Vulnerabilities > CVE-2005-0403 - Unspecified vulnerability in Redhat Enterprise Linux and Enterprise Linux Desktop

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
redhat
nessus

Summary

init_dev in tty_io.c in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3 does not properly clear controlling tty's in multi-threaded applications, which allows local users to cause a denial of service (crash) and possibly gain tty access via unknown attack vectors that trigger an access of a pointer to a freed structure.

Vulnerable Configurations

Part Description Count
OS
Redhat
4

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-293.NASL
    descriptionUpdated kernel packages that fix several security issues in the Red Hat Enterprise Linux 3 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. The following security issues were fixed : The Vicam USB driver did not use the copy_from_user function to access userspace, crossing security boundaries. (CVE-2004-0075) The ext3 and jfs code did not properly initialize journal descriptor blocks. A privileged local user could read portions of kernel memory. (CVE-2004-0177) The terminal layer did not properly lock line discipline changes or pending IO. An unprivileged local user could read portions of kernel memory, or cause a denial of service (system crash). (CVE-2004-0814) A race condition was discovered. Local users could use this flaw to read the environment variables of another process that is still spawning via /proc/.../cmdline. (CVE-2004-1058) A flaw in the execve() syscall handling was discovered, allowing a local user to read setuid ELF binaries that should otherwise be protected by standard permissions. (CVE-2004-1073). Red Hat originally reported this as being fixed by RHSA-2004:549, but the associated fix was missing from that update. Keith Owens reported a flaw in the Itanium unw_unwind_to_user() function. A local user could use this flaw to cause a denial of service (system crash) on the Itanium architecture. (CVE-2005-0135) A missing Itanium syscall table entry could allow an unprivileged local user to cause a denial of service (system crash) on the Itanium architecture. (CVE-2005-0137) A flaw affecting the OUTS instruction on the AMD64 and Intel EM64T architectures was discovered. A local user could use this flaw to access privileged IO ports. (CVE-2005-0204) A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CVE-2005-0384) A flaw in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3 was discovered that left a pointer to a freed tty structure. A local user could potentially use this flaw to cause a denial of service (system crash) or possibly gain read or write access to ttys that should normally be prevented. (CVE-2005-0403) A flaw in fragment queuing was discovered affecting the netfilter subsystem. On systems configured to filter or process network packets (for example those configured to do firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to sucessfully exploit this flaw, the attacker would need to know (or guess) some aspects of the firewall ruleset in place on the target system to be able to craft the right fragmented packets. (CVE-2005-0449) Missing validation of an epoll_wait() system call parameter could allow a local user to cause a denial of service (system crash) on the IBM S/390 and zSeries architectures. (CVE-2005-0736) A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (system crash). (CVE-2005-0749) A flaw was discovered in the bluetooth driver system. On system where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CVE-2005-0750) In addition to the security issues listed above, there was an important fix made to the handling of the msync() system call for a particular case in which the call could return without queuing modified mmap()
    last seen2020-06-01
    modified2020-06-02
    plugin id18128
    published2005-04-25
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/18128
    titleRHEL 3 : kernel (RHSA-2005:293)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:293. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18128);
      script_version ("1.33");
      script_cvs_date("Date: 2019/10/25 13:36:11");
    
      script_cve_id("CVE-2004-0075", "CVE-2004-0177", "CVE-2004-0814", "CVE-2004-1058", "CVE-2004-1073", "CVE-2005-0135", "CVE-2005-0137", "CVE-2005-0204", "CVE-2005-0384", "CVE-2005-0403", "CVE-2005-0449", "CVE-2005-0736", "CVE-2005-0749", "CVE-2005-0750");
      script_xref(name:"RHSA", value:"2005:293");
    
      script_name(english:"RHEL 3 : kernel (RHSA-2005:293)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kernel packages that fix several security issues in the Red
    Hat Enterprise Linux 3 kernel are now available.
    
    This security advisory has been rated as having important security
    impact by the Red Hat Security Response Team.
    
    The Linux kernel handles the basic functions of the operating system.
    
    The following security issues were fixed :
    
    The Vicam USB driver did not use the copy_from_user function to access
    userspace, crossing security boundaries. (CVE-2004-0075)
    
    The ext3 and jfs code did not properly initialize journal descriptor
    blocks. A privileged local user could read portions of kernel memory.
    (CVE-2004-0177)
    
    The terminal layer did not properly lock line discipline changes or
    pending IO. An unprivileged local user could read portions of kernel
    memory, or cause a denial of service (system crash). (CVE-2004-0814)
    
    A race condition was discovered. Local users could use this flaw to
    read the environment variables of another process that is still
    spawning via /proc/.../cmdline. (CVE-2004-1058)
    
    A flaw in the execve() syscall handling was discovered, allowing a
    local user to read setuid ELF binaries that should otherwise be
    protected by standard permissions. (CVE-2004-1073). Red Hat originally
    reported this as being fixed by RHSA-2004:549, but the associated fix
    was missing from that update.
    
    Keith Owens reported a flaw in the Itanium unw_unwind_to_user()
    function. A local user could use this flaw to cause a denial of
    service (system crash) on the Itanium architecture. (CVE-2005-0135)
    
    A missing Itanium syscall table entry could allow an unprivileged
    local user to cause a denial of service (system crash) on the Itanium
    architecture. (CVE-2005-0137)
    
    A flaw affecting the OUTS instruction on the AMD64 and Intel EM64T
    architectures was discovered. A local user could use this flaw to
    access privileged IO ports. (CVE-2005-0204)
    
    A flaw was discovered in the Linux PPP driver. On systems allowing
    remote users to connect to a server using ppp, a remote client could
    cause a denial of service (system crash). (CVE-2005-0384)
    
    A flaw in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3
    was discovered that left a pointer to a freed tty structure. A local
    user could potentially use this flaw to cause a denial of service
    (system crash) or possibly gain read or write access to ttys that
    should normally be prevented. (CVE-2005-0403)
    
    A flaw in fragment queuing was discovered affecting the netfilter
    subsystem. On systems configured to filter or process network packets
    (for example those configured to do firewalling), a remote attacker
    could send a carefully crafted set of fragmented packets to a machine
    and cause a denial of service (system crash). In order to sucessfully
    exploit this flaw, the attacker would need to know (or guess) some
    aspects of the firewall ruleset in place on the target system to be
    able to craft the right fragmented packets. (CVE-2005-0449)
    
    Missing validation of an epoll_wait() system call parameter could
    allow a local user to cause a denial of service (system crash) on the
    IBM S/390 and zSeries architectures. (CVE-2005-0736)
    
    A flaw when freeing a pointer in load_elf_library was discovered. A
    local user could potentially use this flaw to cause a denial of
    service (system crash). (CVE-2005-0749)
    
    A flaw was discovered in the bluetooth driver system. On system where
    the bluetooth modules are loaded, a local user could use this flaw to
    gain elevated (root) privileges. (CVE-2005-0750)
    
    In addition to the security issues listed above, there was an
    important fix made to the handling of the msync() system call for a
    particular case in which the call could return without queuing
    modified mmap()'ed data for file system update. (BZ 147969)
    
    Note: The kernel-unsupported package contains various drivers and
    modules that are unsupported and therefore might contain security
    problems that have not been addressed.
    
    Red Hat Enterprise Linux 3 users are advised to upgrade their kernels
    to the packages associated with their machine
    architectures/configurations
    
    Please note that the fix for CVE-2005-0449 required changing the
    external symbol linkages (kernel module ABI) for the ip_defrag() and
    ip_ct_gather_frags() functions. Any third-party module using either of
    these would also need to be fixed."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0075"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0177"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0814"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1058"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0135"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0137"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0204"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0384"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0403"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0449"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0736"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0749"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0750"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2005:293"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(20);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-BOOT");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem-unsupported");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp-unsupported");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-unsupported");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/03/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/04/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/25");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2004-0075", "CVE-2004-0177", "CVE-2004-0814", "CVE-2004-1058", "CVE-2004-1073", "CVE-2005-0135", "CVE-2005-0137", "CVE-2005-0204", "CVE-2005-0384", "CVE-2005-0403", "CVE-2005-0449", "CVE-2005-0736", "CVE-2005-0749", "CVE-2005-0750");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2005:293");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2005:293";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL3", reference:"kernel-2.4.21-27.0.4.EL")) flag++;
      if (rpm_check(release:"RHEL3", cpu:"i386", reference:"kernel-BOOT-2.4.21-27.0.4.EL")) flag++;
      if (rpm_check(release:"RHEL3", reference:"kernel-doc-2.4.21-27.0.4.EL")) flag++;
      if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-hugemem-2.4.21-27.0.4.EL")) flag++;
      if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-hugemem-unsupported-2.4.21-27.0.4.EL")) flag++;
      if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-smp-2.4.21-27.0.4.EL")) flag++;
      if (rpm_check(release:"RHEL3", cpu:"x86_64", reference:"kernel-smp-2.4.21-27.0.4.EL")) flag++;
      if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-smp-unsupported-2.4.21-27.0.4.EL")) flag++;
      if (rpm_check(release:"RHEL3", cpu:"x86_64", reference:"kernel-smp-unsupported-2.4.21-27.0.4.EL")) flag++;
      if (rpm_check(release:"RHEL3", reference:"kernel-source-2.4.21-27.0.4.EL")) flag++;
      if (rpm_check(release:"RHEL3", reference:"kernel-unsupported-2.4.21-27.0.4.EL")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-BOOT / kernel-doc / kernel-hugemem / etc");
      }
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2005-293.NASL
    descriptionUpdated kernel packages that fix several security issues in the Red Hat Enterprise Linux 3 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. The following security issues were fixed : The Vicam USB driver did not use the copy_from_user function to access userspace, crossing security boundaries. (CVE-2004-0075) The ext3 and jfs code did not properly initialize journal descriptor blocks. A privileged local user could read portions of kernel memory. (CVE-2004-0177) The terminal layer did not properly lock line discipline changes or pending IO. An unprivileged local user could read portions of kernel memory, or cause a denial of service (system crash). (CVE-2004-0814) A race condition was discovered. Local users could use this flaw to read the environment variables of another process that is still spawning via /proc/.../cmdline. (CVE-2004-1058) A flaw in the execve() syscall handling was discovered, allowing a local user to read setuid ELF binaries that should otherwise be protected by standard permissions. (CVE-2004-1073). Red Hat originally reported this as being fixed by RHSA-2004:549, but the associated fix was missing from that update. Keith Owens reported a flaw in the Itanium unw_unwind_to_user() function. A local user could use this flaw to cause a denial of service (system crash) on the Itanium architecture. (CVE-2005-0135) A missing Itanium syscall table entry could allow an unprivileged local user to cause a denial of service (system crash) on the Itanium architecture. (CVE-2005-0137) A flaw affecting the OUTS instruction on the AMD64 and Intel EM64T architectures was discovered. A local user could use this flaw to access privileged IO ports. (CVE-2005-0204) A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CVE-2005-0384) A flaw in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3 was discovered that left a pointer to a freed tty structure. A local user could potentially use this flaw to cause a denial of service (system crash) or possibly gain read or write access to ttys that should normally be prevented. (CVE-2005-0403) A flaw in fragment queuing was discovered affecting the netfilter subsystem. On systems configured to filter or process network packets (for example those configured to do firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to sucessfully exploit this flaw, the attacker would need to know (or guess) some aspects of the firewall ruleset in place on the target system to be able to craft the right fragmented packets. (CVE-2005-0449) Missing validation of an epoll_wait() system call parameter could allow a local user to cause a denial of service (system crash) on the IBM S/390 and zSeries architectures. (CVE-2005-0736) A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (system crash). (CVE-2005-0749) A flaw was discovered in the bluetooth driver system. On system where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CVE-2005-0750) In addition to the security issues listed above, there was an important fix made to the handling of the msync() system call for a particular case in which the call could return without queuing modified mmap()
    last seen2020-06-01
    modified2020-06-02
    plugin id21923
    published2006-07-05
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21923
    titleCentOS 3 : kernel (CESA-2005:293)

Oval

accepted2013-04-29T04:19:23.649-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
descriptioninit_dev in tty_io.c in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3 does not properly clear controlling tty's in multi-threaded applications, which allows local users to cause a denial of service (crash) and possibly gain tty access via unknown attack vectors that trigger an access of a pointer to a freed structure.
familyunix
idoval:org.mitre.oval:def:9435
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleinit_dev in tty_io.c in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3 does not properly clear controlling tty's in multi-threaded applications, which allows local users to cause a denial of service (crash) and possibly gain tty access via unknown attack vectors that trigger an access of a pointer to a freed structure.
version26

Redhat

advisories
rhsa
idRHSA-2005:293
rpms
  • kernel-0:2.4.21-27.0.4.EL
  • kernel-BOOT-0:2.4.21-27.0.4.EL
  • kernel-debuginfo-0:2.4.21-27.0.4.EL
  • kernel-doc-0:2.4.21-27.0.4.EL
  • kernel-hugemem-0:2.4.21-27.0.4.EL
  • kernel-hugemem-unsupported-0:2.4.21-27.0.4.EL
  • kernel-smp-0:2.4.21-27.0.4.EL
  • kernel-smp-unsupported-0:2.4.21-27.0.4.EL
  • kernel-source-0:2.4.21-27.0.4.EL
  • kernel-unsupported-0:2.4.21-27.0.4.EL