CVE-2005-4605 - Unspecified vulnerability in Linux Kernel 2.6.14/2.6.14.3/2.6.15

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

linux, nessus, exploit available

Summary

The procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions before 2.6.15 allows attackers to read sensitive kernel memory via unspecified vectors in which a signed value is added to an unsigned value.

Vulnerable Configurations

Part  Description  Count
OS    Linux        7

Exploit-Db

description: Linux Kernel < 2.6.14.6 procfs Kernel Memory Disclosure Exploit. CVE-2005-4605. Local exploit for linux platform
id: EDB-ID:9363
last seen: 2016-02-01
modified: 2009-08-05
published: 2009-08-05
reporter: Jon Oberheide
source: https://www.exploit-db.com/download/9363/
title: Linux Kernel < 2.6.14.6 - procfs Kernel Memory Disclosure Exploit

Nessus

  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2006-0101.NASL
    description: Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below :
      - a flaw in network IGMP processing that allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate)
      - a flaw which allowed a local user to write to firmware on read-only opened /dev/cdrom devices (CVE-2004-1190, moderate)
      - a flaw in gzip/zlib handling internal to the kernel that may allow a local user to cause a denial of service (crash) (CVE-2005-2458, low)
      - a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709, moderate)
      - a flaw in the SCSI procfs interface that allowed a local user to cause a denial of service (crash) (CVE-2005-2800, moderate)
      - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044, important)
      - a race condition when threads share memory mapping that allowed local users to cause a denial of service (deadlock) (CVE-2005-3106, important)
      - a flaw when trying to mount a non-hfsplus filesystem using hfsplus that allowed local users to cause a denial of service (crash) (CVE-2005-3109, moderate)
      - a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276, low)
      - a flaw in mq_open system call that allowed a local user to cause a denial of service (crash) (CVE-2005-3356, important)
      - a flaw in set_mempolicy that allowed a local user on some 64-bit architectures to cause a denial of service (crash) (CVE-2005-3358, important)
      - a flaw in the auto-reap of child processes that allowed a local user to cause a denial of service (crash) (CVE-2005-3784, important)
      - a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806, important)
      - a flaw in network ICMP processing that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3848, important)
      - a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857, moderate)
      - a flaw in network IPv6 xfrm handling that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3858, important)
      - a flaw in procfs handling that allowed a local user to read kernel memory (CVE-2005-4605, important)
    All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21977
    published: 2006-07-05
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21977
    title: CentOS 4 : kernel (CESA-2006:0101)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2006:0101 and 
    # CentOS Errata and Security Advisory 2006:0101 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21977);
      script_version("1.21");
      script_cvs_date("Date: 2019/10/25 13:36:03");
    
      script_cve_id("CVE-2002-2185", "CVE-2004-1190", "CVE-2005-2458", "CVE-2005-2709", "CVE-2005-2800", "CVE-2005-3044", "CVE-2005-3106", "CVE-2005-3109", "CVE-2005-3276", "CVE-2005-3356", "CVE-2005-3358", "CVE-2005-3784", "CVE-2005-3806", "CVE-2005-3848", "CVE-2005-3857", "CVE-2005-3858", "CVE-2005-4605");
      script_xref(name:"RHSA", value:"2006:0101");
    
      script_name(english:"CentOS 4 : kernel (CESA-2006:0101)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kernel packages that fix several security issues in the Red
    Hat Enterprise Linux 4 kernel are now available.
    
    This security advisory has been rated as having important security
    impact by the Red Hat Security Response Team.
    
    The Linux kernel handles the basic functions of the operating system.
    
    These new kernel packages contain fixes for the security issues
    described below :
    
      - a flaw in network IGMP processing that a allowed a
        remote user on the local network to cause a denial of
        service (disabling of multicast reports) if the system
        is running multicast applications (CVE-2002-2185,
        moderate)
    
      - a flaw which allowed a local user to write to firmware
        on read-only opened /dev/cdrom devices (CVE-2004-1190,
        moderate)
    
      - a flaw in gzip/zlib handling internal to the kernel that
        may allow a local user to cause a denial of service
        (crash) (CVE-2005-2458, low)
    
      - a flaw in procfs handling during unloading of modules
        that allowed a local user to cause a denial of service
        or potentially gain privileges (CVE-2005-2709, moderate)
    
      - a flaw in the SCSI procfs interface that allowed a local
        user to cause a denial of service (crash)
        (CVE-2005-2800, moderate)
    
      - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl
        that allowed a local user to cause a denial of service
        (crash) (CVE-2005-3044, important)
    
      - a race condition when threads share memory mapping that
        allowed local users to cause a denial of service
        (deadlock) (CVE-2005-3106, important)
    
      - a flaw when trying to mount a non-hfsplus filesystem
        using hfsplus that allowed local users to cause a denial
        of service (crash) (CVE-2005-3109, moderate)
    
      - a minor info leak with the get_thread_area() syscall
        that allowed a local user to view uninitialized kernel
        stack data (CVE-2005-3276, low)
    
      - a flaw in mq_open system call that allowed a local user
        to cause a denial of service (crash) (CVE-2005-3356,
        important)
    
      - a flaw in set_mempolicy that allowed a local user on
        some 64-bit architectures to cause a denial of service
        (crash) (CVE-2005-3358, important)
    
      - a flaw in the auto-reap of child processes that allowed
        a local user to cause a denial of service (crash)
        (CVE-2005-3784, important)
    
      - a flaw in the IPv6 flowlabel code that allowed a local
        user to cause a denial of service (crash)
        (CVE-2005-3806, important)
    
      - a flaw in network ICMP processing that allowed a local
        user to cause a denial of service (memory exhaustion)
        (CVE-2005-3848, important)
    
      - a flaw in file lease time-out handling that allowed a
        local user to cause a denial of service (log file
        overflow) (CVE-2005-3857, moderate)
    
      - a flaw in network IPv6 xfrm handling that allowed a
        local user to cause a denial of service (memory
        exhaustion) (CVE-2005-3858, important)
    
      - a flaw in procfs handling that allowed a local user to
        read kernel memory (CVE-2005-4605, important)
    
    All Red Hat Enterprise Linux 4 users are advised to upgrade their
    kernels to the packages associated with their machine architectures
    and configurations as listed in this erratum."
      );
      # https://lists.centos.org/pipermail/centos-announce/2006-January/012580.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4839b252"
      );
      # https://lists.centos.org/pipermail/centos-announce/2006-January/012581.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d8112949"
      );
      # https://lists.centos.org/pipermail/centos-announce/2006-January/012582.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?ec839998"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-hugemem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-hugemem-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-smp-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/01/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/05");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-4", reference:"kernel-2.6.9-22.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"kernel-devel-2.6.9-22.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-doc-2.6.9-22.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-doc-2.6.9-22.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-hugemem-2.6.9-22.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-hugemem-devel-2.6.9-22.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-smp-2.6.9-22.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-smp-2.6.9-22.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-smp-devel-2.6.9-22.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-smp-devel-2.6.9-22.0.2.EL")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-devel / kernel-doc / kernel-hugemem / etc");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2006-013.NASL
    description: This update fixes several low-priority security problems that were discovered during the development of 2.6.15, and backported. Notably, CVE-2005-4605. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20403
    published: 2006-01-15
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20403
    title: Fedora Core 4 : kernel-2.6.14-1.1656_FC4 (2006-013)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2006-013.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20403);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:24");
    
      script_xref(name:"FEDORA", value:"2006-013");
    
      script_name(english:"Fedora Core 4 : kernel-2.6.14-1.1656_FC4 (2006-013)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update fixes several low-priority security problems that were
    discovered during the development of 2.6.15, and backported.
    
    Notably, CVE-2005-4605.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/announce/2006-January/001719.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?dc6d102a"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_attribute(attribute:"risk_factor", value:"High");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-smp-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:4");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/01/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 4.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC4", reference:"kernel-2.6.14-1.1656_FC4")) flag++;
    if (rpm_check(release:"FC4", reference:"kernel-debuginfo-2.6.14-1.1656_FC4")) flag++;
    if (rpm_check(release:"FC4", reference:"kernel-devel-2.6.14-1.1656_FC4")) flag++;
    if (rpm_check(release:"FC4", reference:"kernel-doc-2.6.14-1.1656_FC4")) flag++;
    if (rpm_check(release:"FC4", reference:"kernel-smp-2.6.14-1.1656_FC4")) flag++;
    if (rpm_check(release:"FC4", reference:"kernel-smp-devel-2.6.14-1.1656_FC4")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-debuginfo / kernel-devel / kernel-doc / kernel-smp / etc");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-244-1.NASL
    description: Doug Chapman discovered a flaw in the reference counting in the sys_mq_open() function. By calling this function in a special way, a local attacker could exploit this to cause a kernel crash. (CVE-2005-3356) Karl Janmar discovered that the /proc file system module used signed data types in a wrong way. A local attacker could exploit this to read random kernel memory, which could possibly contain sensitive data like passwords or private keys. (CVE-2005-4605) Yi Yang discovered an off-by-one buffer overflow in the sysctl() system call. By calling sysctl with a specially crafted long string, a local attacker could exploit this to crash the kernel or possibly even execute arbitrary code with full kernel privileges. (CVE-2005-4618) Perceval Anichini found a buffer overflow in the TwinHan DST Frontend/Card DVB driver. A local user could exploit this to crash the kernel or possibly execute arbitrary code with full kernel privileges. This only affects Ubuntu 5.10. (CVE-2005-4639) Stefan Rompf discovered that the dm-crypt module did not clear memory structures before releasing the memory allocation of it. This could lead to the disclosure of encryption keys. (CVE-2006-0095) The SDLA WAN driver did not restrict firmware upgrades to processes that have the CAP_SYS_RAWIO kernel capability, it just required the CAP_NET_ADMIN privilege. This could allow processes with the latter privilege to update the SDLA firmware. Please note that this does not affect a standard Ubuntu installation, and this cannot be exploited by a normal (unprivileged) user. At most, this flaw might be relevant for installations that use a fine-grained capability granting system like RSBAC, cap_over, or grsecurity. This only affects Ubuntu 4.10. (CVE-2006-0096). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20791
    published: 2006-01-21
    reporter: Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20791
    title: Ubuntu 4.10 / 5.04 / 5.10 : linux-source-2.6.8.1/-2.6.10/-2.6.12 vulnerabilities (USN-244-1)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1017.NASL
    description: Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :
      - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector.
      - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack.
      - CVE-2005-0449 An error in the skb_checksum_help() function from the netfilter framework has been discovered that allows the bypass of packet filter rules or a denial of service attack.
      - CVE-2005-2457 Tim Yamin discovered that insufficient input validation in the zisofs driver for compressed ISO file systems allows a denial of service attack through maliciously crafted ISO images.
      - CVE-2005-2490 A buffer overflow in the sendmsg() function allows local users to execute arbitrary code.
      - CVE-2005-2555 Herbert Xu discovered that the setsockopt() function was not restricted to users/processes with the CAP_NET_ADMIN capability. This allows attackers to manipulate IPSEC policies or initiate a denial of service attack.
      - CVE-2005-2709 Al Viro discovered a race condition in the /proc handling of network devices. A (local) attacker could exploit the stale reference after interface shutdown to cause a denial of service or possibly execute code in kernel mode.
      - CVE-2005-2800 Jan Blunck discovered that repeated failed reads of /proc/scsi/sg/devices leak memory, which allows a denial of service attack.
      - CVE-2005-2973 Tetsuo Handa discovered that the udp_v6_get_port() function from the IPv6 code can be forced into an endless loop, which allows a denial of service attack.
      - CVE-2005-3044 Vasiliy Averin discovered that the reference counters from sockfd_put() and fput() can be forced into overlapping, which allows a denial of service attack through a NULL pointer dereference.
      - CVE-2005-3053 Eric Dumazet discovered that the set_mempolicy() system call accepts a negative value for its first argument, which triggers a BUG() assert. This allows a denial of service attack.
      - CVE-2005-3055 Harald Welte discovered that if a process issues a USB Request Block (URB) to a device and terminates before the URB completes, a stale pointer would be dereferenced. This could be used to trigger a denial of service attack.
      - CVE-2005-3180 Pavel Roskin discovered that the driver for Orinoco wireless cards clears its buffers insufficiently. This could leak sensitive information into user space.
      - CVE-2005-3181 Robert Derr discovered that the audit subsystem uses an incorrect function to free memory, which allows a denial of service attack.
      - CVE-2005-3257 Rudolf Polzer discovered that the kernel improperly restricts access to the KDSKBSENT ioctl, which can possibly lead to privilege escalation.
      - CVE-2005-3356 Doug Chapman discovered that the mq_open syscall can be tricked into decrementing an internal counter twice, which allows a denial of service attack through a kernel panic.
      - CVE-2005-3358 Doug Chapman discovered that passing a zero bitmask to the set_mempolicy() system call leads to a kernel panic, which allows a denial of service attack.
      - CVE-2005-3783 The ptrace code using CLONE_THREAD didn
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22559
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22559
    title: Debian DSA-1017-1 : kernel-source-2.6.8 - several vulnerabilities
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2006-0101.NASL
    description: Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below :
      - a flaw in network IGMP processing that allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate)
      - a flaw which allowed a local user to write to firmware on read-only opened /dev/cdrom devices (CVE-2004-1190, moderate)
      - a flaw in gzip/zlib handling internal to the kernel that may allow a local user to cause a denial of service (crash) (CVE-2005-2458, low)
      - a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709, moderate)
      - a flaw in the SCSI procfs interface that allowed a local user to cause a denial of service (crash) (CVE-2005-2800, moderate)
      - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044, important)
      - a race condition when threads share memory mapping that allowed local users to cause a denial of service (deadlock) (CVE-2005-3106, important)
      - a flaw when trying to mount a non-hfsplus filesystem using hfsplus that allowed local users to cause a denial of service (crash) (CVE-2005-3109, moderate)
      - a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276, low)
      - a flaw in mq_open system call that allowed a local user to cause a denial of service (crash) (CVE-2005-3356, important)
      - a flaw in set_mempolicy that allowed a local user on some 64-bit architectures to cause a denial of service (crash) (CVE-2005-3358, important)
      - a flaw in the auto-reap of child processes that allowed a local user to cause a denial of service (crash) (CVE-2005-3784, important)
      - a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806, important)
      - a flaw in network ICMP processing that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3848, important)
      - a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857, moderate)
      - a flaw in network IPv6 xfrm handling that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3858, important)
      - a flaw in procfs handling that allowed a local user to read kernel memory (CVE-2005-4605, important)
    All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20732
    published: 2006-01-17
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/20732
    title: RHEL 4 : kernel (RHSA-2006:0101)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2006_006.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2006:006 (kernel). The Linux kernel on SUSE Linux 10.0 has been updated to fix the following security problems:
      - CVE-2006-0454: An extra dst release when ip_options_echo failed was fixed. This problem could be triggered by remote attackers and can potentially crash the machine. This is possible even with SuSEfirewall2 enabled. This affects only SUSE Linux 10.0, all other SUSE distributions are not affected.
      - CVE-2005-3356: A double decrement in mq_open system call could lead to local users crashing the machine.
      - CVE-2005-3358: A 0 argument passed to the set_mempolicy() system call could lead to a local user crashing the machine.
      - CVE-2005-4605: Kernel memory could be leaked to user space through a problem with seek() in /proc files.
      - CVE-2005-3623: Remote users could set ACLs even on read-only exported NFS Filesystems and so circumvent access control.
      - CVE-2005-3808: A 32 bit integer overflow on 64bit mmap calls could be used by local users to hang the machine.
      - CVE-2005-4635: Add sanity checks for headers and payload of netlink messages, which could be used by local attackers to crash the machine.
    Also various non-security bugs were fixed:
      - Fix up patch for cpufreq drivers that do not initialize current freq.
      - Handle BIOS cpufreq changes gracefully.
      - Updates to inotify handling.
      - Various XEN Updates.
      - Catches processor declarations with same ACPI id (P4HT)
      - PowerPC: g5 thermal overtemp bug on fluid cooled systems.
      - Fixed buffered ACPI events on a lot ASUS and some other machines.
      - Fix fs/exec.c:788 (de_thread()) BUG_ON (OSDL 5170).
    last seen: 2019-10-28
    modified: 2006-02-10
    plugin id: 20879
    published: 2006-02-10
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20879
    title: SUSE-SA:2006:006: kernel
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-040.NASL
    description: A number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel : The udp_v6_get_port function in udp.c, when running IPv6, allows local users to cause a Denial of Service (infinite loop and crash) (CVE-2005-2973). The mq_open system call in certain situations can decrement a counter twice as a result of multiple calls to the mntput function when the dentry_open function call fails, allowing a local user to cause a DoS (panic) via unspecified attack vectors (CVE-2005-3356). The procfs code allows attackers to read sensitive kernel memory via unspecified vectors in which a signed value is added to an unsigned value (CVE-2005-4605). A buffer overflow in sysctl allows local users to cause a DoS and possibly execute arbitrary code via a long string, which causes sysctl to write a zero byte outside the buffer (CVE-2005-4618). A buffer overflow in the CA-driver for TwinHan DST Frontend/Card allows local users to cause a DoS (crash) and possibly execute arbitrary code by reading more than eight bytes into an eight byte long array (CVE-2005-4639). dm-crypt does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key (CVE-2006-0095). Remote attackers can cause a DoS via unknown attack vectors related to an
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20939
    published: 2006-02-19
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20939
    title: Mandrake Linux Security Advisory : kernel (MDKSA-2006:040)

Oval

accepted2013-04-29T04:15:35.438-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionThe procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions before 2.6.15 allows attackers to read sensitive kernel memory via unspecified vectors in which a signed value is added to an unsigned value.
familyunix
idoval:org.mitre.oval:def:11747
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleThe procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions before 2.6.15 allows attackers to read sensitive kernel memory via unspecified vectors in which a signed value is added to an unsigned value.
version26
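The advisory texts above describe the bug only as "a signed value is added to an unsigned value" (OVAL, Mandriva) reachable through seek() on /proc files (SUSE). The following is an added illustration of that bug class, written for this page; it is not the kernel's source and does not reproduce the exact 2.6.14 code path. It models, in user space, the shape of the old read_proc helper contract (the handler formats into a page, sets *start, returns a length) and the narrowing of a 64-bit signed file position into a 32-bit signed offset, so that a large positive lseek() position becomes a negative offset that is then added to the page pointer. The names vuln_calc, safe_calc, model_read, leaked_prefix and the "MemTotal" page content are all constructed for the example.

```c
/* Added example: a user-space model of the signed-offset-added-to-buffer
 * bug class behind CVE-2005-4605, with a hardened variant beside it.
 * Not kernel code; all names and data here are constructed. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define PAGE_LEN 64

/* One backing array so the layout is deterministic: 16 bytes of constructed
 * "adjacent kernel memory" immediately precede the handler's output page. */
static char backing[16 + PAGE_LEN];
#define SECRET (backing)        /* bytes that live just before the page */
#define PAGE   (backing + 16)   /* the page the handler writes into */

/* Shape of the old read_proc helper: given the page, a signed offset, the
 * caller's count and the formatted length, set *start and return how many
 * bytes may be copied from *start. */
typedef int (*calc_fn)(char *pg, char **start, int32_t off, int count, int len);

/* Vulnerable shape: the signed offset is added to the page pointer and
 * subtracted from len with no lower-bound check. With off < 0, *start points
 * before the page and len grows, so the caller copies memory that precedes
 * the buffer. (Illustrative; mirrors the arithmetic pattern, not the file.) */
static int vuln_calc(char *pg, char **start, int32_t off, int count, int len)
{
    *start = pg + off;           /* negative off -> pointer before the page */
    len -= off;                  /* negative off -> len gets larger */
    if (len > count) len = count;
    if (len < 0) len = 0;
    return len;
}

/* Hardened shape: validate the offset against [0, len] before any pointer
 * arithmetic; out-of-range offsets yield an empty read. */
static int safe_calc(char *pg, char **start, int32_t off, int count, int len)
{
    if (off < 0 || off > len) { *start = pg; return 0; }
    *start = pg + off;
    len -= off;
    if (len > count) len = count;
    return len;
}

/* Models the read path driving a handler: fill the page with constructed
 * /proc-style text, narrow the 64-bit position to a 32-bit signed offset
 * (as a 32-bit off_t would), let the handler choose *start, copy `n` bytes
 * to the caller's buffer. Returns the number of bytes copied. */
static int model_read(calc_fn calc, long long pos, char *user, int count)
{
    memcpy(SECRET, "SECRET-KEY-BYTES", 16);
    int len = snprintf(PAGE, PAGE_LEN, "MemTotal: 1024 kB\n"); /* 18 bytes */
    char *start;
    int32_t off = (int32_t)pos;   /* e.g. 0xFFFFFFF0 (a valid, positive
                                     lseek position) wraps to -16 here */
    int n = calc(PAGE, &start, off, count, len);
    memcpy(user, start, (size_t)n);
    return n;
}

/* Returns 1 if a read at `pos` handed back bytes from before the page. */
static int leaked_prefix(calc_fn calc, long long pos, int count)
{
    char user[PAGE_LEN + 16];
    int n = model_read(calc, pos, user, count);
    return n >= 6 && memcmp(user, "SECRET", 6) == 0;
}

int main(void)
{
    /* A position just below 4 GiB is positive for the 64-bit seek but
     * negative once narrowed to 32 bits. */
    long long pos = 0xFFFFFFF0LL;
    printf("vulnerable shape leaks pre-page bytes: %d\n", leaked_prefix(vuln_calc, pos, 16));
    printf("hardened shape leaks pre-page bytes:   %d\n", leaked_prefix(safe_calc, pos, 16));
    return 0;
}
```

The point the check makes is that clamping len to count and to zero is not enough: the lower bound of the offset has to be enforced before it touches the pointer, and the narrowing from the 64-bit file position to the handler's offset type is what lets an apparently positive seek position arrive negative.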

Redhat

advisories
bugzilla
id176812
titleCVE-2005-4605 Kernel memory disclosure
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 4 is installed
      ovaloval:com.redhat.rhba:tst:20070304025
    • OR
      • commentkernel earlier than 0:2.6.9-22.0.2.EL is currently running
        ovaloval:com.redhat.rhsa:tst:20060101015
      • commentkernel earlier than 0:2.6.9-22.0.2.EL is set to boot up on next boot
        ovaloval:com.redhat.rhsa:tst:20060101016
    • OR
      • AND
        • commentkernel-doc is earlier than 0:2.6.9-22.0.2.EL
          ovaloval:com.redhat.rhsa:tst:20060101001
        • commentkernel-doc is signed with Red Hat master key
          ovaloval:com.redhat.rhba:tst:20070304002
      • AND
        • commentkernel-devel is earlier than 0:2.6.9-22.0.2.EL
          ovaloval:com.redhat.rhsa:tst:20060101003
        • commentkernel-devel is signed with Red Hat master key
          ovaloval:com.redhat.rhba:tst:20070304016
      • AND
        • commentkernel is earlier than 0:2.6.9-22.0.2.EL
          ovaloval:com.redhat.rhsa:tst:20060101005
        • commentkernel is signed with Red Hat master key
          ovaloval:com.redhat.rhba:tst:20070304018
      • AND
        • commentkernel-smp-devel is earlier than 0:2.6.9-22.0.2.EL
          ovaloval:com.redhat.rhsa:tst:20060101007
        • commentkernel-smp-devel is signed with Red Hat master key
          ovaloval:com.redhat.rhba:tst:20070304012
      • AND
        • commentkernel-smp is earlier than 0:2.6.9-22.0.2.EL
          ovaloval:com.redhat.rhsa:tst:20060101009
        • commentkernel-smp is signed with Red Hat master key
          ovaloval:com.redhat.rhba:tst:20070304004
      • AND
        • commentkernel-hugemem-devel is earlier than 0:2.6.9-22.0.2.EL
          ovaloval:com.redhat.rhsa:tst:20060101011
        • commentkernel-hugemem-devel is signed with Red Hat master key
          ovaloval:com.redhat.rhba:tst:20070304022
      • AND
        • commentkernel-hugemem is earlier than 0:2.6.9-22.0.2.EL
          ovaloval:com.redhat.rhsa:tst:20060101013
        • commentkernel-hugemem is signed with Red Hat master key
          ovaloval:com.redhat.rhba:tst:20070304020
rhsa
idRHSA-2006:0101
released2006-01-17
severityImportant
titleRHSA-2006:0101: kernel security update (Important)
rpms
  • kernel-0:2.6.9-22.0.2.EL
  • kernel-debuginfo-0:2.6.9-22.0.2.EL
  • kernel-devel-0:2.6.9-22.0.2.EL
  • kernel-doc-0:2.6.9-22.0.2.EL
  • kernel-hugemem-0:2.6.9-22.0.2.EL
  • kernel-hugemem-devel-0:2.6.9-22.0.2.EL
  • kernel-smp-0:2.6.9-22.0.2.EL
  • kernel-smp-devel-0:2.6.9-22.0.2.EL

Seebug

  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:11992
    last seen2017-11-19
    modified2009-08-06
    published2009-08-06
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-11992
    titleLinux Kernel < 2.6.14.6 procfs Kernel Memory Disclosure Exploit
  • bulletinFamilyexploit
    idSSV:66781
    last seen2018-07-03
    modified2014-07-01
    published2014-07-01
    reporterKnownsec
    sourcehttps://www.seebug.org/vuldb/ssvid-66781
    titleLinux Kernel < 2.6.14.6 procfs Kernel Memory Disclosure Exploit