernel package immediately and reboot the machine."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.17-hppa");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.17-ia64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.17-s390");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-patch-2.4.17-apus");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-patch-2.4.17-mips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-patch-2.4.17-s390");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-source-2.4.17");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/05/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/01/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"kernel-doc-2.4.17", reference:"2.4.17-1woody4")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.17", reference:"2.4.17-2.woody.5")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.17-apus", reference:"2.4.17-6")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.17-hppa", reference:"32.5")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.17-ia64", reference:"011226.18")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-32", reference:"32.5")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-32-smp", reference:"32.5")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-64", reference:"32.5")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-64-smp", reference:"32.5")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-apus", reference:"2.4.17-6")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-itanium", reference:"011226.18")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-itanium-smp", reference:"011226.18")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-mckinley", reference:"011226.18")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-mckinley-smp", reference:"011226.18")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-r3k-kn02", reference:"2.4.17-0.020226.2.woody7")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-r4k-ip22", reference:"2.4.17-0.020226.2.woody7")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-r4k-kn04", reference:"2.4.17-0.020226.2.woody7")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-r5k-ip22", reference:"2.4.17-0.020226.2.woody7")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-s390", reference:"2.4.17-2.woody.5")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-apus", reference:"2.4.17-6")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-patch-2.4.17-apus", reference:"2.4.17-6")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-patch-2.4.17-mips", reference:"2.4.17-0.020226.2.woody7")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-patch-2.4.17-s390", reference:"0.0.20020816-0.woody.4")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-source-2.4.17", reference:"2.4.17-1woody4")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-source-2.4.17-hppa", reference:"32.5")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-source-2.4.17-ia64", reference:"011226.18")) flag++;
    if (deb_check(release:"3.0", prefix:"mips-tools", reference:"2.4.17-0.020226.2.woody7")) flag++;
    if (deb_check(release:"3.0", prefix:"mkcramfs", reference:"2.4.17-1woody3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-60-0.NASL
    descriptionCAN-2005-0001 : Paul Starzetz discovered a race condition in the Linux page fault handler code. This allowed an unprivileged user to gain root privileges on multiprocessor machines under some circumstances. This also affects the Hyper-Threading mode on Pentium 4 processors. http://lists.netsys.com/pipermail/full-disclosure/2005-January/030660. html : Brad Spengler discovered that some device drivers used copy_from_user() (a function to copy data from userspace tools into kernel memory) with insufficient input validation. This potentially allowed users and/or malicious hardware to overwrite kernel memory which could result in a crash (Denial of Service) or even root privilege escalation. Additionally, this update corrects the SMB file system driver. USN-30-1 fixed some vulnerabilities in this driver (see CAN-2004-0883, CAN-2004-0949). However, it was found that these new validation checks were too strict, which cause some valid operations to fail. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id20679
    published2006-01-15
    reporterUbuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20679
    titleUbuntu 4.10 : linux-source-2.6.8.1 vulnerabilities (USN-60-0)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-60-0. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20679);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:33:00");
    
      script_cve_id("CVE-2004-0883", "CVE-2004-0949", "CVE-2005-0001");
      script_xref(name:"USN", value:"60-0");
    
      script_name(english:"Ubuntu 4.10 : linux-source-2.6.8.1 vulnerabilities (USN-60-0)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "CAN-2005-0001 :
    
    Paul Starzetz discovered a race condition in the Linux page fault
    handler code. This allowed an unprivileged user to gain root
    privileges on multiprocessor machines under some circumstances. This
    also affects the Hyper-Threading mode on Pentium 4 processors.
    
    http://lists.netsys.com/pipermail/full-disclosure/2005-January/030660.
    html :
    
    Brad Spengler discovered that some device drivers used
    copy_from_user() (a function to copy data from userspace tools into
    kernel memory) with insufficient input validation. This potentially
    allowed users and/or malicious hardware to overwrite kernel memory
    which could result in a crash (Denial of Service) or even root
    privilege escalation.
    
    Additionally, this update corrects the SMB file system driver.
    USN-30-1 fixed some vulnerabilities in this driver (see CAN-2004-0883,
    CAN-2004-0949). However, it was found that these new validation checks
    were too strict, which cause some valid operations to fail.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.8.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-4-386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-4-686");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-4-686-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-4-amd64-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-4-amd64-k8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-4-amd64-k8-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-4-amd64-xeon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-4-386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-4-686");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-4-686-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-4-amd64-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-4-amd64-k8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-4-amd64-k8-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-4-amd64-xeon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-patch-debian-2.6.8.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.8.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-tree-2.6.8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/01/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(4\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"4.10", pkgname:"linux-doc-2.6.8.1", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-4", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-4-386", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-4-686", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-4-686-smp", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-4-amd64-generic", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-4-amd64-k8", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-4-amd64-k8-smp", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-4-amd64-xeon", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-4-386", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-4-686", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-4-686-smp", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-4-amd64-generic", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-4-amd64-k8", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-4-amd64-k8-smp", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-4-amd64-xeon", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-patch-debian-2.6.8.1", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-source-2.6.8.1", pkgver:"2.6.8.1-16.10")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-tree-2.6.8.1", pkgver:"2.6.8.1-16.10")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-doc-2.6.8.1 / linux-headers-2.6.8.1-4 / etc");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2004-537.NASL
    descriptionUpdated openmotif packages that fix flaws in the Xpm image library are now available. OpenMotif provides libraries which implement the Motif industry standard graphical user interface. During a source code audit, Chris Evans and others discovered several stack overflow flaws and an integer overflow flaw in the libXpm library used to decode XPM (X PixMap) images. A vulnerable version of this library was found within OpenMotif. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0914 to these issues. Users of OpenMotif are advised to upgrade to these erratum packages, which contain backported security patches to the embedded libXpm library.
    last seen2020-06-01
    modified2020-06-02
    plugin id15943
    published2004-12-13
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/15943
    titleRHEL 2.1 / 3 : openmotif (RHSA-2004:537)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2004:537. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15943);
      script_version ("1.27");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2004-0687", "CVE-2004-0688", "CVE-2004-0883", "CVE-2004-0914", "CVE-2004-0949", "CVE-2004-1068", "CVE-2004-1071", "CVE-2004-1072");
      script_xref(name:"RHSA", value:"2004:537");
    
      script_name(english:"RHEL 2.1 / 3 : openmotif (RHSA-2004:537)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated openmotif packages that fix flaws in the Xpm image library are
    now available.
    
    OpenMotif provides libraries which implement the Motif industry
    standard graphical user interface.
    
    During a source code audit, Chris Evans and others discovered several
    stack overflow flaws and an integer overflow flaw in the libXpm
    library used to decode XPM (X PixMap) images. A vulnerable version of
    this library was found within OpenMotif. An attacker could create a
    carefully crafted XPM file which would cause an application to crash
    or potentially execute arbitrary code if opened by a victim. The
    Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0914 to
    these issues.
    
    Users of OpenMotif are advised to upgrade to these erratum packages,
    which contain backported security patches to the embedded libXpm
    library."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0687"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0688"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0914"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2004:537"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected openmotif, openmotif-devel and / or openmotif21
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openmotif");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openmotif-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openmotif21");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/10/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/12/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/13");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(2\.1|3)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2004:537";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openmotif-2.1.30-13.21AS.4")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openmotif-devel-2.1.30-13.21AS.4")) flag++;
    
      if (rpm_check(release:"RHEL3", reference:"openmotif-2.2.3-4.RHEL3.4")) flag++;
      if (rpm_check(release:"RHEL3", reference:"openmotif-devel-2.2.3-4.RHEL3.4")) flag++;
      if (rpm_check(release:"RHEL3", cpu:"i386", reference:"openmotif21-2.1.30-9.RHEL3.4")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openmotif / openmotif-devel / openmotif21");
      }
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-30-1.NASL
    descriptionCAN-2004-0883, CAN-2004-0949 : During an audit of the smb file system implementation within Linux, several vulnerabilities were discovered ranging from out of bounds read accesses to kernel level buffer overflows. To exploit any of these vulnerabilities, an attacker needs control over the answers of the connected Samba server. This could be achieved by man-in-the-middle attacks or by taking over the Samba server with e. g. the recently disclosed vulnerability in Samba 3.x (see CAN-2004-0882). While any of these vulnerabilities can be easily used as remote denial of service exploits against Linux systems, it is unclear if it is possible for a skilled local or remote attacker to use any of the possible buffer overflows for arbitrary code execution in kernel space. So these bugs may theoretically lead to privilege escalation and total compromise of the whole system. http://isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt : Several flaws have been found in the Linux ELF binary loader
    last seen2020-06-01
    modified2020-06-02
    plugin id20646
    published2006-01-15
    reporterUbuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20646
    titleUbuntu 4.10 : linux-source-2.6.8.1 vulnerabilities (USN-30-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-30-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20646);
      script_version("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:59");
    
      script_cve_id("CVE-2004-0882", "CVE-2004-0883", "CVE-2004-0949");
      script_xref(name:"USN", value:"30-1");
    
      script_name(english:"Ubuntu 4.10 : linux-source-2.6.8.1 vulnerabilities (USN-30-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "CAN-2004-0883, CAN-2004-0949 :
    
    During an audit of the smb file system implementation within Linux,
    several vulnerabilities were discovered ranging from out of bounds
    read accesses to kernel level buffer overflows.
    
    To exploit any of these vulnerabilities, an attacker needs
    control over the answers of the connected Samba server. This
    could be achieved by man-in-the-middle attacks or by taking
    over the Samba server with e. g. the recently disclosed
    vulnerability in Samba 3.x (see CAN-2004-0882).
    
    While any of these vulnerabilities can be easily used as
    remote denial of service exploits against Linux systems, it
    is unclear if it is possible for a skilled local or remote
    attacker to use any of the possible buffer overflows for
    arbitrary code execution in kernel space. So these bugs may
    theoretically lead to privilege escalation and total
    compromise of the whole system.
    
    http://isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt :
    
    Several flaws have been found in the Linux ELF binary loader's
    handling of setuid binaries. Nowadays ELF is the standard format for
    Linux executables and libraries. setuid binaries are programs that
    have the 'setuid' file permission bit set; they allow to execute a
    program under a user id different from the calling user and are mostly
    used to allow executing a program with root privileges to normal
    users.
    
    The vulnerabilities that were fixed in these updated kernel
    packages could lead Denial of Service attacks. They also
    might lead to execution of arbitrary code and privilege
    escalation on some platforms if an attacker is able to run
    setuid programs under some special system conditions (like
    very little remaining memory).
    
    Another flaw could allow an attacker to read supposedly
    unreadable, but executable suid binaries. The attacker can
    then use this to seek faults within the executable.
    
    http://marc.theaimsgroup.com/?l=linux-kernel&m=109776571411003&w=2 :
    
    Bernard Gagnon discovered a memory leak in the mmap raw packet socket
    implementation. When a client application (in ELF format) core dumps,
    a region of memory stays allocated as a ring buffer. This could be
    exploited by a malicious user who repeatedly crashes certain types of
    applications until the memory is exhausted, thus causing a Denial of
    Service.
    
    Reverted 486 emulation patch :
    
    Ubuntu kernels for the i386 platforms are compiled using the i486
    instruction set for performance reasons. Former Ubuntu kernels
    contained code which emulated the missing instructions on real 386
    processors. However, several actual and potential security flaws have
    been discovered in the code, and it was found to be unsupportable. It
    might be possible to exploit these vulnerabilities also on i486 and
    higher processors.
    
    Therefore support for real i386 processors has ceased. This
    updated kernel will only run on i486 and newer processors.
    
    Other architectures supported by Ubuntu (amd64, powerpc) are
    not affected.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.8.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-3-386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-3-686");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-3-686-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-3-amd64-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-3-amd64-k8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-3-amd64-k8-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-3-amd64-xeon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-3-386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-3-686");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-3-686-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-3-amd64-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-3-amd64-k8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-3-amd64-k8-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-3-amd64-xeon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-patch-debian-2.6.8.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.8.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-tree-2.6.8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/11/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(4\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"4.10", pkgname:"linux-doc-2.6.8.1", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-3", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-3-386", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-3-686", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-3-686-smp", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-3-amd64-generic", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-3-amd64-k8", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-3-amd64-k8-smp", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-3-amd64-xeon", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-3-386", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-3-686", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-3-686-smp", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-3-amd64-generic", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-3-amd64-k8", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-3-amd64-k8-smp", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-3-amd64-xeon", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-patch-debian-2.6.8.1", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-source-2.6.8.1", pkgver:"2.6.8.1-16.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"linux-tree-2.6.8.1", pkgver:"2.6.8.1-16.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-doc-2.6.8.1 / linux-headers-2.6.8.1-3 / etc");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1070.NASL
    descriptionSeveral local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0427 A local denial of service vulnerability in do_fork() has been found. - CVE-2005-0489 A local denial of service vulnerability in proc memory handling has been found. - CVE-2004-0394 A buffer overflow in the panic handling code has been found. - CVE-2004-0447 A local denial of service vulnerability through a NULL pointer dereference in the IA64 process handling code has been found. - CVE-2004-0554 A local denial of service vulnerability through an infinite loop in the signal handler code has been found. - CVE-2004-0565 An information leak in the context switch code has been found on the IA64 architecture. - CVE-2004-0685 Unsafe use of copy_to_user in USB drivers may disclose sensitive information. - CVE-2005-0001 A race condition in the i386 page fault handler may allow privilege escalation. - CVE-2004-0883 Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure. - CVE-2004-0949 An information leak discovered in the SMB filesystem code. - CVE-2004-1016 A local denial of service vulnerability has been found in the SCM layer. - CVE-2004-1333 An integer overflow in the terminal code may allow a local denial of service vulnerability. - CVE-2004-0997 A local privilege escalation in the MIPS assembly code has been found. - CVE-2004-1335 A memory leak in the ip_options_get() function may lead to denial of service. - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2003-0984 Inproper initialization of the RTC may disclose information. - CVE-2004-1070 Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation. - CVE-2004-1071 Incorrect error handling in the binfmt_elf loader may lead to privilege escalation. - CVE-2004-1072 A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service. - CVE-2004-1073 The open_exec function may disclose information. - CVE-2004-1074 The binfmt code is vulnerable to denial of service through malformed a.out binaries. - CVE-2004-0138 A denial of service vulnerability in the ELF loader has been found. - CVE-2004-1068 A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation. - CVE-2004-1234 The ELF loader is vulnerable to denial of service through malformed binaries. - CVE-2005-0003 Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions. - CVE-2004-1235 A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation. - CVE-2005-0504 An integer overflow in the Moxa driver may lead to privilege escalation. - CVE-2005-0384 A remote denial of service vulnerability has been found in the PPP driver. - CVE-2005-0135 An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function. The following matrix explains which kernel version for which architecture fixes the problems mentioned above : Debian 3.0 (woody) Source 2.4.19-4 Sun Sparc architecture 26woody1 Little endian MIPS architecture 0.020911.1.woody5
    last seen2020-06-01
    modified2020-06-02
    plugin id22612
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22612
    titleDebian DSA-1070-1 : kernel-source-2.4.19 - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1070. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22612);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2003-0984", "CVE-2004-0138", "CVE-2004-0394", "CVE-2004-0427", "CVE-2004-0447", "CVE-2004-0554", "CVE-2004-0565", "CVE-2004-0685", "CVE-2004-0883", "CVE-2004-0949", "CVE-2004-0997", "CVE-2004-1016", "CVE-2004-1017", "CVE-2004-1068", "CVE-2004-1070", "CVE-2004-1071", "CVE-2004-1072", "CVE-2004-1073", "CVE-2004-1074", "CVE-2004-1234", "CVE-2004-1235", "CVE-2004-1333", "CVE-2004-1335", "CVE-2005-0001", "CVE-2005-0003", "CVE-2005-0124", "CVE-2005-0135", "CVE-2005-0384", "CVE-2005-0489", "CVE-2005-0504");
      script_xref(name:"DSA", value:"1070");
    
      script_name(english:"Debian DSA-1070-1 : kernel-source-2.4.19 - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several local and remote vulnerabilities have been discovered in the
    Linux kernel that may lead to a denial of service or the execution of
    arbitrary code. The Common Vulnerabilities and Exposures project
    identifies the following problems :
    
      - CVE-2004-0427
        A local denial of service vulnerability in do_fork() has
        been found.
    
      - CVE-2005-0489
        A local denial of service vulnerability in proc memory
        handling has been found.
    
      - CVE-2004-0394
        A buffer overflow in the panic handling code has been
        found.
    
      - CVE-2004-0447
        A local denial of service vulnerability through a NULL
        pointer dereference in the IA64 process handling code
        has been found.
    
      - CVE-2004-0554
        A local denial of service vulnerability through an
        infinite loop in the signal handler code has been found.
    
      - CVE-2004-0565
        An information leak in the context switch code has been
        found on the IA64 architecture.
    
      - CVE-2004-0685
        Unsafe use of copy_to_user in USB drivers may disclose
        sensitive information.
    
      - CVE-2005-0001
        A race condition in the i386 page fault handler may
        allow privilege escalation.
    
      - CVE-2004-0883
        Multiple vulnerabilities in the SMB filesystem code may
        allow denial of service or information disclosure.
    
      - CVE-2004-0949
        An information leak discovered in the SMB filesystem
        code.
    
      - CVE-2004-1016
        A local denial of service vulnerability has been found
        in the SCM layer.
    
      - CVE-2004-1333
        An integer overflow in the terminal code may allow a
        local denial of service vulnerability.
    
      - CVE-2004-0997
        A local privilege escalation in the MIPS assembly code
        has been found.
    
      - CVE-2004-1335
        A memory leak in the ip_options_get() function may lead
        to denial of service.
    
      - CVE-2004-1017
        Multiple overflows exist in the io_edgeport driver which
        might be usable as a denial of service attack vector.
    
      - CVE-2005-0124
        Bryan Fulton reported a bounds checking bug in the
        coda_pioctl function which may allow local users to
        execute arbitrary code or trigger a denial of service
        attack.
    
      - CVE-2003-0984
        Inproper initialization of the RTC may disclose
        information.
    
      - CVE-2004-1070
        Insufficient input sanitising in the load_elf_binary()
        function may lead to privilege escalation.
    
      - CVE-2004-1071
        Incorrect error handling in the binfmt_elf loader may
        lead to privilege escalation.
    
      - CVE-2004-1072
        A buffer overflow in the binfmt_elf loader may lead to
        privilege escalation or denial of service.
    
      - CVE-2004-1073
        The open_exec function may disclose information.
    
      - CVE-2004-1074
        The binfmt code is vulnerable to denial of service
        through malformed a.out binaries.
    
      - CVE-2004-0138
        A denial of service vulnerability in the ELF loader has
        been found.
    
      - CVE-2004-1068
        A programming error in the unix_dgram_recvmsg() function
        may lead to privilege escalation.
    
      - CVE-2004-1234
        The ELF loader is vulnerable to denial of service
        through malformed binaries.
    
      - CVE-2005-0003
        Crafted ELF binaries may lead to privilege escalation,
        due to insufficient checking of overlapping memory
        regions.
    
      - CVE-2004-1235
        A race condition in the load_elf_library() and
        binfmt_aout() functions may allow privilege escalation.
    
      - CVE-2005-0504
        An integer overflow in the Moxa driver may lead to
        privilege escalation.
    
      - CVE-2005-0384
        A remote denial of service vulnerability has been found
        in the PPP driver.
    
      - CVE-2005-0135
        An IA64 specific local denial of service vulnerability
        has been found in the unw_unwind_to_user() function.
    
    The following matrix explains which kernel version for which
    architecture fixes the problems mentioned above :
    
                                       Debian 3.0 (woody)               
      Source                           2.4.19-4                         
      Sun Sparc architecture           26woody1                         
      Little endian MIPS architecture  0.020911.1.woody5"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0427"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0489"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0394"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0447"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0554"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0565"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0685"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0001"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0883"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0949"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1016"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1333"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0997"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1335"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1017"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0124"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2003-0984"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1070"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1071"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1072"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1074"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0138"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1068"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1234"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0003"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1235"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0504"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0384"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0135"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1070"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the kernel package immediately and reboot the machine."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-sparc-2.4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-patch-2.4.19-mips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-source-2.4.19");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/05/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/01/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"kernel-doc-2.4.19", reference:"2.4.19-4.woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-sparc", reference:"22woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.19", reference:"2.4.19-0.020911.1.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.19-sparc", reference:"26woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-sun4u", reference:"22woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-sun4u-smp", reference:"22woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.19-r4k-ip22", reference:"2.4.19-0.020911.1.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.19-r5k-ip22", reference:"2.4.19-0.020911.1.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.19-sun4u", reference:"26woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.19-sun4u-smp", reference:"26woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-patch-2.4.19-mips", reference:"2.4.19-0.020911.1.woody5")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-source-2.4.19", reference:"2.4.19-4.woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"mips-tools", reference:"2.4.19-0.020911.1.woody5")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2004-505.NASL
    descriptionUpdated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 2.1. This is the sixth regular update. The Linux kernel handles the basic functions of the operating system. This is the sixth regular kernel update to Red Hat Enterprise Linux version 2.1. It updates a number of device drivers, and adds much improved SATA support. This update includes fixes for several security issues : Paul Starzetz of iSEC discovered various flaws in the ELF binary loader affecting kernels prior to 2.4.28. A local user could use these flaws to gain read access to executable-only binaries or possibly gain privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-1070, CVE-2004-1071, CVE-2004-1072, and CVE-2004-1073 to these issues. A missing serialization flaw in unix_dgram_recvmsg was discovered that affects kernels prior to 2.4.28. A local user could potentially make use of a race condition in order to gain privileges. (CVE-2004-1068) Stefan Esser discovered various flaws including buffer overflows in the smbfs driver affecting kernels before 2.4.28. A local user may be able to cause a denial of service (crash) or possibly gain privileges. In order to exploit these flaws the user would need to have control of a connected smb server. (CVE-2004-0883, CVE-2004-0949) Conectiva discovered flaws in certain USB drivers affecting kernels before 2.4.27 which used the copy_to_user function on uninitialized structures. These flaws could allow local users to read small amounts of kernel memory. (CVE-2004-0685) The ext3 code in kernels before 2.4.26 did not properly initialize journal descriptor blocks. A privileged local user could read portions of kernel memory. (CVE-2004-0177) The following drivers have also been updated : * tg3 v3.10 * e1000 v5.3.19-k2 * e100 v3.0.27-k2 * megaraid * megaraid2 v2.10.8.2 All Red Hat Enterprise Linux 2.1 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen2020-06-01
    modified2020-06-02
    plugin id15958
    published2004-12-14
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/15958
    titleRHEL 2.1 : kernel (RHSA-2004:505)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2004:505. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15958);
      script_version ("1.27");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2004-0136", "CVE-2004-0177", "CVE-2004-0685", "CVE-2004-0883", "CVE-2004-0949", "CVE-2004-1068", "CVE-2004-1070", "CVE-2004-1071", "CVE-2004-1072", "CVE-2004-1073");
      script_xref(name:"RHSA", value:"2004:505");
    
      script_name(english:"RHEL 2.1 : kernel (RHSA-2004:505)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kernel packages are now available as part of ongoing support
    and maintenance of Red Hat Enterprise Linux version 2.1. This is the
    sixth regular update.
    
    The Linux kernel handles the basic functions of the operating system.
    
    This is the sixth regular kernel update to Red Hat Enterprise Linux
    version 2.1. It updates a number of device drivers, and adds much
    improved SATA support.
    
    This update includes fixes for several security issues :
    
    Paul Starzetz of iSEC discovered various flaws in the ELF binary
    loader affecting kernels prior to 2.4.28. A local user could use these
    flaws to gain read access to executable-only binaries or possibly gain
    privileges. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the names CVE-2004-1070, CVE-2004-1071,
    CVE-2004-1072, and CVE-2004-1073 to these issues.
    
    A missing serialization flaw in unix_dgram_recvmsg was discovered that
    affects kernels prior to 2.4.28. A local user could potentially make
    use of a race condition in order to gain privileges. (CVE-2004-1068)
    
    Stefan Esser discovered various flaws including buffer overflows in
    the smbfs driver affecting kernels before 2.4.28. A local user may be
    able to cause a denial of service (crash) or possibly gain privileges.
    In order to exploit these flaws the user would need to have control of
    a connected smb server. (CVE-2004-0883, CVE-2004-0949)
    
    Conectiva discovered flaws in certain USB drivers affecting kernels
    before 2.4.27 which used the copy_to_user function on uninitialized
    structures. These flaws could allow local users to read small amounts
    of kernel memory. (CVE-2004-0685)
    
    The ext3 code in kernels before 2.4.26 did not properly initialize
    journal descriptor blocks. A privileged local user could read portions
    of kernel memory. (CVE-2004-0177)
    
    The following drivers have also been updated :
    
    * tg3 v3.10 * e1000 v5.3.19-k2 * e100 v3.0.27-k2 * megaraid *
    megaraid2 v2.10.8.2
    
    All Red Hat Enterprise Linux 2.1 users are advised to upgrade their
    kernels to the packages associated with their machine architectures
    and configurations as listed in this erratum."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0177"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0685"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0883"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0949"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1068"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1070"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1071"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1072"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2004:505"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-BOOT");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-enterprise");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-summit");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/06/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/12/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CAN-2004-0136", "CAN-2004-0177", "CAN-2004-0685", "CAN-2004-0883", "CAN-2004-0949", "CAN-2004-1068", "CAN-2004-1070", "CAN-2004-1071", "CAN-2004-1072", "CAN-2004-1073", "CVE-2004-0177", "CVE-2004-0685", "CVE-2004-0883", "CVE-2004-0949", "CVE-2004-1068", "CVE-2004-1070", "CVE-2004-1071", "CVE-2004-1072", "CVE-2004-1073");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2004:505");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2004:505";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-2.4.9-e.57")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kernel-BOOT-2.4.9-e.57")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-debug-2.4.9-e.57")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kernel-doc-2.4.9-e.57")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-enterprise-2.4.9-e.57")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kernel-headers-2.4.9-e.57")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-smp-2.4.9-e.57")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kernel-source-2.4.9-e.57")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-summit-2.4.9-e.57")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-BOOT / kernel-debug / kernel-doc / etc");
      }
    }
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-022.NASL
    descriptionA number of vulnerabilities are fixed in the 2.4 and 2.6 kernels with this advisory : - Multiple race conditions in the terminal layer of 2.4 and 2.6 kernels (prior to 2.6.9) can allow a local attacker to obtain portions of kernel data or allow remote attackers to cause a kernel panic by switching from console to PPP line discipline, then quickly sending data that is received during the switch (CVE-2004-0814) - Richard Hart found an integer underflow problem in the iptables firewall logging rules that can allow a remote attacker to crash the machine by using a specially crafted IP packet. This is only possible, however, if firewalling is enabled. The problem only affects 2.6 kernels and was fixed upstream in 2.6.8 (CVE-2004-0816) - Stefan Esser found several remote DoS confitions in the smbfs file system. This could be exploited by a hostile SMB server (or an attacker injecting packets into the network) to crash the client systems (CVE-2004-0883 and CVE-2004-0949) - Paul Starzetz and Georgi Guninski reported, independently, that bad argument handling and bad integer arithmetics in the IPv4 sendmsg handling of control messages could lead to a local attacker crashing the machine. The fixes were done by Herbert Xu (CVE-2004-1016) - Rob Landley discovered a race condition in the handling of /proc/.../cmdline where, under rare circumstances, a user could read the environment variables of another process that was still spawning leading to the potential disclosure of sensitive information such as passwords (CVE-2004-1058) - Paul Starzetz reported that the missing serialization in unix_dgram_recvmsg() which was added to kernel 2.4.28 can be used by a local attacker to gain elevated (root) privileges (CVE-2004-1068) - Ross Kendall Axe discovered a possible kernel panic (DoS) while sending AF_UNIX network packets if certain SELinux-related kernel options were enabled. By default the CONFIG_SECURITY_NETWORK and CONFIG_SECURITY_SELINUX options are not enabled (CVE-2004-1069) - Paul Starzetz of isec.pl discovered several issues with the error handling of the ELF loader routines in the kernel. The fixes were provided by Chris Wright (CVE-2004-1070, CVE-2004-1071, CVE-2004-1072, CVE-2004-1073) - It was discovered that hand-crafted a.out binaries could be used to trigger a local DoS condition in both the 2.4 and 2.6 kernels. The fixes were done by Chris Wright (CVE-2004-1074) - Paul Starzetz found bad handling in the IGMP code which could lead to a local attacker being able to crash the machine. The fix was done by Chris Wright (CVE-2004-1137) - Jeremy Fitzhardinge discovered two buffer overflows in the sys32_ni_syscall() and sys32_vm86_warning() functions that could be used to overwrite kernel memory with attacker-supplied code resulting in privilege escalation (CVE-2004-1151) - Paul Starzetz found locally exploitable flaws in the binary format loader
    last seen2020-06-01
    modified2020-06-02
    plugin id16259
    published2005-01-26
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/16259
    titleMandrake Linux Security Advisory : kernel (MDKSA-2005:022)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2005:022. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16259);
      script_version ("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:47");
    
      script_cve_id("CVE-2004-0814", "CVE-2004-0816", "CVE-2004-0883", "CVE-2004-0949", "CVE-2004-1016", "CVE-2004-1057", "CVE-2004-1058", "CVE-2004-1068", "CVE-2004-1069", "CVE-2004-1070", "CVE-2004-1071", "CVE-2004-1072", "CVE-2004-1073", "CVE-2004-1074", "CVE-2004-1137", "CVE-2004-1151", "CVE-2004-1191", "CVE-2004-1235", "CVE-2005-0001", "CVE-2005-0003");
      script_xref(name:"MDKSA", value:"2005:022");
    
      script_name(english:"Mandrake Linux Security Advisory : kernel (MDKSA-2005:022)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A number of vulnerabilities are fixed in the 2.4 and 2.6 kernels with
    this advisory :
    
      - Multiple race conditions in the terminal layer of 2.4
        and 2.6 kernels (prior to 2.6.9) can allow a local
        attacker to obtain portions of kernel data or allow
        remote attackers to cause a kernel panic by switching
        from console to PPP line discipline, then quickly
        sending data that is received during the switch
        (CVE-2004-0814)
    
      - Richard Hart found an integer underflow problem in the
        iptables firewall logging rules that can allow a remote
        attacker to crash the machine by using a specially
        crafted IP packet. This is only possible, however, if
        firewalling is enabled. The problem only affects 2.6
        kernels and was fixed upstream in 2.6.8 (CVE-2004-0816)
    
      - Stefan Esser found several remote DoS confitions in the
        smbfs file system. This could be exploited by a hostile
        SMB server (or an attacker injecting packets into the
        network) to crash the client systems (CVE-2004-0883 and
        CVE-2004-0949)
    
      - Paul Starzetz and Georgi Guninski reported,
        independently, that bad argument handling and bad
        integer arithmetics in the IPv4 sendmsg handling of
        control messages could lead to a local attacker crashing
        the machine. The fixes were done by Herbert Xu
        (CVE-2004-1016)
    
      - Rob Landley discovered a race condition in the handling
        of /proc/.../cmdline where, under rare circumstances, a
        user could read the environment variables of another
        process that was still spawning leading to the potential
        disclosure of sensitive information such as passwords
        (CVE-2004-1058)
    
      - Paul Starzetz reported that the missing serialization in
        unix_dgram_recvmsg() which was added to kernel 2.4.28
        can be used by a local attacker to gain elevated (root)
        privileges (CVE-2004-1068)
    
      - Ross Kendall Axe discovered a possible kernel panic
        (DoS) while sending AF_UNIX network packets if certain
        SELinux-related kernel options were enabled. By default
        the CONFIG_SECURITY_NETWORK and CONFIG_SECURITY_SELINUX
        options are not enabled (CVE-2004-1069)
    
      - Paul Starzetz of isec.pl discovered several issues with
        the error handling of the ELF loader routines in the
        kernel. The fixes were provided by Chris Wright
        (CVE-2004-1070, CVE-2004-1071, CVE-2004-1072,
        CVE-2004-1073)
    
      - It was discovered that hand-crafted a.out binaries could
        be used to trigger a local DoS condition in both the 2.4
        and 2.6 kernels. The fixes were done by Chris Wright
        (CVE-2004-1074)
    
      - Paul Starzetz found bad handling in the IGMP code which
        could lead to a local attacker being able to crash the
        machine. The fix was done by Chris Wright
        (CVE-2004-1137)
    
      - Jeremy Fitzhardinge discovered two buffer overflows in
        the sys32_ni_syscall() and sys32_vm86_warning()
        functions that could be used to overwrite kernel memory
        with attacker-supplied code resulting in privilege
        escalation (CVE-2004-1151)
    
      - Paul Starzetz found locally exploitable flaws in the
        binary format loader's uselib() function that could be
        abused to allow a local user to obtain root privileges
        (CVE-2004-1235)
    
      - Paul Starzetz found an exploitable flaw in the page
        fault handler when running on SMP machines
        (CVE-2005-0001)
    
      - A vulnerability in insert_vm_struct could allow a locla
        user to trigger BUG() when the user created a large vma
        that overlapped with arg pages during exec
        (CVE-2005-0003)
    
      - Paul Starzetz also found a number of vulnerabilities in
        the kernel binfmt_elf loader that could lead a local
        user to obtain elevated (root) privileges
        (isec-0017-binfmt_elf)
    
    The provided packages are patched to fix these vulnerabilities. All
    users are encouraged to upgrade to these updated kernels.
    
    To update your kernel, please follow the directions located at :
    
    http://www.mandrakesoft.com/security/kernelupdate
    
    PLEASE NOTE: Mandrakelinux 10.0 users will need to upgrade to the
    latest module-init-tools package prior to upgrading their kernel.
    Likewise, MNF8.2 users will need to upgrade to the latest modutils
    package prior to upgrading their kernel."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://isec.pl/en/vulnerabilities/isec-0017-binfmt_elf.txt"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.isec.pl/vulnerabilities/isec-0022-pagefault.txt"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.ussg.iu.edu/hypermail/linux/kernel/0411.1/1222.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.4.22.41mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.4.25.13mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.4.28.0.rc1.5mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.6.3.25mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.6.8.1.24mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.22.41mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.25.13mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.28.0.rc1.5mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.6.3.25mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.6.8.1.24mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i586-up-1GB-2.4.28.0.rc1.5mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i586-up-1GB-2.6.8.1.24mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.4.22.41mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.4.25.13mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.6.3.25mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-64GB-2.6.8.1.24mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.4.22.41mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.4.25.13mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.6.3.25mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-secure-2.4.22.41mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-secure-2.6.3.25mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-secure-2.6.8.1.24mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.4.22.41mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.4.25.13mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.4.28.0.rc1.5mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.6.3.25mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.6.8.1.24mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-2.4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-2.6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-stripped");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-stripped-2.6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:module-init-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/01/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/26");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK10.0", reference:"kernel-2.4.25.13mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"kernel-2.6.3.25mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-enterprise-2.4.25.13mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-enterprise-2.6.3.25mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-i686-up-4GB-2.4.25.13mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-i686-up-4GB-2.6.3.25mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-p3-smp-64GB-2.4.25.13mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-p3-smp-64GB-2.6.3.25mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"kernel-secure-2.6.3.25mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"kernel-smp-2.4.25.13mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"kernel-smp-2.6.3.25mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"kernel-source-2.4.25-13mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"kernel-source-stripped-2.6.3-25mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"module-init-tools-3.0-1.2.1.100mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK10.1", reference:"kernel-2.4.28.0.rc1.5mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"kernel-2.6.8.1.24mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"kernel-enterprise-2.4.28.0.rc1.5mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"kernel-enterprise-2.6.8.1.24mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"kernel-i586-up-1GB-2.4.28.0.rc1.5mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"kernel-i586-up-1GB-2.6.8.1.24mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"kernel-i686-up-64GB-2.6.8.1.24mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"kernel-secure-2.6.8.1.24mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"kernel-smp-2.4.28.0.rc1.5mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"kernel-smp-2.6.8.1.24mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"kernel-source-2.4-2.4.28-0.rc1.5mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"kernel-source-2.6-2.6.8.1-24mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"kernel-source-stripped-2.6-2.6.8.1-24mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.2", reference:"kernel-2.4.22.41mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"kernel-enterprise-2.4.22.41mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"kernel-i686-up-4GB-2.4.22.41mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"kernel-p3-smp-64GB-2.4.22.41mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", reference:"kernel-secure-2.4.22.41mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", reference:"kernel-smp-2.4.22.41mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", reference:"kernel-source-2.4.22-41mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1069.NASL
    descriptionSeveral local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0427 A local denial of service vulnerability in do_fork() has been found. - CVE-2005-0489 A local denial of service vulnerability in proc memory handling has been found. - CVE-2004-0394 A buffer overflow in the panic handling code has been found. - CVE-2004-0447 A local denial of service vulnerability through a NULL pointer dereference in the IA64 process handling code has been found. - CVE-2004-0554 A local denial of service vulnerability through an infinite loop in the signal handler code has been found. - CVE-2004-0565 An information leak in the context switch code has been found on the IA64 architecture. - CVE-2004-0685 Unsafe use of copy_to_user in USB drivers may disclose sensitive information. - CVE-2005-0001 A race condition in the i386 page fault handler may allow privilege escalation. - CVE-2004-0883 Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure. - CVE-2004-0949 An information leak discovered in the SMB filesystem code. - CVE-2004-1016 A local denial of service vulnerability has been found in the SCM layer. - CVE-2004-1333 An integer overflow in the terminal code may allow a local denial of service vulnerability. - CVE-2004-0997 A local privilege escalation in the MIPS assembly code has been found. - CVE-2004-1335 A memory leak in the ip_options_get() function may lead to denial of service. - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2003-0984 Inproper initialization of the RTC may disclose information. - CVE-2004-1070 Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation. - CVE-2004-1071 Incorrect error handling in the binfmt_elf loader may lead to privilege escalation. - CVE-2004-1072 A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service. - CVE-2004-1073 The open_exec function may disclose information. - CVE-2004-1074 The binfmt code is vulnerable to denial of service through malformed a.out binaries. - CVE-2004-0138 A denial of service vulnerability in the ELF loader has been found. - CVE-2004-1068 A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation. - CVE-2004-1234 The ELF loader is vulnerable to denial of service through malformed binaries. - CVE-2005-0003 Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions. - CVE-2004-1235 A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation. - CVE-2005-0504 An integer overflow in the Moxa driver may lead to privilege escalation. - CVE-2005-0384 A remote denial of service vulnerability has been found in the PPP driver. - CVE-2005-0135 An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function. The following matrix explains which kernel version for which architecture fixes the problems mentioned above : Debian 3.0 (woody) Source 2.4.18-14.4 Alpha architecture 2.4.18-15woody1 Intel IA-32 architecture 2.4.18-13.2 HP Precision architecture 62.4 PowerPC architecture 2.4.18-1woody6 PowerPC architecture/XFS 20020329woody1 PowerPC architecture/benh 20020304woody1 Sun Sparc architecture 22woody1
    last seen2020-06-01
    modified2020-06-02
    plugin id22611
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22611
    titleDebian DSA-1069-1 : kernel-source-2.4.18 - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1069. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22611);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2003-0984", "CVE-2004-0138", "CVE-2004-0394", "CVE-2004-0427", "CVE-2004-0447", "CVE-2004-0554", "CVE-2004-0565", "CVE-2004-0685", "CVE-2004-0883", "CVE-2004-0949", "CVE-2004-0997", "CVE-2004-1016", "CVE-2004-1017", "CVE-2004-1068", "CVE-2004-1070", "CVE-2004-1071", "CVE-2004-1072", "CVE-2004-1073", "CVE-2004-1074", "CVE-2004-1234", "CVE-2004-1235", "CVE-2004-1333", "CVE-2004-1335", "CVE-2005-0001", "CVE-2005-0003", "CVE-2005-0124", "CVE-2005-0135", "CVE-2005-0384", "CVE-2005-0489", "CVE-2005-0504");
      script_xref(name:"DSA", value:"1069");
    
      script_name(english:"Debian DSA-1069-1 : kernel-source-2.4.18 - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several local and remote vulnerabilities have been discovered in the
    Linux kernel that may lead to a denial of service or the execution of
    arbitrary code. The Common Vulnerabilities and Exposures project
    identifies the following problems :
    
      - CVE-2004-0427
        A local denial of service vulnerability in do_fork() has
        been found.
    
      - CVE-2005-0489
        A local denial of service vulnerability in proc memory
        handling has been found.
    
      - CVE-2004-0394
        A buffer overflow in the panic handling code has been
        found.
    
      - CVE-2004-0447
        A local denial of service vulnerability through a NULL
        pointer dereference in the IA64 process handling code
        has been found.
    
      - CVE-2004-0554
        A local denial of service vulnerability through an
        infinite loop in the signal handler code has been found.
    
      - CVE-2004-0565
        An information leak in the context switch code has been
        found on the IA64 architecture.
    
      - CVE-2004-0685
        Unsafe use of copy_to_user in USB drivers may disclose
        sensitive information.
    
      - CVE-2005-0001
        A race condition in the i386 page fault handler may
        allow privilege escalation.
    
      - CVE-2004-0883
        Multiple vulnerabilities in the SMB filesystem code may
        allow denial of service or information disclosure.
    
      - CVE-2004-0949
        An information leak discovered in the SMB filesystem
        code.
    
      - CVE-2004-1016
        A local denial of service vulnerability has been found
        in the SCM layer.
    
      - CVE-2004-1333
        An integer overflow in the terminal code may allow a
        local denial of service vulnerability.
    
      - CVE-2004-0997
        A local privilege escalation in the MIPS assembly code
        has been found.
    
      - CVE-2004-1335
        A memory leak in the ip_options_get() function may lead
        to denial of service.
    
      - CVE-2004-1017
        Multiple overflows exist in the io_edgeport driver which
        might be usable as a denial of service attack vector.
    
      - CVE-2005-0124
        Bryan Fulton reported a bounds checking bug in the
        coda_pioctl function which may allow local users to
        execute arbitrary code or trigger a denial of service
        attack.
    
      - CVE-2003-0984
        Inproper initialization of the RTC may disclose
        information.
    
      - CVE-2004-1070
        Insufficient input sanitising in the load_elf_binary()
        function may lead to privilege escalation.
    
      - CVE-2004-1071
        Incorrect error handling in the binfmt_elf loader may
        lead to privilege escalation.
    
      - CVE-2004-1072
        A buffer overflow in the binfmt_elf loader may lead to
        privilege escalation or denial of service.
    
      - CVE-2004-1073
        The open_exec function may disclose information.
    
      - CVE-2004-1074
        The binfmt code is vulnerable to denial of service
        through malformed a.out binaries.
    
      - CVE-2004-0138
        A denial of service vulnerability in the ELF loader has
        been found.
    
      - CVE-2004-1068
        A programming error in the unix_dgram_recvmsg() function
        may lead to privilege escalation.
    
      - CVE-2004-1234
        The ELF loader is vulnerable to denial of service
        through malformed binaries.
    
      - CVE-2005-0003
        Crafted ELF binaries may lead to privilege escalation,
        due to insufficient checking of overlapping memory
        regions.
    
      - CVE-2004-1235
        A race condition in the load_elf_library() and
        binfmt_aout() functions may allow privilege escalation.
    
      - CVE-2005-0504
        An integer overflow in the Moxa driver may lead to
        privilege escalation.
    
      - CVE-2005-0384
        A remote denial of service vulnerability has been found
        in the PPP driver.
    
      - CVE-2005-0135
        An IA64 specific local denial of service vulnerability
        has been found in the unw_unwind_to_user() function.
    
    The following matrix explains which kernel version for which
    architecture fixes the problems mentioned above :
    
                                       Debian 3.0 (woody)               
      Source                           2.4.18-14.4                      
      Alpha architecture               2.4.18-15woody1                  
      Intel IA-32 architecture         2.4.18-13.2                      
      HP Precision architecture        62.4                             
      PowerPC architecture             2.4.18-1woody6                   
      PowerPC architecture/XFS         20020329woody1                   
      PowerPC architecture/benh        20020304woody1                   
      Sun Sparc architecture           22woody1"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0427"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0489"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0394"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0447"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0554"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0565"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0685"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0001"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0883"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0949"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1016"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1333"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0997"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1335"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1017"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0124"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2003-0984"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1070"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1071"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1072"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1074"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-0138"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1068"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1234"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0003"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2004-1235"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0504"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0384"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-0135"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1069"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the kernel package immediately and reboot the machine."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.18-1-alpha");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.18-1-i386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.18-hppa");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.18-powerpc-xfs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-patch-2.4.18-powerpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-patch-benh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-source-2.4.18");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/05/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/01/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"kernel-doc-2.4.18", reference:"2.4.18-14.4")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18", reference:"2.4.18-1woody6")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1-386", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1-586tsc", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1-686", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1-686-smp", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1-generic", reference:"2.4.18-15woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1-k6", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1-k7", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1-smp", reference:"2.4.18-15woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-1-386", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-1-586tsc", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-1-686", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-1-686-smp", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-1-generic", reference:"2.4.18-15woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-1-k6", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-1-k7", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-1-smp", reference:"2.4.18-15woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-newpmac", reference:"2.4.18-1woody6")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-powerpc", reference:"2.4.18-1woody6")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-powerpc-smp", reference:"2.4.18-1woody6")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-powerpc-xfs", reference:"20020329woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-patch-2.4.18-powerpc", reference:"2.4.18-1woody6")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-patch-benh", reference:"20020304woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-pcmcia-modules-2.4.18-1-386", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-pcmcia-modules-2.4.18-1-586tsc", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-pcmcia-modules-2.4.18-1-686", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-pcmcia-modules-2.4.18-1-686-smp", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-pcmcia-modules-2.4.18-1-k6", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-pcmcia-modules-2.4.18-1-k7", reference:"2.4.18-13.2")) flag++;
    if (deb_check(release:"3.0", prefix:"kernel-source-2.4.18", reference:"2.4.18-14.4")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Oval

accepted2013-04-29T04:04:58.814-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
descriptionThe smb_recv_trans2 function call in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 does not properly handle the re-assembly of fragmented packets correctly, which could allow remote samba servers to (1) read arbitrary kernel information or (2) raise a counter value to an arbitrary number by sending the first part of the fragmented packet multiple times.
familyunix
idoval:org.mitre.oval:def:10360
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleThe smb_recv_trans2 function call in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 does not properly handle the re-assembly of fragmented packets correctly, which could allow remote samba servers to (1) read arbitrary kernel information or (2) raise a counter value to an arbitrary number by sending the first part of the fragmented packet multiple times.
version26

Redhat

advisories
  • rhsa
    idRHSA-2004:504
  • rhsa
    idRHSA-2004:505
  • rhsa
    idRHSA-2004:537
rpms
  • kernel-0:2.4.21-20.0.1.EL
  • kernel-BOOT-0:2.4.21-20.0.1.EL
  • kernel-debuginfo-0:2.4.21-20.0.1.EL
  • kernel-doc-0:2.4.21-20.0.1.EL
  • kernel-hugemem-0:2.4.21-20.0.1.EL
  • kernel-hugemem-unsupported-0:2.4.21-20.0.1.EL
  • kernel-smp-0:2.4.21-20.0.1.EL
  • kernel-smp-unsupported-0:2.4.21-20.0.1.EL
  • kernel-source-0:2.4.21-20.0.1.EL
  • kernel-unsupported-0:2.4.21-20.0.1.EL