Vulnerabilities > CVE-2005-3055 - Improper Input Validation vulnerability in multiple products

047910
CVSS 2.1 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
local
low complexity
linux
debian
CWE-20
nessus

Summary

Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial of service (kernel OOPS) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-235.NASL
    descriptionMultiple vulnerabilities in the Linux 2.6 kernel have been discovered and corrected in this update : A stack-based buffer overflow in the sendmsg function call in versions prior to 2.6.13.1 allow local users to execute arbitrary code by calling sendmsg and modifying the message contents in another thread (CVE-2005-2490). The raw_sendmsg function in versions prior to 2.6.13.1 allow local users to cause a DoS (change hardware state) or read from arbitrary memory via crafted input (CVE-2005-2492). The ipt_recent module in versions prior to 2.6.12 does not properly perform certain tests when the jiffies value is greater than LONG_MAX, which can cause ipt_recent netfilter rules to block too early (CVE-2005-2873). Multiple vulnerabilities in versions prior to 2.6.13.2 allow local users to cause a DoS (oops from null dereference) via fput in a 32bit ioctl on 64-bit x86 systems or sockfd_put in the 32-bit routing_ioctl function on 64-bit systems (CVE-2005-3044). Versions 2.6.8 to 2.6.14-rc2 allow local users to cause a DoS (oops) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference (CVE-2005-3055). drm.c in version 2.6.13 and earlier creates a debug file in sysfs with world-readable and world-writable permissions, allowing local users to enable DRM debugging and obtain sensitive information (CVE-2005-3179). The Orinoco driver in 2.6.13 and earlier does not properly clear memory from a previously used packet whose length is increased, allowing remote attackers to obtain sensitive information (CVE-2005-3180). Kernels 2.6.13 and earlier, when CONFIG_AUDITSYSCALL is enabled, use an incorrect function to free names_cache memory, preventing the memory from being tracked by AUDITSYSCALL code and leading to a memory leak (CVE-2005-3181). The VT implementation in version 2.6.12 allows local users to use certain IOCTLs on terminals of other users and gain privileges (CVE-2005-3257). A race condition in ip_vs_conn_flush in versions prior to 2.6.13, when running on SMP systems, allows local users to cause a DoS (null dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired (CVE-2005-3274). The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen2020-06-01
    modified2020-06-02
    plugin id20466
    published2006-01-15
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20466
    titleMandrake Linux Security Advisory : kernel (MDKSA-2005:235)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2005:235. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20466);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id("CVE-2005-2490", "CVE-2005-2492", "CVE-2005-2873", "CVE-2005-3044", "CVE-2005-3055", "CVE-2005-3179", "CVE-2005-3180", "CVE-2005-3181", "CVE-2005-3257", "CVE-2005-3274");
      script_xref(name:"MDKSA", value:"2005:235");
    
      script_name(english:"Mandrake Linux Security Advisory : kernel (MDKSA-2005:235)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities in the Linux 2.6 kernel have been discovered
    and corrected in this update :
    
    A stack-based buffer overflow in the sendmsg function call in versions
    prior to 2.6.13.1 allow local users to execute arbitrary code by
    calling sendmsg and modifying the message contents in another thread
    (CVE-2005-2490).
    
    The raw_sendmsg function in versions prior to 2.6.13.1 allow local
    users to cause a DoS (change hardware state) or read from arbitrary
    memory via crafted input (CVE-2005-2492).
    
    The ipt_recent module in versions prior to 2.6.12 does not properly
    perform certain tests when the jiffies value is greater than LONG_MAX,
    which can cause ipt_recent netfilter rules to block too early
    (CVE-2005-2873).
    
    Multiple vulnerabilities in versions prior to 2.6.13.2 allow local
    users to cause a DoS (oops from null dereference) via fput in a 32bit
    ioctl on 64-bit x86 systems or sockfd_put in the 32-bit routing_ioctl
    function on 64-bit systems (CVE-2005-3044).
    
    Versions 2.6.8 to 2.6.14-rc2 allow local users to cause a DoS (oops)
    via a userspace process that issues a USB Request Block (URB) to a USB
    device and terminates before the URB is finished, which leads to a
    stale pointer reference (CVE-2005-3055).
    
    drm.c in version 2.6.13 and earlier creates a debug file in sysfs with
    world-readable and world-writable permissions, allowing local users to
    enable DRM debugging and obtain sensitive information (CVE-2005-3179).
    
    The Orinoco driver in 2.6.13 and earlier does not properly clear
    memory from a previously used packet whose length is increased,
    allowing remote attackers to obtain sensitive information
    (CVE-2005-3180).
    
    Kernels 2.6.13 and earlier, when CONFIG_AUDITSYSCALL is enabled, use
    an incorrect function to free names_cache memory, preventing the
    memory from being tracked by AUDITSYSCALL code and leading to a memory
    leak (CVE-2005-3181).
    
    The VT implementation in version 2.6.12 allows local users to use
    certain IOCTLs on terminals of other users and gain privileges
    (CVE-2005-3257).
    
    A race condition in ip_vs_conn_flush in versions prior to 2.6.13, when
    running on SMP systems, allows local users to cause a DoS (null
    dereference) by causing a connection timer to expire while the
    connection table is being flushed before the appropriate lock is
    acquired (CVE-2005-3274).
    
    The provided packages are patched to fix these vulnerabilities. All
    users are encouraged to upgrade to these updated kernels.
    
    To update your kernel, please follow the directions located at :
    
    http://www.mandriva.com/en/security/kernelupdate"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_cwe_id(399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.6.12.14mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i586-up-1GB-2.6.12.14mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.6.12.14mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.6.12.14mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-2.6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-stripped-2.6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xbox-2.6.12.14mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xen0-2.6.12.14mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xenU-2.6.12.14mdk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/12/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2006.0", reference:"kernel-2.6.12.14mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-i586-up-1GB-2.6.12.14mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-i686-up-4GB-2.6.12.14mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"kernel-smp-2.6.12.14mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"kernel-source-2.6-2.6.12-14mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"kernel-source-stripped-2.6-2.6.12-14mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-xbox-2.6.12.14mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-xen0-2.6.12.14mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-xenU-2.6.12.14mdk-1-1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-220.NASL
    descriptionMultiple vulnerabilities in the Linux 2.6 kernel have been discovered and corrected in this update: The kernel on x86_64 platforms does not use a guard page for the 47-bit address page to protect against an AMD K8 bug which allows a local user to cause a DoS (CVE-2005-1764). The KEYCTL_JOIN_SESSION_KEYRING operation in versions prior to 2.6.12.5 contains an error path that does not properly release the session management semaphore, which allows local users or remote attackers to cause a DoS (semaphore hang) via a new session keyring with an empty name string, a long name string, the key quota reached, or ENOMEM (CVE-2005-2098). Kernels prior to 2.6.12.5 do not properly destroy a keyring that is not instantiated properly, allowing a local user or remote attacker to cause a DoS (oops) via a keyring with a payload that is not empty (CVE-2005-2099). An array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c allows local users to cause a DoS (oops or deadlock) and possibly execute arbitrary code (CVE-2005-2456). The zisofs driver in versions prior to 2.6.12.5 allows local users and remove attackers to cause a DoS (crash) via a crafted compressed ISO filesystem (CVE-2005-2457). inflate.c in the zlib routines in versions prior to 2.6.12.5 allow remove attackers to cause a DoS (crash) via a compressed file with 'improper tables' (CVE-2005-2458). The huft_build function in inflate.c in the zlib routines in versions prior to 2.6.12.5 returns the wrong value, allowing remote attackers to cause a DoS (crash) via a certain compressed file that leads to a NULL pointer dereference (CVE-2005-2459). A stack-based buffer overflow in the sendmsg function call in versions prior to 2.6.13.1 allow local users to execute arbitrary code by calling sendmsg and modifying the message contents in another thread (CVE-2005-2490). The raw_sendmsg function in versions prior to 2.6.13.1 allow local users to cause a DoS (change hardware state) or read from arbitrary memory via crafted input (CVE-2005-2492). A memory leak in the seq_file implementation in the SCSI procfs interface (sg.c) in 2.6.13 and earlier allows a local user to cause a DoS (memory consumption) via certain repeated reads from /proc/scsi/gs/devices file which is not properly handled when the next() interator returns NULL or an error (CVE-2005-2800). The ipt_recent module in versions prior to 2.6.12 when running on 64bit processors allows remote attackers to cause a DoS (kernel panic) via certain attacks such as SSH brute force (CVE-2005-2872). The ipt_recent module in versions prior to 2.6.12 does not properly perform certain tests when the jiffies value is greater than LONG_MAX, which can cause ipt_recent netfilter rules to block too early (CVE-2005-2873). Multiple vulnerabilities in versions prior to 2.6.13.2 allow local users to cause a DoS (oops from NULL dereference) via fput in a 32bit ioctl on 64-bit x86 systems or sockfd_put in the 32-bit routing_ioctl function on 64-bit systems (CVE-2005-3044). The sys_set_mempolicy function in mempolicy.c allows local users to cause a DoS via a negative first argument (CVE-2005-3053). Versions 2.6.8 to 2.6.14-rc2 allow local users to cause a DoS (oops) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference (CVE-2005-3055). drm.c in version 2.6.13 and earlier creates a debug file in sysfs with world-readable and world-writable permissions, allowing local users to enable DRM debugging and obtain sensitive information (CVE-2005-3179). The Orinoco driver in 2.6.13 and earlier does not properly clear memory from a previously used packet whose length is increased, allowing remote attackers to obtain sensitive information (CVE-2005-3180). Kernels 2.6.13 and earlier, when CONFIG_AUDITSYSCALL is enabled, use an incorrect function to free names_cache memory, preventing the memory from being tracked by AUDITSYSCALL code and leading to a memory leak (CVE-2005-3181). The VT implementation in version 2.6.12 allows local users to use certain IOCTLs on terminals of other users and gain privileges (CVE-2005-3257). Exec does not properly clear posix-timers in multi-threaded environments, which result in a resource leak and could allow a large number of multiple local users to cause a DoS by using more posix- timers than specified by the quota for a single user (CVE-2005-3271). The rose_rt_ioctl function rose_route.c in versions prior to 2.6.12 does not properly verify the ndigis argument for a new route, allowing an attacker to trigger array out-of-bounds errors with a large number of digipeats (CVE-2005-3273). A race condition in ip_vs_conn_flush in versions prior to 2.6.13, when running on SMP systems, allows local users to cause a DoS (NULL dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired (CVE-2005-3274). The NAT code in versions prior to 2.6.13 incorrectly declares a variable to be static, allowing remote attackers to cause a DoS (memory corruption) by causing two packets for the same protocol to be NATed at the same time (CVE-2005-3275). The sys_get_thread_area function in process.c in versions prior to 2.6.12.4 and 2.6.13 does not clear a data structure before copying it to userspace, which may allow a user process to obtain sensitive information (CVE-2005-3276). The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at: http://www.mandriva.com/en/security/kernelupdate
    last seen2017-10-29
    modified2014-08-22
    plugin id20451
    published2006-01-15
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=20451
    titleMDKSA-2005:220 : kernel
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0579.NASL
    descriptionUpdated kernel packages that fix a number of security issues as well as other bugs are now available for Red Hat Enterprise Linux 2.1 (32 bit architectures) This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : * a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate) * a flaw in ROSE due to missing verification of the ndigis argument of new routes (CVE-2005-3273, moderate) * an info leak on AMD-based x86 systems that allowed a local user to retrieve the floating point exception state of a process run by a different user (CVE-2006-1056, important) * a minor info leak in socket name handling in the network code (CVE-2006-1342, low) * a minor info leak in socket option handling in the network code (CVE-2006-1343, low) * a directory traversal vulnerability in smbfs that allowed a local user to escape chroot restrictions for an SMB-mounted filesystem via
    last seen2020-06-01
    modified2020-06-02
    plugin id22054
    published2006-07-17
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22054
    titleRHEL 2.1 : kernel (RHSA-2006:0579)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0575.NASL
    descriptionUpdated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. This is the fourth regular update to Red Hat Enterprise Linux 4. New features introduced in this update include : * Device Mapper mirroring support * IDE diskdump support * x86, AMD64 and Intel EM64T: Multi-core scheduler support enhancements * Itanium: perfmon support for Montecito * much improved support for IBM x460 * AMD PowerNow! patches to support Opteron Rev G * Vmalloc support > 64MB The following device drivers have been upgraded to new versions : ipmi: 33.11 to 33.13 ib_mthca: 0.06 to 0.08 bnx2: 1.4.30 to 1.4.38 bonding: 2.6.1 to 2.6.3 e100: 3.4.8-k2-NAPI to 3.5.10-k2-NAPI e1000: 6.1.16-k3-NAPI to 7.0.33-k2-NAPI sky2: 0.13 to 1.1 tg3: 3.43-rh to 3.52-rh ipw2100: 1.1.0 to git-1.1.4 ipw2200: 1.0.0 to git-1.0.10 3w-9xxx: 2.26.02.001 to 2.26.04.010 ips: 7.10.18 to 7.12.02 iscsi_sfnet: 4:0.1.11-2 to 4:0.1.11-3 lpfc: 0:8.0.16.18 to 0:8.0.16.27 megaraid_sas: 00.00.02.00 to 00.00.02.03-RH1 qla2xxx: 8.01.02-d4 to 8.01.04-d7 qla6312: 8.01.02-d4 to 8.01.04-d7 sata_promise: 1.03 to 1.04 sata_vsc: 1.1 to 1.2 ibmvscsic: 1.5.5 to 1.5.6 ipr: 2.0.11.1 to 2.0.11.2 Added drivers : dcdbas: 5.6.0-2 sata_mv: 0.6 sata_qstor: 0.05 sata_uli: 0.5 skge: 1.1 stex: 2.9.0.13 pdc_adma: 0.03 This update includes fixes for the security issues : * a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate) * a flaw in the ACL handling of nfsd that allowed a remote user to bypass ACLs for readonly mounted NFS file systems (CVE-2005-3623, moderate) * a flaw in the netfilter handling that allowed a local user with CAP_NET_ADMIN rights to cause a buffer overflow (CVE-2006-0038, low) * a flaw in the IBM S/390 and IBM zSeries strnlen_user() function that allowed a local user to cause a denial of service (crash) or to retrieve random kernel data (CVE-2006-0456, important) * a flaw in the keyctl functions that allowed a local user to cause a denial of service (crash) or to read sensitive kernel memory (CVE-2006-0457, important) * a flaw in unaligned accesses handling on Itanium processors that allowed a local user to cause a denial of service (crash) (CVE-2006-0742, important) * a flaw in SELinux ptrace logic that allowed a local user with ptrace permissions to change the tracer SID to a SID of another process (CVE-2006-1052, moderate) * an info leak on AMD-based x86 and x86_64 systems that allowed a local user to retrieve the floating point exception state of a process run by a different user (CVE-2006-1056, important) * a flaw in IPv4 packet output handling that allowed a remote user to bypass the zero IP ID countermeasure on systems with a disabled firewall (CVE-2006-1242, low) * a minor info leak in socket option handling in the network code (CVE-2006-1343, low) * a flaw in the HB-ACK chunk handling of SCTP that allowed a remote user to cause a denial of service (crash) (CVE-2006-1857, moderate) * a flaw in the SCTP implementation that allowed a remote user to cause a denial of service (deadlock) (CVE-2006-2275, moderate) * a flaw in the socket buffer handling that allowed a remote user to cause a denial of service (panic) (CVE-2006-2446, important) * a flaw in the signal handling access checking on PowerPC that allowed a local user to cause a denial of service (crash) or read arbitrary kernel memory on 64-bit systems (CVE-2006-2448, important) * a flaw in the netfilter SCTP module when receiving a chunkless packet that allowed a remote user to cause a denial of service (crash) (CVE-2006-2934, important) There were several bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4.
    last seen2020-06-01
    modified2020-06-02
    plugin id22221
    published2006-08-14
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22221
    titleRHEL 4 : kernel (RHSA-2006:0575)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1017.NASL
    descriptionSeveral local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2005-0449 An error in the skb_checksum_help() function from the netfilter framework has been discovered that allows the bypass of packet filter rules or a denial of service attack. - CVE-2005-2457 Tim Yamin discovered that insufficient input validation in the zisofs driver for compressed ISO file systems allows a denial of service attack through maliciously crafted ISO images. - CVE-2005-2490 A buffer overflow in the sendmsg() function allows local users to execute arbitrary code. - CVE-2005-2555 Herbert Xu discovered that the setsockopt() function was not restricted to users/processes with the CAP_NET_ADMIN capability. This allows attackers to manipulate IPSEC policies or initiate a denial of service attack. - CVE-2005-2709 Al Viro discovered a race condition in the /proc handling of network devices. A (local) attacker could exploit the stale reference after interface shutdown to cause a denial of service or possibly execute code in kernel mode. - CVE-2005-2800 Jan Blunck discovered that repeated failed reads of /proc/scsi/sg/devices leak memory, which allows a denial of service attack. - CVE-2005-2973 Tetsuo Handa discovered that the udp_v6_get_port() function from the IPv6 code can be forced into an endless loop, which allows a denial of service attack. - CVE-2005-3044 Vasiliy Averin discovered that the reference counters from sockfd_put() and fput() can be forced into overlapping, which allows a denial of service attack through a NULL pointer dereference. - CVE-2005-3053 Eric Dumazet discovered that the set_mempolicy() system call accepts a negative value for its first argument, which triggers a BUG() assert. This allows a denial of service attack. - CVE-2005-3055 Harald Welte discovered that if a process issues a USB Request Block (URB) to a device and terminates before the URB completes, a stale pointer would be dereferenced. This could be used to trigger a denial of service attack. - CVE-2005-3180 Pavel Roskin discovered that the driver for Orinoco wireless cards clears its buffers insufficiently. This could leak sensitive information into user space. - CVE-2005-3181 Robert Derr discovered that the audit subsystem uses an incorrect function to free memory, which allows a denial of service attack. - CVE-2005-3257 Rudolf Polzer discovered that the kernel improperly restricts access to the KDSKBSENT ioctl, which can possibly lead to privilege escalation. - CVE-2005-3356 Doug Chapman discovered that the mq_open syscall can be tricked into decrementing an internal counter twice, which allows a denial of service attack through a kernel panic. - CVE-2005-3358 Doug Chapman discovered that passing a zero bitmask to the set_mempolicy() system call leads to a kernel panic, which allows a denial of service attack. - CVE-2005-3783 The ptrace code using CLONE_THREAD didn
    last seen2020-06-01
    modified2020-06-02
    plugin id22559
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22559
    titleDebian DSA-1017-1 : kernel-source-2.6.8 - several vulnerabilities
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0437.NASL
    descriptionUpdated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 3. This is the eighth regular update. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. This is the eighth regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include : - addition of the adp94xx and dcdbas device drivers - diskdump support on megaraid_sas, qlogic, and swap partitions - support for new hardware via driver and SCSI white-list updates There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include the networking subsystem, the NFS and autofs4 file systems, the SCSI and USB subsystems, and architecture-specific handling affecting AMD Opteron and Intel EM64T processors. The following device drivers have been added or upgraded to new versions : adp94xx -------- 1.0.8 (new) bnx2 ----------- 1.4.38 cciss ---------- 2.4.60.RH1 dcdbas --------- 5.6.0-1 (new) e1000 ---------- 7.0.33-k2 emulex --------- 7.3.6 forcedeth ------ 0.30 ipmi ----------- 35.13 qlogic --------- 7.07.04b6 tg3 ------------ 3.52RH The following security bugs were fixed in this update : - a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate) - a flaw in the exec() handling of multi-threaded tasks using ptrace() that allowed a local user to cause a denial of service (hang of a user process) (CVE-2005-3107, low) - a difference in
    last seen2020-06-01
    modified2020-06-02
    plugin id22135
    published2006-08-04
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22135
    titleCentOS 3 : kernel (CESA-2006:0437)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2005_067.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2005:067 (kernel). This kernel update for SUSE Linux 10.0 contains fixes for XEN, various security fixes and bug fixes. This update includes a more recent snapshot of the upcoming XEN 3.0. Many bugs have been fixed. Stability for x86_64 has been improved. Stability has been improved for SMP, and now both i586 and x86_64 kernels are built with SMP support. It also contains several security fixes : - CVE-2005-3783: A check in ptrace(2) handling that finds out if a process is attaching to itself was incorrect and could be used by a local attacker to crash the machine. - CVE-2005-3784: A check in reaping of terminating child processes did not consider ptrace(2) attached processes and would leave a ptrace reference dangling. This could lead to a local user being able to crash the machine. - CVE-2005-3271: A task leak problem when releasing POSIX timers was fixed. This could lead to local users causing a local denial of service by exhausting system memory. - CVE-2005-3805: A locking problem in POSIX timer handling could be used by a local attacker on a SMP system to deadlock the machine. - CVE-2005-3181: A problem in the Linux auditing code could lead to a memory leak which finally could exhaust system memory of a machine. - CVE-2005-2973: An infinite loop in the IPv6 UDP loopback handling can be easily triggered by a local user and lead to a denial of service. - CVE-2005-3806: A bug in IPv6 flow label handling code could be used by a local attacker to free non-allocated memory and in turn corrupt kernel memory and likely crash the machine. - CVE-2005-3807: A memory kernel leak in VFS lease handling can exhaust the machine memory and so cause a local denial of service. This is seen in regular Samba use and could also be triggered by local attackers. - CVE-2005-3055: Unplugging an user space controlled USB device with an URB pending in user space could crash the kernel. This can be easily triggered by local attacker. - CVE-2005-3180: Fixed incorrect padding in Orinoco wireless driver, which could expose kernel data to the air. - CVE-2005-3044: Missing sockfd_put() calls in routing_ioctl() leaked file handles which in turn could exhaust system memory. - CVE-2005-3527: A race condition in do_coredump in signal.c allows local users to cause a denial of service (machine hang) by triggering a core dump in one thread while another thread has a pending SIGSTOP.
    last seen2019-10-28
    modified2005-12-08
    plugin id20282
    published2005-12-08
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20282
    titleSUSE-SA:2005:067: kernel
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0575.NASL
    descriptionUpdated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. This is the fourth regular update to Red Hat Enterprise Linux 4. New features introduced in this update include : * Device Mapper mirroring support * IDE diskdump support * x86, AMD64 and Intel EM64T: Multi-core scheduler support enhancements * Itanium: perfmon support for Montecito * much improved support for IBM x460 * AMD PowerNow! patches to support Opteron Rev G * Vmalloc support > 64MB The following device drivers have been upgraded to new versions : ipmi: 33.11 to 33.13 ib_mthca: 0.06 to 0.08 bnx2: 1.4.30 to 1.4.38 bonding: 2.6.1 to 2.6.3 e100: 3.4.8-k2-NAPI to 3.5.10-k2-NAPI e1000: 6.1.16-k3-NAPI to 7.0.33-k2-NAPI sky2: 0.13 to 1.1 tg3: 3.43-rh to 3.52-rh ipw2100: 1.1.0 to git-1.1.4 ipw2200: 1.0.0 to git-1.0.10 3w-9xxx: 2.26.02.001 to 2.26.04.010 ips: 7.10.18 to 7.12.02 iscsi_sfnet: 4:0.1.11-2 to 4:0.1.11-3 lpfc: 0:8.0.16.18 to 0:8.0.16.27 megaraid_sas: 00.00.02.00 to 00.00.02.03-RH1 qla2xxx: 8.01.02-d4 to 8.01.04-d7 qla6312: 8.01.02-d4 to 8.01.04-d7 sata_promise: 1.03 to 1.04 sata_vsc: 1.1 to 1.2 ibmvscsic: 1.5.5 to 1.5.6 ipr: 2.0.11.1 to 2.0.11.2 Added drivers : dcdbas: 5.6.0-2 sata_mv: 0.6 sata_qstor: 0.05 sata_uli: 0.5 skge: 1.1 stex: 2.9.0.13 pdc_adma: 0.03 This update includes fixes for the security issues : * a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate) * a flaw in the ACL handling of nfsd that allowed a remote user to bypass ACLs for readonly mounted NFS file systems (CVE-2005-3623, moderate) * a flaw in the netfilter handling that allowed a local user with CAP_NET_ADMIN rights to cause a buffer overflow (CVE-2006-0038, low) * a flaw in the IBM S/390 and IBM zSeries strnlen_user() function that allowed a local user to cause a denial of service (crash) or to retrieve random kernel data (CVE-2006-0456, important) * a flaw in the keyctl functions that allowed a local user to cause a denial of service (crash) or to read sensitive kernel memory (CVE-2006-0457, important) * a flaw in unaligned accesses handling on Itanium processors that allowed a local user to cause a denial of service (crash) (CVE-2006-0742, important) * a flaw in SELinux ptrace logic that allowed a local user with ptrace permissions to change the tracer SID to a SID of another process (CVE-2006-1052, moderate) * an info leak on AMD-based x86 and x86_64 systems that allowed a local user to retrieve the floating point exception state of a process run by a different user (CVE-2006-1056, important) * a flaw in IPv4 packet output handling that allowed a remote user to bypass the zero IP ID countermeasure on systems with a disabled firewall (CVE-2006-1242, low) * a minor info leak in socket option handling in the network code (CVE-2006-1343, low) * a flaw in the HB-ACK chunk handling of SCTP that allowed a remote user to cause a denial of service (crash) (CVE-2006-1857, moderate) * a flaw in the SCTP implementation that allowed a remote user to cause a denial of service (deadlock) (CVE-2006-2275, moderate) * a flaw in the socket buffer handling that allowed a remote user to cause a denial of service (panic) (CVE-2006-2446, important) * a flaw in the signal handling access checking on PowerPC that allowed a local user to cause a denial of service (crash) or read arbitrary kernel memory on 64-bit systems (CVE-2006-2448, important) * a flaw in the netfilter SCTP module when receiving a chunkless packet that allowed a remote user to cause a denial of service (crash) (CVE-2006-2934, important) There were several bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4.
    last seen2020-06-01
    modified2020-06-02
    plugin id22276
    published2006-08-30
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22276
    titleCentOS 4 : kernel (CESA-2006:0575)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-219.NASL
    descriptionMultiple vulnerabilities in the Linux 2.6 kernel have been discovered and corrected in this update : An integer overflow in vc_resize (CVE-2004-1333). A race condition in the sysfs_read_file and sysfs_write_file functions in 2.6.10 and earlier allows local users to read kernel memory and cause a DoS (crash) via large offsets in sysfs files (CVE-2004-2302). An integer signedness error in scsi_ioctl.c (CVE-2005-0180). Netfilter allows a local user to cause a DoS (memory consumption) via certain packet fragments that are reassembled twice, which causes a data structure to be allocated twice (CVE-2005-0210). A DoS in pkt_ioctl in pktcdvc.c (CVE-2005-1589). An array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c allows local users to cause a DoS (oops or deadlock) and possibly execute arbitrary code (CVE-2005-2456). The zisofs driver in versions prior to 2.6.12.5 allows local users and remove attackers to cause a DoS (crash) via a crafted compressed ISO filesystem (CVE-2005-2457). inflate.c in the zlib routines in versions prior to 2.6.12.5 allow remove attackers to cause a DoS (crash) via a compressed file with
    last seen2020-06-01
    modified2020-06-02
    plugin id20450
    published2006-01-15
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20450
    titleMandrake Linux Security Advisory : kernel (MDKSA-2005:219)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0437.NASL
    descriptionUpdated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 3. This is the eighth regular update. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. This is the eighth regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include : - addition of the adp94xx and dcdbas device drivers - diskdump support on megaraid_sas, qlogic, and swap partitions - support for new hardware via driver and SCSI white-list updates There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include the networking subsystem, the NFS and autofs4 file systems, the SCSI and USB subsystems, and architecture-specific handling affecting AMD Opteron and Intel EM64T processors. The following device drivers have been added or upgraded to new versions : adp94xx -------- 1.0.8 (new) bnx2 ----------- 1.4.38 cciss ---------- 2.4.60.RH1 dcdbas --------- 5.6.0-1 (new) e1000 ---------- 7.0.33-k2 emulex --------- 7.3.6 forcedeth ------ 0.30 ipmi ----------- 35.13 qlogic --------- 7.07.04b6 tg3 ------------ 3.52RH The following security bugs were fixed in this update : - a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate) - a flaw in the exec() handling of multi-threaded tasks using ptrace() that allowed a local user to cause a denial of service (hang of a user process) (CVE-2005-3107, low) - a difference in
    last seen2020-06-01
    modified2020-06-02
    plugin id22086
    published2006-07-21
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22086
    titleRHEL 3 : kernel (RHSA-2006:0437)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-219-1.NASL
    descriptionAl Viro discovered a race condition in the /proc file handler of network devices. A local attacker could exploit this by opening any file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that interface was shut down. Under certain circumstances this could lead to a kernel crash or even arbitrary code execution with full kernel privileges. (CVE-2005-2709) Tetsuo Handa discovered a local Denial of Service vulnerability in the udp_v6_get_port() function. On computers which use IPv6, a local attacker could exploit this to trigger an infinite loop in the kernel. (CVE-2005-2973) Harald Welte discovered a Denial of Service vulnerability in the USB devio driver. A local attacker could exploit this by sending an
    last seen2020-06-01
    modified2020-06-02
    plugin id65105
    published2013-03-09
    reporterUbuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2013-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/65105
    titleUbuntu 4.10 / 5.10 : linux-source-2.6.8.1/-2.6.10/-2.6.12 vulnerabilities (USN-219-1)

Oval

accepted2013-04-29T04:19:38.551-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionLinux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial of service (kernel OOPS) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference.
familyunix
idoval:org.mitre.oval:def:9472
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleLinux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial of service (kernel OOPS) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference.
version26

Redhat

advisories
  • rhsa
    idRHSA-2006:0437
  • rhsa
    idRHSA-2006:0575
  • rhsa
    idRHSA-2006:0579
  • rhsa
    idRHSA-2006:0580
rpms
  • kernel-0:2.4.21-47.EL
  • kernel-BOOT-0:2.4.21-47.EL
  • kernel-debuginfo-0:2.4.21-47.EL
  • kernel-doc-0:2.4.21-47.EL
  • kernel-hugemem-0:2.4.21-47.EL
  • kernel-hugemem-unsupported-0:2.4.21-47.EL
  • kernel-smp-0:2.4.21-47.EL
  • kernel-smp-unsupported-0:2.4.21-47.EL
  • kernel-source-0:2.4.21-47.EL
  • kernel-unsupported-0:2.4.21-47.EL
  • kernel-0:2.6.9-42.EL
  • kernel-debuginfo-0:2.6.9-42.EL
  • kernel-devel-0:2.6.9-42.EL
  • kernel-doc-0:2.6.9-42.EL
  • kernel-hugemem-0:2.6.9-42.EL
  • kernel-hugemem-devel-0:2.6.9-42.EL
  • kernel-largesmp-0:2.6.9-42.EL
  • kernel-largesmp-devel-0:2.6.9-42.EL
  • kernel-smp-0:2.6.9-42.EL
  • kernel-smp-devel-0:2.6.9-42.EL