Vulnerabilities > CVE-2005-0209 - Improper Input Validation vulnerability in Linux Kernel 2.6.8.1

CVSS 7.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

COMPLETE

network

low complexity

linux

CWE-20

nessus

NVD

Published: 2005-05-02

Updated: 2017-10-11

Summary

Netfilter in Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via crafted IP packet fragments.

Vulnerable Configurations

Part	Description	Count
OS	Linux Linux Linux Kernel 2.6.8.1	1

Common Weakness Enumeration (CWE)

CWE-20 - Improper Input Validation

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Server Side Include (SSI) Injection
An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
Cross Site Scripting through Log Files
An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
Command Line Execution through SQL Injection
An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Nessus

NASL family	SuSE Local Security Checks
NASL id	SUSE_SA_2005_018.NASL
description	The remote host is missing the patch for the advisory SUSE-SA:2005:018 (kernel). The Linux kernel is the core component of the Linux system. Several vulnerabilities were reported in the last few weeks which are fixed by this update.
last seen	2020-06-01
modified	2020-06-02
plugin id	17617
published	2005-03-25
reporter	This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/17617
title	SUSE-SA:2005:018: kernel
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2005:018 # if ( ! defined_func("bn_random") ) exit(0); include("compat.inc"); if(description) { script_id(17617); script_version ("1.12"); script_cve_id("CVE-2004-0814", "CVE-2004-1333", "CVE-2005-0003", "CVE-2005-0209", "CVE-2005-0210", "CVE-2005-0384", "CVE-2005-0449", "CVE-2005-0504", "CVE-2005-0529", "CVE-2005-0530", "CVE-2005-0532"); name["english"] = "SUSE-SA:2005:018: kernel"; script_name(english:name["english"]); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a vendor-supplied security patch" ); script_set_attribute(attribute:"description", value: "The remote host is missing the patch for the advisory SUSE-SA:2005:018 (kernel). The Linux kernel is the core component of the Linux system. Several vulnerabilities were reported in the last few weeks which are fixed by this update." ); script_set_attribute(attribute:"solution", value: "http://www.suse.de/security/advisories/2005_18_kernel.html" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_cwe_id(20, 119, 399); script_set_attribute(attribute:"plugin_publication_date", value: "2005/03/25"); script_cvs_date("Date: 2019/10/25 13:36:28"); script_end_attributes(); summary["english"] = "Check for the version of the kernel package"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); family["english"] = "SuSE Local Security Checks"; script_family(english:family["english"]); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/SuSE/rpm-list"); exit(0); } include("rpm.inc"); if ( rpm_check( reference:"k_athlon-2.4.20-131", release:"SUSE8.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"k_deflt-2.4.20-131", release:"SUSE8.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"k_psmp-2.4.20-131", release:"SUSE8.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"k_smp-2.4.20-131", release:"SUSE8.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-source-2.4.20.SuSE-131", release:"SUSE8.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"Intel-536ep-4.62-23", release:"SUSE9.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"Intel-v92ham-4.53-23", release:"SUSE9.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"k_athlon-2.4.21-280", release:"SUSE9.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"k_deflt-2.4.21-280", release:"SUSE9.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"k_smp-2.4.21-280", release:"SUSE9.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"k_smp4G-2.4.21-280", release:"SUSE9.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"k_um-2.4.21-280", release:"SUSE9.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-source-2.4.21-280", release:"SUSE9.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"ltmodem-8.26a-212", release:"SUSE9.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-bigsmp-2.6.5-7.151", release:"SUSE9.1") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-default-2.6.5-7.151", release:"SUSE9.1") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-smp-2.6.5-7.151", release:"SUSE9.1") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-source-2.6.5-7.151", release:"SUSE9.1") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-syms-2.6.5-7.151", release:"SUSE9.1") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"ltmodem-2.6.2-38.14", release:"SUSE9.1") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-docs-2.6.5-7.151", release:"SUSE9.1") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"Intel-536ep-4.69-5.6", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-bigsmp-2.6.8-24.13", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-bigsmp-nongpl-2.6.8-24.13", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-default-2.6.8-24.13", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-default-nongpl-2.6.8-24.13", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-smp-2.6.8-24.13", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-smp-nongpl-2.6.8-24.13", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-source-2.6.8-24.13", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-syms-2.6.8-24.13", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-um-2.6.8-24.13", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-um-nongpl-2.6.8-24.13", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"ltmodem-8.31a8-6.6", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"um-host-install-initrd-1.0-48.6", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"um-host-kernel-2.6.8-24.13", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kernel-docs-2.6.8-24.13", release:"SUSE9.2") ) { security_hole(0); exit(0); } if (rpm_exists(rpm:"kernel-", release:"SUSE8.2") \|\| rpm_exists(rpm:"kernel-", release:"SUSE9.0") \|\| rpm_exists(rpm:"kernel-", release:"SUSE9.1") \|\| rpm_exists(rpm:"kernel-", release:"SUSE9.2") ) { set_kb_item(name:"CVE-2004-0814", value:TRUE); set_kb_item(name:"CVE-2004-1333", value:TRUE); set_kb_item(name:"CVE-2005-0003", value:TRUE); set_kb_item(name:"CVE-2005-0209", value:TRUE); set_kb_item(name:"CVE-2005-0210", value:TRUE); set_kb_item(name:"CVE-2005-0384", value:TRUE); set_kb_item(name:"CVE-2005-0449", value:TRUE); set_kb_item(name:"CVE-2005-0504", value:TRUE); set_kb_item(name:"CVE-2005-0529", value:TRUE); set_kb_item(name:"CVE-2005-0530", value:TRUE); set_kb_item(name:"CVE-2005-0532", value:TRUE); }

NASL family	Mandriva Local Security Checks
NASL id	MANDRAKE_MDKSA-2005-111.NASL
description	Multiple vulnerabilities in the Linux kernel have been discovered and fixed in this update. The following have been fixed in the 2.4 kernels : Colin Percival discovered a vulnerability in Intel
last seen	2020-06-01
modified	2020-06-02
plugin id	18599
published	2005-07-01
reporter	This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/18599
title	Mandrake Linux Security Advisory : kernel-2.4 (MDKSA-2005:111)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2005:111. # The text itself is copyright (C) Mandriva S.A. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(18599); script_version ("1.23"); script_cvs_date("Date: 2019/08/02 13:32:47"); script_cve_id("CVE-2005-0109", "CVE-2005-0209", "CVE-2005-0384", "CVE-2005-0400", "CVE-2005-0530", "CVE-2005-0531", "CVE-2005-0749", "CVE-2005-0750", "CVE-2005-0767", "CVE-2005-1263"); script_xref(name:"MDKSA", value:"2005:111"); script_name(english:"Mandrake Linux Security Advisory : kernel-2.4 (MDKSA-2005:111)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Multiple vulnerabilities in the Linux kernel have been discovered and fixed in this update. The following have been fixed in the 2.4 kernels : Colin Percival discovered a vulnerability in Intel's Hyper-Threading technology could allow a local user to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys via a timing attack on memory cache misses. This has been corrected by disabling HT support in all kernels (CVE-2005-0109). When forwarding fragmented packets, a hardware assisted checksum could only be used once which could lead to a Denial of Service attack or crash by remote users (CVE-2005-0209). A flaw in the Linux PPP driver was found where on systems allowing remote users to connect to a server via PPP, a remote client could cause a crash, resulting in a Denial of Service (CVE-2005-0384). An information leak in the ext2 filesystem code was found where when a new directory is created, the ext2 block written to disk is not initialized (CVE-2005-0400). A signedness error in the copy_from_read_buf function in n_tty.c allows local users to read kernel memory via a negative argument (CVE-2005-0530). George Guninski discovered a buffer overflow in the ATM driver where the atm_get_addr() function does not validate its arguments sufficiently which could allow a local attacker to overwrite large portions of kernel memory by supplying a negative length argument. This could potentially lead to the execution of arbitrary code (CVE-2005-0531). A flaw when freeing a pointer in load_elf_library was found that could be abused by a local user to potentially crash the machine causing a Denial of Service (CVE-2005-0749). A problem with the Bluetooth kernel stack in kernels 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 could be used by a local attacker to gain root access or crash the machine (CVE-2005-0750). A race condition in the Radeon DRI driver allows a local user with DRI privileges to execute arbitrary code as root (CVE-2005-0767). Paul Starzetz found an integer overflow in the ELF binary format loader's code dump function in kernels prior to and including 2.4.31-pre1 and 2.6.12-rc4. By creating and executing a specially crafted ELF executable, a local attacker could exploit this to execute arbitrary code with root and kernel privileges (CVE-2005-1263)." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_cwe_id(20); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.4.25.14mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.4.28.0.rc1.6mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.25.14mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.28.0.rc1.6mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i586-up-1GB-2.4.28.0.rc1.6mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.4.25.14mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.4.25.14mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.4.25.14mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.4.28.0.rc1.6mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-2.4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1"); script_set_attribute(attribute:"patch_publication_date", value:"2005/06/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/01"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64\|i[3-6]86\|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK10.0", reference:"kernel-2.4.25.14mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-enterprise-2.4.25.14mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-i686-up-4GB-2.4.25.14mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-p3-smp-64GB-2.4.25.14mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"kernel-smp-2.4.25.14mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"kernel-source-2.4.25-14mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"kernel-2.4.28.0.rc1.6mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"kernel-enterprise-2.4.28.0.rc1.6mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"kernel-i586-up-1GB-2.4.28.0.rc1.6mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"kernel-smp-2.4.28.0.rc1.6mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"kernel-source-2.4-2.4.28-0.rc1.6mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2005-420.NASL
description	Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 4. This is the first regular update. [Updated 9 August 2005] The advisory text has been updated to show that this update also contained fixes for the security issues named CVE-2005-0209 and CVE-2005-0937. No changes have been made to the packages associated with this advisory. The Linux kernel handles the basic functions of the operating system. This is the first regular kernel update to Red Hat Enterprise Linux 4. A flaw affecting the auditing code was discovered. On Itanium architectures a local user could use this flaw to cause a denial of service (crash). This issue is rated as having important security impact (CVE-2005-0136). A flaw was discovered in the servicing of a raw device ioctl. A local user who has access to raw devices could use this flaw to write to kernel memory and cause a denial of service or potentially gain privileges. This issue is rated as having moderate security impact (CVE-2005-1264). A flaw in fragment forwarding was discovered that affected the netfilter subsystem for certain network interface cards. A remote attacker could send a set of bad fragments and cause a denial of service (system crash). Acenic and SunGEM network interfaces were the only adapters affected, which are in widespread use. (CVE-2005-0209) A flaw in the futex functions was discovered affecting the Linux 2.6 kernel. A local user could use this flaw to cause a denial of service (system crash). (CVE-2005-0937) New features introduced by this update include: - Fixed TCP BIC congestion handling. - Diskdump support for more controllers (megaraid, SATA) - Device mapper multipath support - AMD64 dual core support. - Intel ICH7 hardware support. There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4. The following device drivers have been upgraded to new versions: ata_piix -------- 1.03 bonding --------- 2.6.1 e1000 ----------- 5.6.10.1-k2-NAPI e100 ------------ 3.3.6-k2-NAPI ibmveth --------- 1.03 libata ---------- 1.02 to 1.10 lpfc ------------ 0:8.0.16 to 0:8.0.16.6_x2 megaraid_mbox --- 2.20.4.0 to 2.20.4.5 megaraid_mm ----- 2.20.2.0-rh1 to 2.20.2.5 sata_nv --------- 0.03 to 0.6 sata_promise ---- 1.00 to 1.01 sata_sil -------- 0.8 sata_sis -------- 0.5 sata_svw -------- 1.05 sata_sx4 -------- 0.7 sata_via -------- 1.0 sata_vsc -------- 1.0 tg3 ------------- 3.22-rh ipw2100 --------- 1.0.3 ipw2200 --------- 1.0.0 All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
last seen	2020-06-01
modified	2020-06-02
plugin id	21937
published	2006-07-05
reporter	This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/21937
title	CentOS 4 : kernel (CESA-2005:420)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2005:420 and # CentOS Errata and Security Advisory 2005:420 respectively. # include("compat.inc"); if (description) { script_id(21937); script_version("1.19"); script_cvs_date("Date: 2019/10/25 13:36:02"); script_cve_id("CVE-2005-0136", "CVE-2005-0209", "CVE-2005-0937", "CVE-2005-1264", "CVE-2005-3107"); script_xref(name:"RHSA", value:"2005:420"); script_name(english:"CentOS 4 : kernel (CESA-2005:420)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 4. This is the first regular update. [Updated 9 August 2005] The advisory text has been updated to show that this update also contained fixes for the security issues named CVE-2005-0209 and CVE-2005-0937. No changes have been made to the packages associated with this advisory. The Linux kernel handles the basic functions of the operating system. This is the first regular kernel update to Red Hat Enterprise Linux 4. A flaw affecting the auditing code was discovered. On Itanium architectures a local user could use this flaw to cause a denial of service (crash). This issue is rated as having important security impact (CVE-2005-0136). A flaw was discovered in the servicing of a raw device ioctl. A local user who has access to raw devices could use this flaw to write to kernel memory and cause a denial of service or potentially gain privileges. This issue is rated as having moderate security impact (CVE-2005-1264). A flaw in fragment forwarding was discovered that affected the netfilter subsystem for certain network interface cards. A remote attacker could send a set of bad fragments and cause a denial of service (system crash). Acenic and SunGEM network interfaces were the only adapters affected, which are in widespread use. (CVE-2005-0209) A flaw in the futex functions was discovered affecting the Linux 2.6 kernel. A local user could use this flaw to cause a denial of service (system crash). (CVE-2005-0937) New features introduced by this update include: - Fixed TCP BIC congestion handling. - Diskdump support for more controllers (megaraid, SATA) - Device mapper multipath support - AMD64 dual core support. - Intel ICH7 hardware support. There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4. The following device drivers have been upgraded to new versions: ata_piix -------- 1.03 bonding --------- 2.6.1 e1000 ----------- 5.6.10.1-k2-NAPI e100 ------------ 3.3.6-k2-NAPI ibmveth --------- 1.03 libata ---------- 1.02 to 1.10 lpfc ------------ 0:8.0.16 to 0:8.0.16.6_x2 megaraid_mbox --- 2.20.4.0 to 2.20.4.5 megaraid_mm ----- 2.20.2.0-rh1 to 2.20.2.5 sata_nv --------- 0.03 to 0.6 sata_promise ---- 1.00 to 1.01 sata_sil -------- 0.8 sata_sis -------- 0.5 sata_svw -------- 1.05 sata_sx4 -------- 0.7 sata_via -------- 1.0 sata_vsc -------- 1.0 tg3 ------------- 3.22-rh ipw2100 --------- 1.0.3 ipw2200 --------- 1.0.0 All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum." ); # https://lists.centos.org/pipermail/centos-announce/2005-June/011800.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?d0f01fcc" ); # https://lists.centos.org/pipermail/centos-announce/2005-June/011803.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?da27f3ba" ); # https://lists.centos.org/pipermail/centos-announce/2005-June/011808.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6c64534e" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_cwe_id(20); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-hugemem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-hugemem-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-smp-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-sourcecode"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/22"); script_set_attribute(attribute:"patch_publication_date", value:"2005/06/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/05"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) \|\| "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^4([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-4", reference:"kernel-2.6.9-11.EL")) flag++; if (rpm_check(release:"CentOS-4", reference:"kernel-devel-2.6.9-11.EL")) flag++; if (rpm_check(release:"CentOS-4", reference:"kernel-doc-2.6.9-11.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-hugemem-2.6.9-11.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-hugemem-devel-2.6.9-11.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-smp-2.6.9-11.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-smp-2.6.9-11.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-smp-devel-2.6.9-11.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-smp-devel-2.6.9-11.EL")) flag++; if (rpm_check(release:"CentOS-4", reference:"kernel-sourcecode-2.6.9-11.EL")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-devel / kernel-doc / kernel-hugemem / etc"); }

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2005-366.NASL
description	Updated kernel packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 9 August 2005] The advisory text has been updated to show that this update fixed the security issue named CVE-2005-0210 but not CVE-2005-0209. The issue CVE-2005-0209 was actually fixed by RHSA-2005:420. No changes have been made to the packages associated with this advisory. The Linux kernel handles the basic functions of the operating system. A flaw in the fib_seq_start function was discovered. A local user could use this flaw to cause a denial of service (system crash) via /proc/net/route. (CVE-2005-1041) A flaw in the tmpfs file system was discovered. A local user could use this flaw to cause a denial of service (system crash). (CVE-2005-0977) An integer overflow flaw was found when writing to a sysfs file. A local user could use this flaw to overwrite kernel memory, causing a denial of service (system crash) or arbitrary code execution. (CVE-2005-0867) Keith Owens reported a flaw in the Itanium unw_unwind_to_user function. A local user could use this flaw to cause a denial of service (system crash) on Itanium architectures. (CVE-2005-0135) A flaw in the NFS client O_DIRECT error case handling was discovered. A local user could use this flaw to cause a denial of service (system crash). (CVE-2005-0207) A small memory leak when defragmenting local packets was discovered that affected the Linux 2.6 kernel netfilter subsystem. A local user could send a large number of carefully crafted fragments leading to memory exhaustion (CVE-2005-0210) A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CVE-2005-0384) A flaw was discovered in the ext2 file system code. When a new directory is created, the ext2 block written to disk is not initialized, which could lead to an information leak if a disk image is made available to unprivileged users. (CVE-2005-0400) A flaw in fragment queuing was discovered that affected the Linux kernel netfilter subsystem. On systems configured to filter or process network packets (e.g. firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to sucessfully exploit this flaw, the attacker would need to know or guess some aspects of the firewall ruleset on the target system. (CVE-2005-0449) A number of flaws were found in the Linux 2.6 kernel. A local user could use these flaws to read kernel memory or cause a denial of service (crash). (CVE-2005-0529, CVE-2005-0530, CVE-2005-0531) An integer overflow in sys_epoll_wait in eventpoll.c was discovered. A local user could use this flaw to overwrite low kernel memory. This memory is usually unused, not usually resulting in a security consequence. (CVE-2005-0736) A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (crash). (CVE-2005-0749) A flaw was discovered in the bluetooth driver system. On systems where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CVE-2005-0750) A race condition was discovered that affected the Radeon DRI driver. A local user who has DRI privileges on a Radeon graphics card may be able to use this flaw to gain root privileges. (CVE-2005-0767) Multiple range checking flaws were discovered in the iso9660 file system handler. An attacker could create a malicious file system image which would cause a denial or service or potentially execute arbitrary code if mounted. (CVE-2005-0815) A flaw was discovered when setting line discipline on a serial tty. A local user may be able to use this flaw to inject mouse movements or keystrokes when another user is logged in. (CVE-2005-0839) Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Please note that
last seen	2020-06-01
modified	2020-06-02
plugin id	18095
published	2005-04-19
reporter	This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/18095
title	RHEL 4 : kernel (RHSA-2005:366)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-95-1.NASL
description	A remote Denial of Service vulnerability was discovered in the Netfilter IP packet handler. This allowed a remote attacker to crash the machine by sending specially crafted IP packet fragments. (CAN-2005-0209) The Netfilter code also contained a memory leak. Certain locally generated packet fragments are reassembled twice, which caused a double allocation of a data structure. This could be locally exploited to crash the machine due to kernel memory exhaustion. (CAN-2005-0210) Ben Martel and Stephen Blackheath found a remote Denial of Service vulnerability in the PPP driver. This allowed a malicious pppd client to crash the server machine. (CAN-2005-0384) Georgi Guninski discovered a buffer overflow in the ATM driver. The atm_get_addr() function does not validate its arguments sufficiently, which could allow a local attacker to overwrite large portions of kernel memory by supplying a negative length argument. This could eventually lead to arbitrary code execution. (CAN-2005-0531) Georgi Guninski also discovered three other integer comparison problems in the TTY layer, in the /proc interface and the ReiserFS driver. However, the previous Ubuntu security update (kernel version 2.6.8.1-16.11) already contained a patch which checks the arguments to these functions at a higher level and thus prevents these flaws from being exploited. (CAN-2005-0529, CAN-2005-0530, CAN-2005-0532) Georgi Guninski discovered an integer overflow in the sys_epoll_wait() function which allowed local users to overwrite the first few kB of physical memory. However, very few applications actually use this space (dosemu is a notable exception), but potentially this could lead to privilege escalation. (CAN-2005-0736) Eric Anholt discovered a race condition in the Radeon DRI driver. In some cases this allowed a local user with DRI privileges on a Radeon card to execute arbitrary code with root privileges. Finally this update fixes a regression in the NFS server driver which was introduced in the previous security update (kernel version 2.6.8.1-16.11). We apologize for the inconvenience. (https://bugzilla.ubuntulinux.org/show_bug.cgi?id=6749) Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	20721
published	2006-01-15
reporter	Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/20721
title	Ubuntu 4.10 : linux-source-2.6.8.1 vulnerabilities (USN-95-1)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2005-366.NASL
description	Updated kernel packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 9 August 2005] The advisory text has been updated to show that this update fixed the security issue named CVE-2005-0210 but not CVE-2005-0209. The issue CVE-2005-0209 was actually fixed by RHSA-2005:420. No changes have been made to the packages associated with this advisory. The Linux kernel handles the basic functions of the operating system. A flaw in the fib_seq_start function was discovered. A local user could use this flaw to cause a denial of service (system crash) via /proc/net/route. (CVE-2005-1041) A flaw in the tmpfs file system was discovered. A local user could use this flaw to cause a denial of service (system crash). (CVE-2005-0977) An integer overflow flaw was found when writing to a sysfs file. A local user could use this flaw to overwrite kernel memory, causing a denial of service (system crash) or arbitrary code execution. (CVE-2005-0867) Keith Owens reported a flaw in the Itanium unw_unwind_to_user function. A local user could use this flaw to cause a denial of service (system crash) on Itanium architectures. (CVE-2005-0135) A flaw in the NFS client O_DIRECT error case handling was discovered. A local user could use this flaw to cause a denial of service (system crash). (CVE-2005-0207) A small memory leak when defragmenting local packets was discovered that affected the Linux 2.6 kernel netfilter subsystem. A local user could send a large number of carefully crafted fragments leading to memory exhaustion (CVE-2005-0210) A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CVE-2005-0384) A flaw was discovered in the ext2 file system code. When a new directory is created, the ext2 block written to disk is not initialized, which could lead to an information leak if a disk image is made available to unprivileged users. (CVE-2005-0400) A flaw in fragment queuing was discovered that affected the Linux kernel netfilter subsystem. On systems configured to filter or process network packets (e.g. firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to sucessfully exploit this flaw, the attacker would need to know or guess some aspects of the firewall ruleset on the target system. (CVE-2005-0449) A number of flaws were found in the Linux 2.6 kernel. A local user could use these flaws to read kernel memory or cause a denial of service (crash). (CVE-2005-0529, CVE-2005-0530, CVE-2005-0531) An integer overflow in sys_epoll_wait in eventpoll.c was discovered. A local user could use this flaw to overwrite low kernel memory. This memory is usually unused, not usually resulting in a security consequence. (CVE-2005-0736) A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (crash). (CVE-2005-0749) A flaw was discovered in the bluetooth driver system. On systems where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CVE-2005-0750) A race condition was discovered that affected the Radeon DRI driver. A local user who has DRI privileges on a Radeon graphics card may be able to use this flaw to gain root privileges. (CVE-2005-0767) Multiple range checking flaws were discovered in the iso9660 file system handler. An attacker could create a malicious file system image which would cause a denial or service or potentially execute arbitrary code if mounted. (CVE-2005-0815) A flaw was discovered when setting line discipline on a serial tty. A local user may be able to use this flaw to inject mouse movements or keystrokes when another user is logged in. (CVE-2005-0839) Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Please note that
last seen	2020-06-01
modified	2020-06-02
plugin id	21928
published	2006-07-05
reporter	This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/21928
title	CentOS 3 / 4 : kernel (CESA-2005:366)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2005-420.NASL
description	Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 4. This is the first regular update. [Updated 9 August 2005] The advisory text has been updated to show that this update also contained fixes for the security issues named CVE-2005-0209 and CVE-2005-0937. No changes have been made to the packages associated with this advisory. The Linux kernel handles the basic functions of the operating system. This is the first regular kernel update to Red Hat Enterprise Linux 4. A flaw affecting the auditing code was discovered. On Itanium architectures a local user could use this flaw to cause a denial of service (crash). This issue is rated as having important security impact (CVE-2005-0136). A flaw was discovered in the servicing of a raw device ioctl. A local user who has access to raw devices could use this flaw to write to kernel memory and cause a denial of service or potentially gain privileges. This issue is rated as having moderate security impact (CVE-2005-1264). A flaw in fragment forwarding was discovered that affected the netfilter subsystem for certain network interface cards. A remote attacker could send a set of bad fragments and cause a denial of service (system crash). Acenic and SunGEM network interfaces were the only adapters affected, which are in widespread use. (CVE-2005-0209) A flaw in the futex functions was discovered affecting the Linux 2.6 kernel. A local user could use this flaw to cause a denial of service (system crash). (CVE-2005-0937) New features introduced by this update include: - Fixed TCP BIC congestion handling. - Diskdump support for more controllers (megaraid, SATA) - Device mapper multipath support - AMD64 dual core support. - Intel ICH7 hardware support. There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4. The following device drivers have been upgraded to new versions: ata_piix -------- 1.03 bonding --------- 2.6.1 e1000 ----------- 5.6.10.1-k2-NAPI e100 ------------ 3.3.6-k2-NAPI ibmveth --------- 1.03 libata ---------- 1.02 to 1.10 lpfc ------------ 0:8.0.16 to 0:8.0.16.6_x2 megaraid_mbox --- 2.20.4.0 to 2.20.4.5 megaraid_mm ----- 2.20.2.0-rh1 to 2.20.2.5 sata_nv --------- 0.03 to 0.6 sata_promise ---- 1.00 to 1.01 sata_sil -------- 0.8 sata_sis -------- 0.5 sata_svw -------- 1.05 sata_sx4 -------- 0.7 sata_via -------- 1.0 sata_vsc -------- 1.0 tg3 ------------- 3.22-rh ipw2100 --------- 1.0.3 ipw2200 --------- 1.0.0 All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
last seen	2020-06-01
modified	2020-06-02
plugin id	18444
published	2005-06-10
reporter	This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/18444
title	RHEL 4 : kernel (RHSA-2005:420)

NASL family	Mandriva Local Security Checks
NASL id	MANDRAKE_MDKSA-2005-110.NASL
description	Multiple vulnerabilities in the Linux kernel have been discovered and fixed in this update. The following CVE names have been fixed in the LE2005 kernel : Colin Percival discovered a vulnerability in Intel
last seen	2020-06-01
modified	2020-06-02
plugin id	18598
published	2005-07-01
reporter	This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/18598
title	Mandrake Linux Security Advisory : kernel (MDKSA-2005:110)

Oval

accepted

2013-04-29T04:15:59.089-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990

description

Netfilter in Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via crafted IP packet fragments.

family

unix

oval:org.mitre.oval:def:11855

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

The directory-services functionality in the scheduler in CUPS 1.1.17 and 1.1.22 allows remote attackers to cause a denial of service (cupsd daemon outage or crash) via manipulations of the timing of CUPS browse packets, related to a "pointer use-after-delete flaw."

version

Redhat

advisories

rhsa
id RHSA-2005:366
rhsa
id RHSA-2005:420

rpms

kernel-0:2.6.9-11.EL
kernel-debuginfo-0:2.6.9-11.EL
kernel-devel-0:2.6.9-11.EL
kernel-doc-0:2.6.9-11.EL
kernel-hugemem-0:2.6.9-11.EL
kernel-hugemem-devel-0:2.6.9-11.EL
kernel-smp-0:2.6.9-11.EL
kernel-smp-devel-0:2.6.9-11.EL

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Oval

Redhat

References