Vulnerabilities > CVE-2005-2800 - Resource Management Errors vulnerability in Linux Kernel

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

linux

CWE-399

nessus

exploit available

NVD

Published: 2005-09-06

Updated: 2024-11-21

Summary

Memory leak in the seq_file implementation in the SCSI procfs interface (sg.c) in Linux kernel 2.6.13 and earlier allows local users to cause a denial of service (memory consumption) via certain repeated reads from the /proc/scsi/sg/devices file, which is not properly handled when the next() iterator returns NULL or an error.

Vulnerable Configurations

Part	Description	Count
OS	Linux Linux Linux Kernel 2.6.11 Linux Linux Kernel 2.6.5 Linux Linux Kernel 2.6.1 Linux Linux Kernel 2.6.13 Linux Linux Kernel 2.6.10 Linux Linux Kernel 2.6.3 Linux Linux Kernel 2.6.4 Linux Linux Kernel 2.6.2 Linux Linux Kernel 2.6.8 Linux Linux Kernel 2.6.0 Linux Linux Kernel 2.6.7 Linux Linux Kernel 2.6.9 Linux Linux Kernel 2.6.6 Linux Linux Kernel 2.6.12	14

Common Weakness Enumeration (CWE)

CWE-399 - Resource Management Errors

Exploit-Db

description	Linux Kernel 2.6.x SCSI ProcFS Denial Of Service Vulnerability. CVE-2005-2800. Dos exploit for linux platform
id	EDB-ID:26248
last seen	2016-02-03
modified	2005-09-09
published	2005-09-09
reporter	anonymous
source	https://www.exploit-db.com/download/26248/
title	Linux Kernel 2.6.x - SCSI ProcFS Denial of Service Vulnerability

Nessus

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2006-0101.NASL
description	Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : - a flaw in network IGMP processing that a allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate) - a flaw which allowed a local user to write to firmware on read-only opened /dev/cdrom devices (CVE-2004-1190, moderate) - a flaw in gzip/zlib handling internal to the kernel that may allow a local user to cause a denial of service (crash) (CVE-2005-2458, low) - a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709, moderate) - a flaw in the SCSI procfs interface that allowed a local user to cause a denial of service (crash) (CVE-2005-2800, moderate) - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044, important) - a race condition when threads share memory mapping that allowed local users to cause a denial of service (deadlock) (CVE-2005-3106, important) - a flaw when trying to mount a non-hfsplus filesystem using hfsplus that allowed local users to cause a denial of service (crash) (CVE-2005-3109, moderate) - a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276, low) - a flaw in mq_open system call that allowed a local user to cause a denial of service (crash) (CVE-2005-3356, important) - a flaw in set_mempolicy that allowed a local user on some 64-bit architectures to cause a denial of service (crash) (CVE-2005-3358, important) - a flaw in the auto-reap of child processes that allowed a local user to cause a denial of service (crash) (CVE-2005-3784, important) - a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806, important) - a flaw in network ICMP processing that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3848, important) - a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857, moderate) - a flaw in network IPv6 xfrm handling that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3858, important) - a flaw in procfs handling that allowed a local user to read kernel memory (CVE-2005-4605, important) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
last seen	2020-06-01
modified	2020-06-02
plugin id	21977
published	2006-07-05
reporter	This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/21977
title	CentOS 4 : kernel (CESA-2006:0101)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2006:0101 and # CentOS Errata and Security Advisory 2006:0101 respectively. # include("compat.inc"); if (description) { script_id(21977); script_version("1.21"); script_cvs_date("Date: 2019/10/25 13:36:03"); script_cve_id("CVE-2002-2185", "CVE-2004-1190", "CVE-2005-2458", "CVE-2005-2709", "CVE-2005-2800", "CVE-2005-3044", "CVE-2005-3106", "CVE-2005-3109", "CVE-2005-3276", "CVE-2005-3356", "CVE-2005-3358", "CVE-2005-3784", "CVE-2005-3806", "CVE-2005-3848", "CVE-2005-3857", "CVE-2005-3858", "CVE-2005-4605"); script_xref(name:"RHSA", value:"2006:0101"); script_name(english:"CentOS 4 : kernel (CESA-2006:0101)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : - a flaw in network IGMP processing that a allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate) - a flaw which allowed a local user to write to firmware on read-only opened /dev/cdrom devices (CVE-2004-1190, moderate) - a flaw in gzip/zlib handling internal to the kernel that may allow a local user to cause a denial of service (crash) (CVE-2005-2458, low) - a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709, moderate) - a flaw in the SCSI procfs interface that allowed a local user to cause a denial of service (crash) (CVE-2005-2800, moderate) - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044, important) - a race condition when threads share memory mapping that allowed local users to cause a denial of service (deadlock) (CVE-2005-3106, important) - a flaw when trying to mount a non-hfsplus filesystem using hfsplus that allowed local users to cause a denial of service (crash) (CVE-2005-3109, moderate) - a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276, low) - a flaw in mq_open system call that allowed a local user to cause a denial of service (crash) (CVE-2005-3356, important) - a flaw in set_mempolicy that allowed a local user on some 64-bit architectures to cause a denial of service (crash) (CVE-2005-3358, important) - a flaw in the auto-reap of child processes that allowed a local user to cause a denial of service (crash) (CVE-2005-3784, important) - a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806, important) - a flaw in network ICMP processing that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3848, important) - a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857, moderate) - a flaw in network IPv6 xfrm handling that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3858, important) - a flaw in procfs handling that allowed a local user to read kernel memory (CVE-2005-4605, important) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum." ); # https://lists.centos.org/pipermail/centos-announce/2006-January/012580.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?4839b252" ); # https://lists.centos.org/pipermail/centos-announce/2006-January/012581.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?d8112949" ); # https://lists.centos.org/pipermail/centos-announce/2006-January/012582.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?ec839998" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-hugemem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-hugemem-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-smp-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2002/12/31"); script_set_attribute(attribute:"patch_publication_date", value:"2006/01/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/05"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) \|\| "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^4([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-4", reference:"kernel-2.6.9-22.0.2.EL")) flag++; if (rpm_check(release:"CentOS-4", reference:"kernel-devel-2.6.9-22.0.2.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-doc-2.6.9-22.0.2.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-doc-2.6.9-22.0.2.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-hugemem-2.6.9-22.0.2.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-hugemem-devel-2.6.9-22.0.2.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-smp-2.6.9-22.0.2.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-smp-2.6.9-22.0.2.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-smp-devel-2.6.9-22.0.2.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-smp-devel-2.6.9-22.0.2.EL")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-devel / kernel-doc / kernel-hugemem / etc"); }

NASL family	Mandriva Local Security Checks
NASL id	MANDRAKE_MDKSA-2005-220.NASL
description	Multiple vulnerabilities in the Linux 2.6 kernel have been discovered and corrected in this update: The kernel on x86_64 platforms does not use a guard page for the 47-bit address page to protect against an AMD K8 bug which allows a local user to cause a DoS (CVE-2005-1764). The KEYCTL_JOIN_SESSION_KEYRING operation in versions prior to 2.6.12.5 contains an error path that does not properly release the session management semaphore, which allows local users or remote attackers to cause a DoS (semaphore hang) via a new session keyring with an empty name string, a long name string, the key quota reached, or ENOMEM (CVE-2005-2098). Kernels prior to 2.6.12.5 do not properly destroy a keyring that is not instantiated properly, allowing a local user or remote attacker to cause a DoS (oops) via a keyring with a payload that is not empty (CVE-2005-2099). An array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c allows local users to cause a DoS (oops or deadlock) and possibly execute arbitrary code (CVE-2005-2456). The zisofs driver in versions prior to 2.6.12.5 allows local users and remove attackers to cause a DoS (crash) via a crafted compressed ISO filesystem (CVE-2005-2457). inflate.c in the zlib routines in versions prior to 2.6.12.5 allow remove attackers to cause a DoS (crash) via a compressed file with 'improper tables' (CVE-2005-2458). The huft_build function in inflate.c in the zlib routines in versions prior to 2.6.12.5 returns the wrong value, allowing remote attackers to cause a DoS (crash) via a certain compressed file that leads to a NULL pointer dereference (CVE-2005-2459). A stack-based buffer overflow in the sendmsg function call in versions prior to 2.6.13.1 allow local users to execute arbitrary code by calling sendmsg and modifying the message contents in another thread (CVE-2005-2490). The raw_sendmsg function in versions prior to 2.6.13.1 allow local users to cause a DoS (change hardware state) or read from arbitrary memory via crafted input (CVE-2005-2492). A memory leak in the seq_file implementation in the SCSI procfs interface (sg.c) in 2.6.13 and earlier allows a local user to cause a DoS (memory consumption) via certain repeated reads from /proc/scsi/gs/devices file which is not properly handled when the next() interator returns NULL or an error (CVE-2005-2800). The ipt_recent module in versions prior to 2.6.12 when running on 64bit processors allows remote attackers to cause a DoS (kernel panic) via certain attacks such as SSH brute force (CVE-2005-2872). The ipt_recent module in versions prior to 2.6.12 does not properly perform certain tests when the jiffies value is greater than LONG_MAX, which can cause ipt_recent netfilter rules to block too early (CVE-2005-2873). Multiple vulnerabilities in versions prior to 2.6.13.2 allow local users to cause a DoS (oops from NULL dereference) via fput in a 32bit ioctl on 64-bit x86 systems or sockfd_put in the 32-bit routing_ioctl function on 64-bit systems (CVE-2005-3044). The sys_set_mempolicy function in mempolicy.c allows local users to cause a DoS via a negative first argument (CVE-2005-3053). Versions 2.6.8 to 2.6.14-rc2 allow local users to cause a DoS (oops) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference (CVE-2005-3055). drm.c in version 2.6.13 and earlier creates a debug file in sysfs with world-readable and world-writable permissions, allowing local users to enable DRM debugging and obtain sensitive information (CVE-2005-3179). The Orinoco driver in 2.6.13 and earlier does not properly clear memory from a previously used packet whose length is increased, allowing remote attackers to obtain sensitive information (CVE-2005-3180). Kernels 2.6.13 and earlier, when CONFIG_AUDITSYSCALL is enabled, use an incorrect function to free names_cache memory, preventing the memory from being tracked by AUDITSYSCALL code and leading to a memory leak (CVE-2005-3181). The VT implementation in version 2.6.12 allows local users to use certain IOCTLs on terminals of other users and gain privileges (CVE-2005-3257). Exec does not properly clear posix-timers in multi-threaded environments, which result in a resource leak and could allow a large number of multiple local users to cause a DoS by using more posix- timers than specified by the quota for a single user (CVE-2005-3271). The rose_rt_ioctl function rose_route.c in versions prior to 2.6.12 does not properly verify the ndigis argument for a new route, allowing an attacker to trigger array out-of-bounds errors with a large number of digipeats (CVE-2005-3273). A race condition in ip_vs_conn_flush in versions prior to 2.6.13, when running on SMP systems, allows local users to cause a DoS (NULL dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired (CVE-2005-3274). The NAT code in versions prior to 2.6.13 incorrectly declares a variable to be static, allowing remote attackers to cause a DoS (memory corruption) by causing two packets for the same protocol to be NATed at the same time (CVE-2005-3275). The sys_get_thread_area function in process.c in versions prior to 2.6.12.4 and 2.6.13 does not clear a data structure before copying it to userspace, which may allow a user process to obtain sensitive information (CVE-2005-3276). The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at: http://www.mandriva.com/en/security/kernelupdate
last seen	2017-10-29
modified	2014-08-22
plugin id	20451
published	2006-01-15
reporter	Tenable
source	https://www.tenable.com/plugins/index.php?view=single&id=20451
title	MDKSA-2005:220 : kernel

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1017.NASL
description	Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2005-0449 An error in the skb_checksum_help() function from the netfilter framework has been discovered that allows the bypass of packet filter rules or a denial of service attack. - CVE-2005-2457 Tim Yamin discovered that insufficient input validation in the zisofs driver for compressed ISO file systems allows a denial of service attack through maliciously crafted ISO images. - CVE-2005-2490 A buffer overflow in the sendmsg() function allows local users to execute arbitrary code. - CVE-2005-2555 Herbert Xu discovered that the setsockopt() function was not restricted to users/processes with the CAP_NET_ADMIN capability. This allows attackers to manipulate IPSEC policies or initiate a denial of service attack. - CVE-2005-2709 Al Viro discovered a race condition in the /proc handling of network devices. A (local) attacker could exploit the stale reference after interface shutdown to cause a denial of service or possibly execute code in kernel mode. - CVE-2005-2800 Jan Blunck discovered that repeated failed reads of /proc/scsi/sg/devices leak memory, which allows a denial of service attack. - CVE-2005-2973 Tetsuo Handa discovered that the udp_v6_get_port() function from the IPv6 code can be forced into an endless loop, which allows a denial of service attack. - CVE-2005-3044 Vasiliy Averin discovered that the reference counters from sockfd_put() and fput() can be forced into overlapping, which allows a denial of service attack through a NULL pointer dereference. - CVE-2005-3053 Eric Dumazet discovered that the set_mempolicy() system call accepts a negative value for its first argument, which triggers a BUG() assert. This allows a denial of service attack. - CVE-2005-3055 Harald Welte discovered that if a process issues a USB Request Block (URB) to a device and terminates before the URB completes, a stale pointer would be dereferenced. This could be used to trigger a denial of service attack. - CVE-2005-3180 Pavel Roskin discovered that the driver for Orinoco wireless cards clears its buffers insufficiently. This could leak sensitive information into user space. - CVE-2005-3181 Robert Derr discovered that the audit subsystem uses an incorrect function to free memory, which allows a denial of service attack. - CVE-2005-3257 Rudolf Polzer discovered that the kernel improperly restricts access to the KDSKBSENT ioctl, which can possibly lead to privilege escalation. - CVE-2005-3356 Doug Chapman discovered that the mq_open syscall can be tricked into decrementing an internal counter twice, which allows a denial of service attack through a kernel panic. - CVE-2005-3358 Doug Chapman discovered that passing a zero bitmask to the set_mempolicy() system call leads to a kernel panic, which allows a denial of service attack. - CVE-2005-3783 The ptrace code using CLONE_THREAD didn
last seen	2020-06-01
modified	2020-06-02
plugin id	22559
published	2006-10-14
reporter	This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/22559
title	Debian DSA-1017-1 : kernel-source-2.6.8 - several vulnerabilities

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2006-0101.NASL
description	Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : - a flaw in network IGMP processing that a allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate) - a flaw which allowed a local user to write to firmware on read-only opened /dev/cdrom devices (CVE-2004-1190, moderate) - a flaw in gzip/zlib handling internal to the kernel that may allow a local user to cause a denial of service (crash) (CVE-2005-2458, low) - a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709, moderate) - a flaw in the SCSI procfs interface that allowed a local user to cause a denial of service (crash) (CVE-2005-2800, moderate) - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044, important) - a race condition when threads share memory mapping that allowed local users to cause a denial of service (deadlock) (CVE-2005-3106, important) - a flaw when trying to mount a non-hfsplus filesystem using hfsplus that allowed local users to cause a denial of service (crash) (CVE-2005-3109, moderate) - a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276, low) - a flaw in mq_open system call that allowed a local user to cause a denial of service (crash) (CVE-2005-3356, important) - a flaw in set_mempolicy that allowed a local user on some 64-bit architectures to cause a denial of service (crash) (CVE-2005-3358, important) - a flaw in the auto-reap of child processes that allowed a local user to cause a denial of service (crash) (CVE-2005-3784, important) - a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806, important) - a flaw in network ICMP processing that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3848, important) - a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857, moderate) - a flaw in network IPv6 xfrm handling that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3858, important) - a flaw in procfs handling that allowed a local user to read kernel memory (CVE-2005-4605, important) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
last seen	2020-06-01
modified	2020-06-02
plugin id	20732
published	2006-01-17
reporter	This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/20732
title	RHEL 4 : kernel (RHSA-2006:0101)

NASL family	Mandriva Local Security Checks
NASL id	MANDRAKE_MDKSA-2005-219.NASL
description	Multiple vulnerabilities in the Linux 2.6 kernel have been discovered and corrected in this update : An integer overflow in vc_resize (CVE-2004-1333). A race condition in the sysfs_read_file and sysfs_write_file functions in 2.6.10 and earlier allows local users to read kernel memory and cause a DoS (crash) via large offsets in sysfs files (CVE-2004-2302). An integer signedness error in scsi_ioctl.c (CVE-2005-0180). Netfilter allows a local user to cause a DoS (memory consumption) via certain packet fragments that are reassembled twice, which causes a data structure to be allocated twice (CVE-2005-0210). A DoS in pkt_ioctl in pktcdvc.c (CVE-2005-1589). An array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c allows local users to cause a DoS (oops or deadlock) and possibly execute arbitrary code (CVE-2005-2456). The zisofs driver in versions prior to 2.6.12.5 allows local users and remove attackers to cause a DoS (crash) via a crafted compressed ISO filesystem (CVE-2005-2457). inflate.c in the zlib routines in versions prior to 2.6.12.5 allow remove attackers to cause a DoS (crash) via a compressed file with
last seen	2020-06-01
modified	2020-06-02
plugin id	20450
published	2006-01-15
reporter	This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/20450
title	Mandrake Linux Security Advisory : kernel (MDKSA-2005:219)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-178-1.NASL
description	Oleg Nesterov discovered a local Denial of Service vulnerability in the timer handling. When a non group-leader thread called exec() to execute a different program while an itimer was pending, the timer expiry would signal the old group leader task, which did not exist any more. This caused a kernel panic. This vulnerability only affects Ubuntu 5.04. (CAN-2005-1913) Al Viro discovered that the sendmsg() function did not sufficiently validate its input data. By calling sendmsg() and at the same time modifying the passed message in another thread, he could exploit this to execute arbitrary commands with kernel privileges. This only affects the amd64 bit platform. (CAN-2005-2490) Al Viro discovered a vulnerability in the raw_sendmsg() function. By calling this function with specially crafted arguments, a local attacker could either read kernel memory contents (leading to information disclosure) or manipulate the hardware state by reading certain IO ports. This vulnerability only affects Ubuntu 5.04. (CAN-2005-2492) Jan Blunck discovered a Denial of Service vulnerability in the procfs interface of the SCSI driver. By repeatedly reading /proc/scsi/sg/devices, a local attacker could eventually exhaust kernel memory. (CAN-2005-2800) A flaw was discovered in the handling of extended attributes on ext2 and ext3 file systems. Under certain condidions, this could prevent the enforcement of Access Control Lists, which eventually could lead to information disclosure, unauthorized program execution, or unauthorized data modification. This does not affect the standard Unix permissions. (CAN-2005-2801) Chad Walstrom discovered a Denial of Service in the ipt_recent module, which can be used in netfilter (Firewall configuration). A remote attacker could exploit this to crash the kernel by sending certain packets (such as an SSH brute-force attack) to a host which uses the
last seen	2020-06-01
modified	2020-06-02
plugin id	20588
published	2006-01-15
reporter	Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/20588
title	Ubuntu 4.10 / 5.04 : linux-source-2.6.10, linux-source-2.6.8.1 vulnerabilities (USN-178-1)

Oval

accepted

2014-06-09T04:01:50.615-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.
name Jerome Athias
organization McAfee, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990

description

Memory leak in the seq_file implemenetation in the SCSI procfs interface (sg.c) in Linux kernel 2.6.13 and earlier allows local users to cause a denial of service (memory consumption) via certain repeated reads from the /proc/scsi/sg/devices file, which is not properly handled when the next() iterator returns NULL or an error.

family

unix

oval:org.mitre.oval:def:9954

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

Redhat

advisories

rhsa

id	RHSA-2006:0101

rpms

kernel-0:2.6.9-22.0.2.EL
kernel-debuginfo-0:2.6.9-22.0.2.EL
kernel-devel-0:2.6.9-22.0.2.EL
kernel-doc-0:2.6.9-22.0.2.EL
kernel-hugemem-0:2.6.9-22.0.2.EL
kernel-hugemem-devel-0:2.6.9-22.0.2.EL
kernel-smp-0:2.6.9-22.0.2.EL
kernel-smp-devel-0:2.6.9-22.0.2.EL

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 14790 CVE(CAN) ID: CVE-2005-2800 Linux Kernel是开放源码操作系统Linux所使用的内核。 Linux Kernel的SCSI驱动的procfs接口中存在拒绝服务漏洞。本地攻击者可以反复读取/proc/scsi/sg/devices，而next() iterator返回NULL或错误时没有正确的处理这种情况，耗尽kernel内存，导致拒绝服务。 Linux kernel <= 2.6.13 Ubuntu Linux 5.0 4 powerpc Ubuntu Linux 5.0 4 i386 Ubuntu Linux 5.0 4 amd64 Ubuntu Linux 4.1 ppc Ubuntu Linux 4.1 ia64 Ubuntu Linux 4.1 ia32 RedHat ------ RedHat已经为此发布了一个安全公告（RHSA-2006:0101-01）以及相应补丁: RHSA-2006:0101-01：Important: kernel security update 链接：<a href=http://lwn.net/Alerts/168077/?format=printable target=_blank>http://lwn.net/Alerts/168077/?format=printable</a> Ubuntu ------ 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： <a href=http://www.ubuntulinux.org/ target=_blank>http://www.ubuntulinux.org/</a>
id	SSV:4211
last seen	2017-11-19
modified	2006-08-14
published	2006-08-14
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-4211
title	Linux Kernel SCSI ProcFS拒绝服务漏洞

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Nessus

Oval

Redhat

Seebug

References