Vulnerabilities > CVE-2004-1074 - Local Denial Of Service And Memory Disclosure vulnerability in Linux Kernel

CVSS 2.1 - LOW

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

PARTIAL

local

low complexity

nessus

exploit available

NVD

Published: 2005-01-10

Updated: 2017-10-11

Summary

The binfmt functionality in the Linux kernel, when "memory overcommit" is enabled, allows local users to cause a denial of service (kernel oops) via a malformed a.out binary.

Vulnerable Configurations

Part	Description	Count
OS	Linux Linux Linux Kernel 2.4.0 Linux Linux Kernel 2.4.1 Linux Linux Kernel 2.4.2 Linux Linux Kernel 2.4.3 Linux Linux Kernel 2.4.4 Linux Linux Kernel 2.4.5 Linux Linux Kernel 2.4.6 Linux Linux Kernel 2.4.7 Linux Linux Kernel 2.4.8 Linux Linux Kernel 2.4.9 Linux Linux Kernel 2.4.10 Linux Linux Kernel 2.4.11 Linux Linux Kernel 2.4.12 Linux Linux Kernel 2.4.13 Linux Linux Kernel 2.4.14 Linux Linux Kernel 2.4.15 Linux Linux Kernel 2.4.16 Linux Linux Kernel 2.4.17 Linux Linux Kernel 2.4.18 Linux Linux Kernel 2.4.19 Linux Linux Kernel 2.4.20 Linux Linux Kernel 2.4.21 Linux Linux Kernel 2.4.22 Linux Linux Kernel 2.4.23 Linux Linux Kernel 2.4.23_Ow2 Linux Linux Kernel 2.4.24 Linux Linux Kernel 2.4.24_Ow1 Linux Linux Kernel 2.4.25 Linux Linux Kernel 2.4.26 Linux Linux Kernel 2.4.27 Linux Linux Kernel 2.6.0 Linux Linux Kernel 2.6.1 Linux Linux Kernel 2.6.2 Linux Linux Kernel 2.6.3 Linux Linux Kernel 2.6.4 Linux Linux Kernel 2.6.5 Linux Linux Kernel 2.6.6 Linux Linux Kernel 2.6.7 Linux Linux Kernel 2.6.8 Linux Linux Kernel 2.6.9 Linux Linux Kernel 2.6_Test9_Cvs	95
OS	Redhat Redhat Enterprise Linux 2.1 Redhat Enterprise Linux 3.0 Redhat Enterprise Linux Desktop 3.0 Redhat Fedora Core Core_2.0 Redhat Fedora Core Core_3.0 Redhat Linux Advanced Workstation 2.1	14
OS	Suse Suse Suse Linux 1.0 Suse Suse Linux 8 Suse Suse Linux 8.1 Suse Suse Linux 8.2 Suse Suse Linux 9.0 Suse Suse Linux 9.1 Suse Suse Linux 9.2	9
OS	Trustix Trustix Secure Linux 1.5 Trustix Secure Linux 2.0 Trustix Secure Linux 2.1 Trustix Secure Linux 2.2	4
OS	Turbolinux Turbolinux Turbolinux Server 10.0	1

Exploit-Db

description	Linux Kernel 2.4.x/2.6.x Local Denial Of Service And Memory Disclosure Vulnerabilities. CVE-2004-1074. Dos exploit for linux platform
id	EDB-ID:24777
last seen	2016-02-03
modified	2004-11-25
published	2004-11-25
reporter	Florian Heinz
source	https://www.exploit-db.com/download/24777/
title	Linux Kernel 2.4.x / 2.6.x - Local Denial of Service And Memory Disclosure Vulnerabilities

Nessus

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1067.NASL
description	Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0427 A local denial of service vulnerability in do_fork() has been found. - CVE-2005-0489 A local denial of service vulnerability in proc memory handling has been found. - CVE-2004-0394 A buffer overflow in the panic handling code has been found. - CVE-2004-0447 A local denial of service vulnerability through a NULL pointer dereference in the IA64 process handling code has been found. - CVE-2004-0554 A local denial of service vulnerability through an infinite loop in the signal handler code has been found. - CVE-2004-0565 An information leak in the context switch code has been found on the IA64 architecture. - CVE-2004-0685 Unsafe use of copy_to_user in USB drivers may disclose sensitive information. - CVE-2005-0001 A race condition in the i386 page fault handler may allow privilege escalation. - CVE-2004-0883 Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure. - CVE-2004-0949 An information leak discovered in the SMB filesystem code. - CVE-2004-1016 A local denial of service vulnerability has been found in the SCM layer. - CVE-2004-1333 An integer overflow in the terminal code may allow a local denial of service vulnerability. - CVE-2004-0997 A local privilege escalation in the MIPS assembly code has been found. - CVE-2004-1335 A memory leak in the ip_options_get() function may lead to denial of service. - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2003-0984 Inproper initialization of the RTC may disclose information. - CVE-2004-1070 Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation. - CVE-2004-1071 Incorrect error handling in the binfmt_elf loader may lead to privilege escalation. - CVE-2004-1072 A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service. - CVE-2004-1073 The open_exec function may disclose information. - CVE-2004-1074 The binfmt code is vulnerable to denial of service through malformed a.out binaries. - CVE-2004-0138 A denial of service vulnerability in the ELF loader has been found. - CVE-2004-1068 A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation. - CVE-2004-1234 The ELF loader is vulnerable to denial of service through malformed binaries. - CVE-2005-0003 Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions. - CVE-2004-1235 A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation. - CVE-2005-0504 An integer overflow in the Moxa driver may lead to privilege escalation. - CVE-2005-0384 A remote denial of service vulnerability has been found in the PPP driver. - CVE-2005-0135 An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function. The following matrix explains which kernel version for which architecture fixes the problems mentioned above : Debian 3.0 (woody) Source 2.4.16-1woody2 arm/lart 20040419woody1 arm/netwinder 20040419woody1 arm/riscpc 20040419woody1
last seen	2020-06-01
modified	2020-06-02
plugin id	22609
published	2006-10-14
reporter	This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/22609
title	Debian DSA-1067-1 : kernel-source-2.4.16 - several vulnerabilities
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1067. The text # itself is copyright (C) Software in the Public Interest, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(22609); script_version("1.18"); script_cvs_date("Date: 2019/08/02 13:32:19"); script_cve_id("CVE-2003-0984", "CVE-2004-0138", "CVE-2004-0394", "CVE-2004-0427", "CVE-2004-0447", "CVE-2004-0554", "CVE-2004-0565", "CVE-2004-0685", "CVE-2004-0883", "CVE-2004-0949", "CVE-2004-0997", "CVE-2004-1016", "CVE-2004-1017", "CVE-2004-1068", "CVE-2004-1070", "CVE-2004-1071", "CVE-2004-1072", "CVE-2004-1073", "CVE-2004-1074", "CVE-2004-1234", "CVE-2004-1235", "CVE-2004-1333", "CVE-2004-1335", "CVE-2005-0001", "CVE-2005-0003", "CVE-2005-0124", "CVE-2005-0135", "CVE-2005-0384", "CVE-2005-0489", "CVE-2005-0504"); script_xref(name:"DSA", value:"1067"); script_name(english:"Debian DSA-1067-1 : kernel-source-2.4.16 - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0427 A local denial of service vulnerability in do_fork() has been found. - CVE-2005-0489 A local denial of service vulnerability in proc memory handling has been found. - CVE-2004-0394 A buffer overflow in the panic handling code has been found. - CVE-2004-0447 A local denial of service vulnerability through a NULL pointer dereference in the IA64 process handling code has been found. - CVE-2004-0554 A local denial of service vulnerability through an infinite loop in the signal handler code has been found. - CVE-2004-0565 An information leak in the context switch code has been found on the IA64 architecture. - CVE-2004-0685 Unsafe use of copy_to_user in USB drivers may disclose sensitive information. - CVE-2005-0001 A race condition in the i386 page fault handler may allow privilege escalation. - CVE-2004-0883 Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure. - CVE-2004-0949 An information leak discovered in the SMB filesystem code. - CVE-2004-1016 A local denial of service vulnerability has been found in the SCM layer. - CVE-2004-1333 An integer overflow in the terminal code may allow a local denial of service vulnerability. - CVE-2004-0997 A local privilege escalation in the MIPS assembly code has been found. - CVE-2004-1335 A memory leak in the ip_options_get() function may lead to denial of service. - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2003-0984 Inproper initialization of the RTC may disclose information. - CVE-2004-1070 Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation. - CVE-2004-1071 Incorrect error handling in the binfmt_elf loader may lead to privilege escalation. - CVE-2004-1072 A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service. - CVE-2004-1073 The open_exec function may disclose information. - CVE-2004-1074 The binfmt code is vulnerable to denial of service through malformed a.out binaries. - CVE-2004-0138 A denial of service vulnerability in the ELF loader has been found. - CVE-2004-1068 A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation. - CVE-2004-1234 The ELF loader is vulnerable to denial of service through malformed binaries. - CVE-2005-0003 Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions. - CVE-2004-1235 A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation. - CVE-2005-0504 An integer overflow in the Moxa driver may lead to privilege escalation. - CVE-2005-0384 A remote denial of service vulnerability has been found in the PPP driver. - CVE-2005-0135 An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function. The following matrix explains which kernel version for which architecture fixes the problems mentioned above : Debian 3.0 (woody) Source 2.4.16-1woody2 arm/lart 20040419woody1 arm/netwinder 20040419woody1 arm/riscpc 20040419woody1" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0427" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0489" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0394" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0447" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0554" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0565" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0685" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0001" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0883" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0949" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1016" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1333" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0997" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1335" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1017" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0124" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2003-0984" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1070" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1071" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1072" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1073" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1074" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0138" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1068" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1234" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0003" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1235" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0504" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0384" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0135" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-1067" ); script_set_attribute( attribute:"solution", value:"Upgrade the kernel package immediately and reboot the machine." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.16-lart"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.16-netwinder"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.16-riscpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-source-2.4.16"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2006/05/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/01/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"kernel-doc-2.4.16", reference:"2.4.16-1woody3")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.16", reference:"20040419woody1")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.16-lart", reference:"20040419woody1")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.16-netwinder", reference:"20040419woody1")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.16-riscpc", reference:"20040419woody1")) flag++; if (deb_check(release:"3.0", prefix:"kernel-source-2.4.16", reference:"2.4.16-1woody3")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1082.NASL
description	Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0427 A local denial of service vulnerability in do_fork() has been found. - CVE-2005-0489 A local denial of service vulnerability in proc memory handling has been found. - CVE-2004-0394 A buffer overflow in the panic handling code has been found. - CVE-2004-0447 A local denial of service vulnerability through a NULL pointer dereference in the IA64 process handling code has been found. - CVE-2004-0554 A local denial of service vulnerability through an infinite loop in the signal handler code has been found. - CVE-2004-0565 An information leak in the context switch code has been found on the IA64 architecture. - CVE-2004-0685 Unsafe use of copy_to_user in USB drivers may disclose sensitive information. - CVE-2005-0001 A race condition in the i386 page fault handler may allow privilege escalation. - CVE-2004-0883 Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure. - CVE-2004-0949 An information leak discovered in the SMB filesystem code. - CVE-2004-1016 A local denial of service vulnerability has been found in the SCM layer. - CVE-2004-1333 An integer overflow in the terminal code may allow a local denial of service vulnerability. - CVE-2004-0997 A local privilege escalation in the MIPS assembly code has been found. - CVE-2004-1335 A memory leak in the ip_options_get() function may lead to denial of service. - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2003-0984 Inproper initialization of the RTC may disclose information. - CVE-2004-1070 Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation. - CVE-2004-1071 Incorrect error handling in the binfmt_elf loader may lead to privilege escalation. - CVE-2004-1072 A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service. - CVE-2004-1073 The open_exec function may disclose information. - CVE-2004-1074 The binfmt code is vulnerable to denial of service through malformed a.out binaries. - CVE-2004-0138 A denial of service vulnerability in the ELF loader has been found. - CVE-2004-1068 A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation. - CVE-2004-1234 The ELF loader is vulnerable to denial of service through malformed binaries. - CVE-2005-0003 Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions. - CVE-2004-1235 A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation. - CVE-2005-0504 An integer overflow in the Moxa driver may lead to privilege escalation. - CVE-2005-0384 A remote denial of service vulnerability has been found in the PPP driver. - CVE-2005-0135 An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function. The following matrix explains which kernel version for which architecture fixes the problems mentioned above : Debian 3.1 (sarge) Source 2.4.17-1woody4 HP Precision architecture 32.5 Intel IA-64 architecture 011226.18 IBM S/390 architecture/image 2.4.17-2.woody.5 IBM S/390 architecture/patch 0.0.20020816-0.woody.4 PowerPC architecture (apus) 2.4.17-6 MIPS architecture 2.4.17-0.020226.2.woody7
last seen	2020-06-01
modified	2020-06-02
plugin id	22624
published	2006-10-14
reporter	This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/22624
title	Debian DSA-1082-1 : kernel-source-2.4.17 - several vulnerabilities
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1082. The text # itself is copyright (C) Software in the Public Interest, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(22624); script_version("1.18"); script_cvs_date("Date: 2019/08/02 13:32:19"); script_cve_id("CVE-2003-0984", "CVE-2004-0138", "CVE-2004-0394", "CVE-2004-0427", "CVE-2004-0447", "CVE-2004-0554", "CVE-2004-0565", "CVE-2004-0685", "CVE-2004-0883", "CVE-2004-0949", "CVE-2004-0997", "CVE-2004-1016", "CVE-2004-1017", "CVE-2004-1068", "CVE-2004-1070", "CVE-2004-1071", "CVE-2004-1072", "CVE-2004-1073", "CVE-2004-1074", "CVE-2004-1234", "CVE-2004-1235", "CVE-2004-1333", "CVE-2004-1335", "CVE-2005-0001", "CVE-2005-0003", "CVE-2005-0124", "CVE-2005-0135", "CVE-2005-0384", "CVE-2005-0489", "CVE-2005-0504"); script_xref(name:"DSA", value:"1082"); script_name(english:"Debian DSA-1082-1 : kernel-source-2.4.17 - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0427 A local denial of service vulnerability in do_fork() has been found. - CVE-2005-0489 A local denial of service vulnerability in proc memory handling has been found. - CVE-2004-0394 A buffer overflow in the panic handling code has been found. - CVE-2004-0447 A local denial of service vulnerability through a NULL pointer dereference in the IA64 process handling code has been found. - CVE-2004-0554 A local denial of service vulnerability through an infinite loop in the signal handler code has been found. - CVE-2004-0565 An information leak in the context switch code has been found on the IA64 architecture. - CVE-2004-0685 Unsafe use of copy_to_user in USB drivers may disclose sensitive information. - CVE-2005-0001 A race condition in the i386 page fault handler may allow privilege escalation. - CVE-2004-0883 Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure. - CVE-2004-0949 An information leak discovered in the SMB filesystem code. - CVE-2004-1016 A local denial of service vulnerability has been found in the SCM layer. - CVE-2004-1333 An integer overflow in the terminal code may allow a local denial of service vulnerability. - CVE-2004-0997 A local privilege escalation in the MIPS assembly code has been found. - CVE-2004-1335 A memory leak in the ip_options_get() function may lead to denial of service. - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2003-0984 Inproper initialization of the RTC may disclose information. - CVE-2004-1070 Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation. - CVE-2004-1071 Incorrect error handling in the binfmt_elf loader may lead to privilege escalation. - CVE-2004-1072 A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service. - CVE-2004-1073 The open_exec function may disclose information. - CVE-2004-1074 The binfmt code is vulnerable to denial of service through malformed a.out binaries. - CVE-2004-0138 A denial of service vulnerability in the ELF loader has been found. - CVE-2004-1068 A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation. - CVE-2004-1234 The ELF loader is vulnerable to denial of service through malformed binaries. - CVE-2005-0003 Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions. - CVE-2004-1235 A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation. - CVE-2005-0504 An integer overflow in the Moxa driver may lead to privilege escalation. - CVE-2005-0384 A remote denial of service vulnerability has been found in the PPP driver. - CVE-2005-0135 An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function. The following matrix explains which kernel version for which architecture fixes the problems mentioned above : Debian 3.1 (sarge) Source 2.4.17-1woody4 HP Precision architecture 32.5 Intel IA-64 architecture 011226.18 IBM S/390 architecture/image 2.4.17-2.woody.5 IBM S/390 architecture/patch 0.0.20020816-0.woody.4 PowerPC architecture (apus) 2.4.17-6 MIPS architecture 2.4.17-0.020226.2.woody7" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0427" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0489" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0394" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0447" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0554" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0565" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0685" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0001" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0883" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0949" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1016" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1333" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0997" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1335" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1017" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0124" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2003-0984" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1070" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1071" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1072" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1073" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1074" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0138" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1068" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1234" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0003" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1235" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0504" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0384" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0135" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-1082" ); script_set_attribute( attribute:"solution", value:"Upgrade the kernel package immediately and reboot the machine." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.17-hppa"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.17-ia64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.17-s390"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-patch-2.4.17-apus"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-patch-2.4.17-mips"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-patch-2.4.17-s390"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-source-2.4.17"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2006/05/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/01/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"kernel-doc-2.4.17", reference:"2.4.17-1woody4")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.17", reference:"2.4.17-2.woody.5")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.17-apus", reference:"2.4.17-6")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.17-hppa", reference:"32.5")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.17-ia64", reference:"011226.18")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-32", reference:"32.5")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-32-smp", reference:"32.5")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-64", reference:"32.5")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-64-smp", reference:"32.5")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-apus", reference:"2.4.17-6")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-itanium", reference:"011226.18")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-itanium-smp", reference:"011226.18")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-mckinley", reference:"011226.18")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-mckinley-smp", reference:"011226.18")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-r3k-kn02", reference:"2.4.17-0.020226.2.woody7")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-r4k-ip22", reference:"2.4.17-0.020226.2.woody7")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-r4k-kn04", reference:"2.4.17-0.020226.2.woody7")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-r5k-ip22", reference:"2.4.17-0.020226.2.woody7")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.17-s390", reference:"2.4.17-2.woody.5")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-apus", reference:"2.4.17-6")) flag++; if (deb_check(release:"3.0", prefix:"kernel-patch-2.4.17-apus", reference:"2.4.17-6")) flag++; if (deb_check(release:"3.0", prefix:"kernel-patch-2.4.17-mips", reference:"2.4.17-0.020226.2.woody7")) flag++; if (deb_check(release:"3.0", prefix:"kernel-patch-2.4.17-s390", reference:"0.0.20020816-0.woody.4")) flag++; if (deb_check(release:"3.0", prefix:"kernel-source-2.4.17", reference:"2.4.17-1woody4")) flag++; if (deb_check(release:"3.0", prefix:"kernel-source-2.4.17-hppa", reference:"32.5")) flag++; if (deb_check(release:"3.0", prefix:"kernel-source-2.4.17-ia64", reference:"011226.18")) flag++; if (deb_check(release:"3.0", prefix:"mips-tools", reference:"2.4.17-0.020226.2.woody7")) flag++; if (deb_check(release:"3.0", prefix:"mkcramfs", reference:"2.4.17-1woody3")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1070.NASL
description	Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0427 A local denial of service vulnerability in do_fork() has been found. - CVE-2005-0489 A local denial of service vulnerability in proc memory handling has been found. - CVE-2004-0394 A buffer overflow in the panic handling code has been found. - CVE-2004-0447 A local denial of service vulnerability through a NULL pointer dereference in the IA64 process handling code has been found. - CVE-2004-0554 A local denial of service vulnerability through an infinite loop in the signal handler code has been found. - CVE-2004-0565 An information leak in the context switch code has been found on the IA64 architecture. - CVE-2004-0685 Unsafe use of copy_to_user in USB drivers may disclose sensitive information. - CVE-2005-0001 A race condition in the i386 page fault handler may allow privilege escalation. - CVE-2004-0883 Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure. - CVE-2004-0949 An information leak discovered in the SMB filesystem code. - CVE-2004-1016 A local denial of service vulnerability has been found in the SCM layer. - CVE-2004-1333 An integer overflow in the terminal code may allow a local denial of service vulnerability. - CVE-2004-0997 A local privilege escalation in the MIPS assembly code has been found. - CVE-2004-1335 A memory leak in the ip_options_get() function may lead to denial of service. - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2003-0984 Inproper initialization of the RTC may disclose information. - CVE-2004-1070 Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation. - CVE-2004-1071 Incorrect error handling in the binfmt_elf loader may lead to privilege escalation. - CVE-2004-1072 A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service. - CVE-2004-1073 The open_exec function may disclose information. - CVE-2004-1074 The binfmt code is vulnerable to denial of service through malformed a.out binaries. - CVE-2004-0138 A denial of service vulnerability in the ELF loader has been found. - CVE-2004-1068 A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation. - CVE-2004-1234 The ELF loader is vulnerable to denial of service through malformed binaries. - CVE-2005-0003 Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions. - CVE-2004-1235 A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation. - CVE-2005-0504 An integer overflow in the Moxa driver may lead to privilege escalation. - CVE-2005-0384 A remote denial of service vulnerability has been found in the PPP driver. - CVE-2005-0135 An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function. The following matrix explains which kernel version for which architecture fixes the problems mentioned above : Debian 3.0 (woody) Source 2.4.19-4 Sun Sparc architecture 26woody1 Little endian MIPS architecture 0.020911.1.woody5
last seen	2020-06-01
modified	2020-06-02
plugin id	22612
published	2006-10-14
reporter	This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/22612
title	Debian DSA-1070-1 : kernel-source-2.4.19 - several vulnerabilities
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1070. The text # itself is copyright (C) Software in the Public Interest, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(22612); script_version("1.18"); script_cvs_date("Date: 2019/08/02 13:32:19"); script_cve_id("CVE-2003-0984", "CVE-2004-0138", "CVE-2004-0394", "CVE-2004-0427", "CVE-2004-0447", "CVE-2004-0554", "CVE-2004-0565", "CVE-2004-0685", "CVE-2004-0883", "CVE-2004-0949", "CVE-2004-0997", "CVE-2004-1016", "CVE-2004-1017", "CVE-2004-1068", "CVE-2004-1070", "CVE-2004-1071", "CVE-2004-1072", "CVE-2004-1073", "CVE-2004-1074", "CVE-2004-1234", "CVE-2004-1235", "CVE-2004-1333", "CVE-2004-1335", "CVE-2005-0001", "CVE-2005-0003", "CVE-2005-0124", "CVE-2005-0135", "CVE-2005-0384", "CVE-2005-0489", "CVE-2005-0504"); script_xref(name:"DSA", value:"1070"); script_name(english:"Debian DSA-1070-1 : kernel-source-2.4.19 - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0427 A local denial of service vulnerability in do_fork() has been found. - CVE-2005-0489 A local denial of service vulnerability in proc memory handling has been found. - CVE-2004-0394 A buffer overflow in the panic handling code has been found. - CVE-2004-0447 A local denial of service vulnerability through a NULL pointer dereference in the IA64 process handling code has been found. - CVE-2004-0554 A local denial of service vulnerability through an infinite loop in the signal handler code has been found. - CVE-2004-0565 An information leak in the context switch code has been found on the IA64 architecture. - CVE-2004-0685 Unsafe use of copy_to_user in USB drivers may disclose sensitive information. - CVE-2005-0001 A race condition in the i386 page fault handler may allow privilege escalation. - CVE-2004-0883 Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure. - CVE-2004-0949 An information leak discovered in the SMB filesystem code. - CVE-2004-1016 A local denial of service vulnerability has been found in the SCM layer. - CVE-2004-1333 An integer overflow in the terminal code may allow a local denial of service vulnerability. - CVE-2004-0997 A local privilege escalation in the MIPS assembly code has been found. - CVE-2004-1335 A memory leak in the ip_options_get() function may lead to denial of service. - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2003-0984 Inproper initialization of the RTC may disclose information. - CVE-2004-1070 Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation. - CVE-2004-1071 Incorrect error handling in the binfmt_elf loader may lead to privilege escalation. - CVE-2004-1072 A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service. - CVE-2004-1073 The open_exec function may disclose information. - CVE-2004-1074 The binfmt code is vulnerable to denial of service through malformed a.out binaries. - CVE-2004-0138 A denial of service vulnerability in the ELF loader has been found. - CVE-2004-1068 A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation. - CVE-2004-1234 The ELF loader is vulnerable to denial of service through malformed binaries. - CVE-2005-0003 Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions. - CVE-2004-1235 A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation. - CVE-2005-0504 An integer overflow in the Moxa driver may lead to privilege escalation. - CVE-2005-0384 A remote denial of service vulnerability has been found in the PPP driver. - CVE-2005-0135 An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function. The following matrix explains which kernel version for which architecture fixes the problems mentioned above : Debian 3.0 (woody) Source 2.4.19-4 Sun Sparc architecture 26woody1 Little endian MIPS architecture 0.020911.1.woody5" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0427" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0489" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0394" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0447" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0554" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0565" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0685" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0001" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0883" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0949" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1016" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1333" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0997" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1335" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1017" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0124" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2003-0984" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1070" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1071" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1072" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1073" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1074" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0138" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1068" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1234" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0003" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1235" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0504" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0384" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0135" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-1070" ); script_set_attribute( attribute:"solution", value:"Upgrade the kernel package immediately and reboot the machine." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-sparc-2.4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-patch-2.4.19-mips"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-source-2.4.19"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2006/05/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/01/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"kernel-doc-2.4.19", reference:"2.4.19-4.woody3")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-sparc", reference:"22woody1")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.19", reference:"2.4.19-0.020911.1.woody5")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.19-sparc", reference:"26woody1")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-sun4u", reference:"22woody1")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-sun4u-smp", reference:"22woody1")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.19-r4k-ip22", reference:"2.4.19-0.020911.1.woody5")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.19-r5k-ip22", reference:"2.4.19-0.020911.1.woody5")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.19-sun4u", reference:"26woody1")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.19-sun4u-smp", reference:"26woody1")) flag++; if (deb_check(release:"3.0", prefix:"kernel-patch-2.4.19-mips", reference:"2.4.19-0.020911.1.woody5")) flag++; if (deb_check(release:"3.0", prefix:"kernel-source-2.4.19", reference:"2.4.19-4.woody3")) flag++; if (deb_check(release:"3.0", prefix:"mips-tools", reference:"2.4.19-0.020911.1.woody5")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-39-1.NASL
description	USN-30-1 fixed several flaws in the Linux ELF binary loader
last seen	2020-06-01
modified	2020-06-02
plugin id	20655
published	2006-01-15
reporter	Ubuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/20655
title	Ubuntu 4.10 : linux-source-2.6.8.1 vulnerability (USN-39-1)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-39-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(20655); script_version("1.13"); script_cvs_date("Date: 2019/08/02 13:33:00"); script_cve_id("CVE-2004-1074"); script_xref(name:"USN", value:"39-1"); script_name(english:"Ubuntu 4.10 : linux-source-2.6.8.1 vulnerability (USN-39-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "USN-30-1 fixed several flaws in the Linux ELF binary loader's handling of setuid binaries. Unfortunately it was found that these patches were not sufficient to prevent all possible attacks on 64-bit platforms, so previous amd64 kernel images were still vulnerable to root privilege escalation if setuid binaries were run under certain conditions. This issue does not affect the i386 and powerpc platforms. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.8.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-4-386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-4-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-4-686-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-4-amd64-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-4-amd64-k8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-4-amd64-k8-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-4-amd64-xeon"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-4-386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-4-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-4-686-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-4-amd64-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-4-amd64-k8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-4-amd64-k8-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-4-amd64-xeon"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-patch-debian-2.6.8.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.8.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-tree-2.6.8.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10"); script_set_attribute(attribute:"patch_publication_date", value:"2004/12/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(4\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"4.10", pkgname:"linux-doc-2.6.8.1", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-4", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-4-386", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-4-686", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-4-686-smp", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-4-amd64-generic", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-4-amd64-k8", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-4-amd64-k8-smp", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-headers-2.6.8.1-4-amd64-xeon", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-4-386", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-4-686", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-4-686-smp", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-4-amd64-generic", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-4-amd64-k8", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-4-amd64-k8-smp", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-image-2.6.8.1-4-amd64-xeon", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-patch-debian-2.6.8.1", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-source-2.6.8.1", pkgver:"2.6.8.1-16.4")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"linux-tree-2.6.8.1", pkgver:"2.6.8.1-16.4")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-doc-2.6.8.1 / linux-headers-2.6.8.1-4 / etc"); }

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2005-043.NASL
description	Updated kernel packages that fix several security issues in Red Hat Enterprise Linux 3 are now available. The Linux kernel handles the basic functions of the operating system. This advisory includes fixes for several security issues : iSEC Security Research discovered a VMA handling flaw in the uselib(2) system call of the Linux kernel. A local user could make use of this flaw to gain elevated (root) privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1235 to this issue. A flaw was discovered where an executable could cause a VMA overlap leading to a crash. A local user could trigger this flaw by creating a carefully crafted a.out binary on 32-bit systems or a carefully crafted ELF binary on Itanium systems. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0003 to this issue. iSEC Security Research discovered a flaw in the page fault handler code that could lead to local users gaining elevated (root) privileges on multiprocessor machines. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0001 to this issue. A patch that coincidentally fixed this issue was committed to the Update 4 kernel release in December 2004. Therefore Red Hat Enterprise Linux 3 kernels provided by RHBA-2004:550 and subsequent updates are not vulnerable to this issue. A flaw in the system call filtering code in the audit subsystem included in Red Hat Enterprise Linux 3 allowed a local user to cause a crash when auditing was enabled. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1237 to this issue. Olaf Kirch discovered that the recent security fixes for cmsg_len handling (CVE-2004-1016) broke 32-bit compatibility on 64-bit platforms such as AMD64 and Intel EM64T. A patch to correct this issue is included. A recent Internet Draft by Fernando Gont recommended that ICMP Source Quench messages be ignored by hosts. A patch to ignore these messages is included. Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
last seen	2020-06-01
modified	2020-06-02
plugin id	16211
published	2005-01-19
reporter	This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/16211
title	RHEL 3 : kernel (RHSA-2005:043)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2005:043. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(16211); script_version ("1.34"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2004-0791", "CVE-2004-1074", "CVE-2004-1235", "CVE-2004-1237", "CVE-2005-0001", "CVE-2005-0003"); script_bugtraq_id(13124); script_xref(name:"RHSA", value:"2005:043"); script_name(english:"RHEL 3 : kernel (RHSA-2005:043)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kernel packages that fix several security issues in Red Hat Enterprise Linux 3 are now available. The Linux kernel handles the basic functions of the operating system. This advisory includes fixes for several security issues : iSEC Security Research discovered a VMA handling flaw in the uselib(2) system call of the Linux kernel. A local user could make use of this flaw to gain elevated (root) privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1235 to this issue. A flaw was discovered where an executable could cause a VMA overlap leading to a crash. A local user could trigger this flaw by creating a carefully crafted a.out binary on 32-bit systems or a carefully crafted ELF binary on Itanium systems. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0003 to this issue. iSEC Security Research discovered a flaw in the page fault handler code that could lead to local users gaining elevated (root) privileges on multiprocessor machines. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0001 to this issue. A patch that coincidentally fixed this issue was committed to the Update 4 kernel release in December 2004. Therefore Red Hat Enterprise Linux 3 kernels provided by RHBA-2004:550 and subsequent updates are not vulnerable to this issue. A flaw in the system call filtering code in the audit subsystem included in Red Hat Enterprise Linux 3 allowed a local user to cause a crash when auditing was enabled. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1237 to this issue. Olaf Kirch discovered that the recent security fixes for cmsg_len handling (CVE-2004-1016) broke 32-bit compatibility on 64-bit platforms such as AMD64 and Intel EM64T. A patch to correct this issue is included. A recent Internet Draft by Fernando Gont recommended that ICMP Source Quench messages be ignored by hosts. A patch to ignore these messages is included. Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0791" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-1074" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-1235" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-1237" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2005-0003" ); # http://marc.theaimsgroup.com/?m=109503896031720 script_set_attribute( attribute:"see_also", value:"https://marc.info/?m=109503896031720" ); # http://www.isec.pl/vulnerabilities/isec-0021-uselib.txt script_set_attribute( attribute:"see_also", value:"https://isec.pl/en/vulnerabilities/isec-0021-uselib.txt" ); # http://www.isec.pl/vulnerabilities/isec-0022-pagefault.txt script_set_attribute( attribute:"see_also", value:"https://isec.pl/en/vulnerabilities/isec-0022-pagefault.txt" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2005:043" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-BOOT"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem-unsupported"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp-unsupported"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-unsupported"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/10"); script_set_attribute(attribute:"patch_publication_date", value:"2005/01/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/19"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^3([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2004-0791", "CVE-2004-1074", "CVE-2004-1235", "CVE-2004-1237", "CVE-2005-0001", "CVE-2005-0003"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2005:043"); } else { __rpm_report = ksplice_reporting_text(); } } yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2005:043"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL3", reference:"kernel-2.4.21-27.0.2.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"i386", reference:"kernel-BOOT-2.4.21-27.0.2.EL")) flag++; if (rpm_check(release:"RHEL3", reference:"kernel-doc-2.4.21-27.0.2.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-hugemem-2.4.21-27.0.2.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-hugemem-unsupported-2.4.21-27.0.2.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-smp-2.4.21-27.0.2.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"x86_64", reference:"kernel-smp-2.4.21-27.0.2.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-smp-unsupported-2.4.21-27.0.2.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"x86_64", reference:"kernel-smp-unsupported-2.4.21-27.0.2.EL")) flag++; if (rpm_check(release:"RHEL3", reference:"kernel-source-2.4.21-27.0.2.EL")) flag++; if (rpm_check(release:"RHEL3", reference:"kernel-unsupported-2.4.21-27.0.2.EL")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-BOOT / kernel-doc / kernel-hugemem / etc"); } }

NASL family	Mandriva Local Security Checks
NASL id	MANDRAKE_MDKSA-2005-022.NASL
description	A number of vulnerabilities are fixed in the 2.4 and 2.6 kernels with this advisory : - Multiple race conditions in the terminal layer of 2.4 and 2.6 kernels (prior to 2.6.9) can allow a local attacker to obtain portions of kernel data or allow remote attackers to cause a kernel panic by switching from console to PPP line discipline, then quickly sending data that is received during the switch (CVE-2004-0814) - Richard Hart found an integer underflow problem in the iptables firewall logging rules that can allow a remote attacker to crash the machine by using a specially crafted IP packet. This is only possible, however, if firewalling is enabled. The problem only affects 2.6 kernels and was fixed upstream in 2.6.8 (CVE-2004-0816) - Stefan Esser found several remote DoS confitions in the smbfs file system. This could be exploited by a hostile SMB server (or an attacker injecting packets into the network) to crash the client systems (CVE-2004-0883 and CVE-2004-0949) - Paul Starzetz and Georgi Guninski reported, independently, that bad argument handling and bad integer arithmetics in the IPv4 sendmsg handling of control messages could lead to a local attacker crashing the machine. The fixes were done by Herbert Xu (CVE-2004-1016) - Rob Landley discovered a race condition in the handling of /proc/.../cmdline where, under rare circumstances, a user could read the environment variables of another process that was still spawning leading to the potential disclosure of sensitive information such as passwords (CVE-2004-1058) - Paul Starzetz reported that the missing serialization in unix_dgram_recvmsg() which was added to kernel 2.4.28 can be used by a local attacker to gain elevated (root) privileges (CVE-2004-1068) - Ross Kendall Axe discovered a possible kernel panic (DoS) while sending AF_UNIX network packets if certain SELinux-related kernel options were enabled. By default the CONFIG_SECURITY_NETWORK and CONFIG_SECURITY_SELINUX options are not enabled (CVE-2004-1069) - Paul Starzetz of isec.pl discovered several issues with the error handling of the ELF loader routines in the kernel. The fixes were provided by Chris Wright (CVE-2004-1070, CVE-2004-1071, CVE-2004-1072, CVE-2004-1073) - It was discovered that hand-crafted a.out binaries could be used to trigger a local DoS condition in both the 2.4 and 2.6 kernels. The fixes were done by Chris Wright (CVE-2004-1074) - Paul Starzetz found bad handling in the IGMP code which could lead to a local attacker being able to crash the machine. The fix was done by Chris Wright (CVE-2004-1137) - Jeremy Fitzhardinge discovered two buffer overflows in the sys32_ni_syscall() and sys32_vm86_warning() functions that could be used to overwrite kernel memory with attacker-supplied code resulting in privilege escalation (CVE-2004-1151) - Paul Starzetz found locally exploitable flaws in the binary format loader
last seen	2020-06-01
modified	2020-06-02
plugin id	16259
published	2005-01-26
reporter	This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/16259
title	Mandrake Linux Security Advisory : kernel (MDKSA-2005:022)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2005:022. # The text itself is copyright (C) Mandriva S.A. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(16259); script_version ("1.20"); script_cvs_date("Date: 2019/08/02 13:32:47"); script_cve_id("CVE-2004-0814", "CVE-2004-0816", "CVE-2004-0883", "CVE-2004-0949", "CVE-2004-1016", "CVE-2004-1057", "CVE-2004-1058", "CVE-2004-1068", "CVE-2004-1069", "CVE-2004-1070", "CVE-2004-1071", "CVE-2004-1072", "CVE-2004-1073", "CVE-2004-1074", "CVE-2004-1137", "CVE-2004-1151", "CVE-2004-1191", "CVE-2004-1235", "CVE-2005-0001", "CVE-2005-0003"); script_xref(name:"MDKSA", value:"2005:022"); script_name(english:"Mandrake Linux Security Advisory : kernel (MDKSA-2005:022)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A number of vulnerabilities are fixed in the 2.4 and 2.6 kernels with this advisory : - Multiple race conditions in the terminal layer of 2.4 and 2.6 kernels (prior to 2.6.9) can allow a local attacker to obtain portions of kernel data or allow remote attackers to cause a kernel panic by switching from console to PPP line discipline, then quickly sending data that is received during the switch (CVE-2004-0814) - Richard Hart found an integer underflow problem in the iptables firewall logging rules that can allow a remote attacker to crash the machine by using a specially crafted IP packet. This is only possible, however, if firewalling is enabled. The problem only affects 2.6 kernels and was fixed upstream in 2.6.8 (CVE-2004-0816) - Stefan Esser found several remote DoS confitions in the smbfs file system. This could be exploited by a hostile SMB server (or an attacker injecting packets into the network) to crash the client systems (CVE-2004-0883 and CVE-2004-0949) - Paul Starzetz and Georgi Guninski reported, independently, that bad argument handling and bad integer arithmetics in the IPv4 sendmsg handling of control messages could lead to a local attacker crashing the machine. The fixes were done by Herbert Xu (CVE-2004-1016) - Rob Landley discovered a race condition in the handling of /proc/.../cmdline where, under rare circumstances, a user could read the environment variables of another process that was still spawning leading to the potential disclosure of sensitive information such as passwords (CVE-2004-1058) - Paul Starzetz reported that the missing serialization in unix_dgram_recvmsg() which was added to kernel 2.4.28 can be used by a local attacker to gain elevated (root) privileges (CVE-2004-1068) - Ross Kendall Axe discovered a possible kernel panic (DoS) while sending AF_UNIX network packets if certain SELinux-related kernel options were enabled. By default the CONFIG_SECURITY_NETWORK and CONFIG_SECURITY_SELINUX options are not enabled (CVE-2004-1069) - Paul Starzetz of isec.pl discovered several issues with the error handling of the ELF loader routines in the kernel. The fixes were provided by Chris Wright (CVE-2004-1070, CVE-2004-1071, CVE-2004-1072, CVE-2004-1073) - It was discovered that hand-crafted a.out binaries could be used to trigger a local DoS condition in both the 2.4 and 2.6 kernels. The fixes were done by Chris Wright (CVE-2004-1074) - Paul Starzetz found bad handling in the IGMP code which could lead to a local attacker being able to crash the machine. The fix was done by Chris Wright (CVE-2004-1137) - Jeremy Fitzhardinge discovered two buffer overflows in the sys32_ni_syscall() and sys32_vm86_warning() functions that could be used to overwrite kernel memory with attacker-supplied code resulting in privilege escalation (CVE-2004-1151) - Paul Starzetz found locally exploitable flaws in the binary format loader's uselib() function that could be abused to allow a local user to obtain root privileges (CVE-2004-1235) - Paul Starzetz found an exploitable flaw in the page fault handler when running on SMP machines (CVE-2005-0001) - A vulnerability in insert_vm_struct could allow a locla user to trigger BUG() when the user created a large vma that overlapped with arg pages during exec (CVE-2005-0003) - Paul Starzetz also found a number of vulnerabilities in the kernel binfmt_elf loader that could lead a local user to obtain elevated (root) privileges (isec-0017-binfmt_elf) The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at : http://www.mandrakesoft.com/security/kernelupdate PLEASE NOTE: Mandrakelinux 10.0 users will need to upgrade to the latest module-init-tools package prior to upgrading their kernel. Likewise, MNF8.2 users will need to upgrade to the latest modutils package prior to upgrading their kernel." ); script_set_attribute( attribute:"see_also", value:"https://isec.pl/en/vulnerabilities/isec-0017-binfmt_elf.txt" ); script_set_attribute( attribute:"see_also", value:"http://www.isec.pl/vulnerabilities/isec-0022-pagefault.txt" ); script_set_attribute( attribute:"see_also", value:"http://www.ussg.iu.edu/hypermail/linux/kernel/0411.1/1222.html" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.4.22.41mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.4.25.13mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.4.28.0.rc1.5mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.6.3.25mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.6.8.1.24mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.22.41mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.25.13mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.28.0.rc1.5mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.6.3.25mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.6.8.1.24mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i586-up-1GB-2.4.28.0.rc1.5mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i586-up-1GB-2.6.8.1.24mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.4.22.41mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.4.25.13mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.6.3.25mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-64GB-2.6.8.1.24mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.4.22.41mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.4.25.13mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.6.3.25mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-secure-2.4.22.41mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-secure-2.6.3.25mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-secure-2.6.8.1.24mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.4.22.41mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.4.25.13mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.4.28.0.rc1.5mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.6.3.25mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.6.8.1.24mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-2.4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-2.6"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-stripped"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-stripped-2.6"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:module-init-tools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2"); script_set_attribute(attribute:"patch_publication_date", value:"2005/01/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64\|i[3-6]86\|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK10.0", reference:"kernel-2.4.25.13mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"kernel-2.6.3.25mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-enterprise-2.4.25.13mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-enterprise-2.6.3.25mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-i686-up-4GB-2.4.25.13mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-i686-up-4GB-2.6.3.25mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-p3-smp-64GB-2.4.25.13mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-p3-smp-64GB-2.6.3.25mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"kernel-secure-2.6.3.25mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"kernel-smp-2.4.25.13mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"kernel-smp-2.6.3.25mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"kernel-source-2.4.25-13mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"kernel-source-stripped-2.6.3-25mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"module-init-tools-3.0-1.2.1.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"kernel-2.4.28.0.rc1.5mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"kernel-2.6.8.1.24mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"kernel-enterprise-2.4.28.0.rc1.5mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"kernel-enterprise-2.6.8.1.24mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"kernel-i586-up-1GB-2.4.28.0.rc1.5mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"kernel-i586-up-1GB-2.6.8.1.24mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"kernel-i686-up-64GB-2.6.8.1.24mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"kernel-secure-2.6.8.1.24mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"kernel-smp-2.4.28.0.rc1.5mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"kernel-smp-2.6.8.1.24mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"kernel-source-2.4-2.4.28-0.rc1.5mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"kernel-source-2.6-2.6.8.1-24mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"kernel-source-stripped-2.6-2.6.8.1-24mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"kernel-2.4.22.41mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"kernel-enterprise-2.4.22.41mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"kernel-i686-up-4GB-2.4.22.41mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"kernel-p3-smp-64GB-2.4.22.41mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"kernel-secure-2.4.22.41mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"kernel-smp-2.4.22.41mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"kernel-source-2.4.22-41mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1069.NASL
description	Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0427 A local denial of service vulnerability in do_fork() has been found. - CVE-2005-0489 A local denial of service vulnerability in proc memory handling has been found. - CVE-2004-0394 A buffer overflow in the panic handling code has been found. - CVE-2004-0447 A local denial of service vulnerability through a NULL pointer dereference in the IA64 process handling code has been found. - CVE-2004-0554 A local denial of service vulnerability through an infinite loop in the signal handler code has been found. - CVE-2004-0565 An information leak in the context switch code has been found on the IA64 architecture. - CVE-2004-0685 Unsafe use of copy_to_user in USB drivers may disclose sensitive information. - CVE-2005-0001 A race condition in the i386 page fault handler may allow privilege escalation. - CVE-2004-0883 Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure. - CVE-2004-0949 An information leak discovered in the SMB filesystem code. - CVE-2004-1016 A local denial of service vulnerability has been found in the SCM layer. - CVE-2004-1333 An integer overflow in the terminal code may allow a local denial of service vulnerability. - CVE-2004-0997 A local privilege escalation in the MIPS assembly code has been found. - CVE-2004-1335 A memory leak in the ip_options_get() function may lead to denial of service. - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2003-0984 Inproper initialization of the RTC may disclose information. - CVE-2004-1070 Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation. - CVE-2004-1071 Incorrect error handling in the binfmt_elf loader may lead to privilege escalation. - CVE-2004-1072 A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service. - CVE-2004-1073 The open_exec function may disclose information. - CVE-2004-1074 The binfmt code is vulnerable to denial of service through malformed a.out binaries. - CVE-2004-0138 A denial of service vulnerability in the ELF loader has been found. - CVE-2004-1068 A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation. - CVE-2004-1234 The ELF loader is vulnerable to denial of service through malformed binaries. - CVE-2005-0003 Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions. - CVE-2004-1235 A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation. - CVE-2005-0504 An integer overflow in the Moxa driver may lead to privilege escalation. - CVE-2005-0384 A remote denial of service vulnerability has been found in the PPP driver. - CVE-2005-0135 An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function. The following matrix explains which kernel version for which architecture fixes the problems mentioned above : Debian 3.0 (woody) Source 2.4.18-14.4 Alpha architecture 2.4.18-15woody1 Intel IA-32 architecture 2.4.18-13.2 HP Precision architecture 62.4 PowerPC architecture 2.4.18-1woody6 PowerPC architecture/XFS 20020329woody1 PowerPC architecture/benh 20020304woody1 Sun Sparc architecture 22woody1
last seen	2020-06-01
modified	2020-06-02
plugin id	22611
published	2006-10-14
reporter	This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/22611
title	Debian DSA-1069-1 : kernel-source-2.4.18 - several vulnerabilities
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1069. The text # itself is copyright (C) Software in the Public Interest, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(22611); script_version("1.18"); script_cvs_date("Date: 2019/08/02 13:32:19"); script_cve_id("CVE-2003-0984", "CVE-2004-0138", "CVE-2004-0394", "CVE-2004-0427", "CVE-2004-0447", "CVE-2004-0554", "CVE-2004-0565", "CVE-2004-0685", "CVE-2004-0883", "CVE-2004-0949", "CVE-2004-0997", "CVE-2004-1016", "CVE-2004-1017", "CVE-2004-1068", "CVE-2004-1070", "CVE-2004-1071", "CVE-2004-1072", "CVE-2004-1073", "CVE-2004-1074", "CVE-2004-1234", "CVE-2004-1235", "CVE-2004-1333", "CVE-2004-1335", "CVE-2005-0001", "CVE-2005-0003", "CVE-2005-0124", "CVE-2005-0135", "CVE-2005-0384", "CVE-2005-0489", "CVE-2005-0504"); script_xref(name:"DSA", value:"1069"); script_name(english:"Debian DSA-1069-1 : kernel-source-2.4.18 - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0427 A local denial of service vulnerability in do_fork() has been found. - CVE-2005-0489 A local denial of service vulnerability in proc memory handling has been found. - CVE-2004-0394 A buffer overflow in the panic handling code has been found. - CVE-2004-0447 A local denial of service vulnerability through a NULL pointer dereference in the IA64 process handling code has been found. - CVE-2004-0554 A local denial of service vulnerability through an infinite loop in the signal handler code has been found. - CVE-2004-0565 An information leak in the context switch code has been found on the IA64 architecture. - CVE-2004-0685 Unsafe use of copy_to_user in USB drivers may disclose sensitive information. - CVE-2005-0001 A race condition in the i386 page fault handler may allow privilege escalation. - CVE-2004-0883 Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure. - CVE-2004-0949 An information leak discovered in the SMB filesystem code. - CVE-2004-1016 A local denial of service vulnerability has been found in the SCM layer. - CVE-2004-1333 An integer overflow in the terminal code may allow a local denial of service vulnerability. - CVE-2004-0997 A local privilege escalation in the MIPS assembly code has been found. - CVE-2004-1335 A memory leak in the ip_options_get() function may lead to denial of service. - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2003-0984 Inproper initialization of the RTC may disclose information. - CVE-2004-1070 Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation. - CVE-2004-1071 Incorrect error handling in the binfmt_elf loader may lead to privilege escalation. - CVE-2004-1072 A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service. - CVE-2004-1073 The open_exec function may disclose information. - CVE-2004-1074 The binfmt code is vulnerable to denial of service through malformed a.out binaries. - CVE-2004-0138 A denial of service vulnerability in the ELF loader has been found. - CVE-2004-1068 A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation. - CVE-2004-1234 The ELF loader is vulnerable to denial of service through malformed binaries. - CVE-2005-0003 Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions. - CVE-2004-1235 A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation. - CVE-2005-0504 An integer overflow in the Moxa driver may lead to privilege escalation. - CVE-2005-0384 A remote denial of service vulnerability has been found in the PPP driver. - CVE-2005-0135 An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function. The following matrix explains which kernel version for which architecture fixes the problems mentioned above : Debian 3.0 (woody) Source 2.4.18-14.4 Alpha architecture 2.4.18-15woody1 Intel IA-32 architecture 2.4.18-13.2 HP Precision architecture 62.4 PowerPC architecture 2.4.18-1woody6 PowerPC architecture/XFS 20020329woody1 PowerPC architecture/benh 20020304woody1 Sun Sparc architecture 22woody1" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0427" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0489" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0394" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0447" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0554" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0565" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0685" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0001" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0883" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0949" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1016" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1333" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0997" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1335" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1017" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0124" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2003-0984" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1070" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1071" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1072" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1073" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1074" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-0138" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1068" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1234" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0003" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1235" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0504" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0384" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-0135" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-1069" ); script_set_attribute( attribute:"solution", value:"Upgrade the kernel package immediately and reboot the machine." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.18-1-alpha"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.18-1-i386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.18-hppa"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-image-2.4.18-powerpc-xfs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-patch-2.4.18-powerpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-patch-benh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-source-2.4.18"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2006/05/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/01/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"kernel-doc-2.4.18", reference:"2.4.18-14.4")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18", reference:"2.4.18-1woody6")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1-386", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1-586tsc", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1-686", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1-686-smp", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1-generic", reference:"2.4.18-15woody1")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1-k6", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1-k7", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-headers-2.4.18-1-smp", reference:"2.4.18-15woody1")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-1-386", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-1-586tsc", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-1-686", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-1-686-smp", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-1-generic", reference:"2.4.18-15woody1")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-1-k6", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-1-k7", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-1-smp", reference:"2.4.18-15woody1")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-newpmac", reference:"2.4.18-1woody6")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-powerpc", reference:"2.4.18-1woody6")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-powerpc-smp", reference:"2.4.18-1woody6")) flag++; if (deb_check(release:"3.0", prefix:"kernel-image-2.4.18-powerpc-xfs", reference:"20020329woody1")) flag++; if (deb_check(release:"3.0", prefix:"kernel-patch-2.4.18-powerpc", reference:"2.4.18-1woody6")) flag++; if (deb_check(release:"3.0", prefix:"kernel-patch-benh", reference:"20020304woody1")) flag++; if (deb_check(release:"3.0", prefix:"kernel-pcmcia-modules-2.4.18-1-386", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-pcmcia-modules-2.4.18-1-586tsc", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-pcmcia-modules-2.4.18-1-686", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-pcmcia-modules-2.4.18-1-686-smp", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-pcmcia-modules-2.4.18-1-k6", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-pcmcia-modules-2.4.18-1-k7", reference:"2.4.18-13.2")) flag++; if (deb_check(release:"3.0", prefix:"kernel-source-2.4.18", reference:"2.4.18-14.4")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

Oval

accepted

2013-04-29T04:21:51.717-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 3
oval oval:org.mitre.oval:def:11782
comment CentOS Linux 3.x
oval oval:org.mitre.oval:def:16651

description

The binfmt functionality in the Linux kernel, when "memory overcommit" is enabled, allows local users to cause a denial of service (kernel oops) via a malformed a.out binary.

family

unix

oval:org.mitre.oval:def:9751

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

The binfmt functionality in the Linux kernel, when "memory overcommit" is enabled, allows local users to cause a denial of service (kernel oops) via a malformed a.out binary.

version

Redhat

rpms

kernel-0:2.4.21-27.0.2.EL
kernel-BOOT-0:2.4.21-27.0.2.EL
kernel-debuginfo-0:2.4.21-27.0.2.EL
kernel-doc-0:2.4.21-27.0.2.EL
kernel-hugemem-0:2.4.21-27.0.2.EL
kernel-hugemem-unsupported-0:2.4.21-27.0.2.EL
kernel-smp-0:2.4.21-27.0.2.EL
kernel-smp-unsupported-0:2.4.21-27.0.2.EL
kernel-source-0:2.4.21-27.0.2.EL
kernel-unsupported-0:2.4.21-27.0.2.EL

Summary

Vulnerable Configurations

Exploit-Db

Nessus

Oval

Redhat

References