Vulnerabilities > CVE-2006-0741 - Denial of Service vulnerability in Linux Kernel ELF File Entry Point

047910
CVSS 1.2 - LOW
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
local
high complexity
linux
nessus

Summary

Linux kernel before 2.6.15.5, when running on Intel processors, allows local users to cause a denial of service ("endless recursive fault") via unknown attack vectors related to a "bad elf entry address."

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2006-131.NASL
    descriptionThis update rebases to the latest -stable release (2.6.15.5), which fixes a number of security problems. - sys_mbind failed to sanity check its arguments, leading to a potential local DoS. - A specially crafted ELF executable could cause Intel EM64T boxes to crash. (CVE-2006-0741) - Normal users could panic NFS clients with direct I/O (CVE-2006-0555) Further information on 2.6.15.5 changes can be found in the upstream changelog at http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.5 Further Fedora specific changes are detailed below. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id20997
    published2006-03-06
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20997
    titleFedora Core 4 : kernel-2.6.15-1.1833_FC4 (2006-131)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2006-131.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20997);
      script_version ("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:24");
    
      script_cve_id("CVE-2006-0555", "CVE-2006-0741");
      script_xref(name:"FEDORA", value:"2006-131");
    
      script_name(english:"Fedora Core 4 : kernel-2.6.15-1.1833_FC4 (2006-131)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update rebases to the latest -stable release (2.6.15.5), which
    fixes a number of security problems.
    
      - sys_mbind failed to sanity check its arguments, leading
        to a potential local DoS.
    
      - A specially crafted ELF executable could cause Intel
        EM64T boxes to crash. (CVE-2006-0741)
    
      - Normal users could panic NFS clients with direct I/O
        (CVE-2006-0555)
    
    Further information on 2.6.15.5 changes can be found in the upstream
    changelog at
    http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.5
    
    Further Fedora specific changes are detailed below.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.5"
      );
      # https://lists.fedoraproject.org/pipermail/announce/2006-March/001849.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c0192bc9"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-smp-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:4");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/03/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/03/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 4.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC4", reference:"kernel-2.6.15-1.1833_FC4")) flag++;
    if (rpm_check(release:"FC4", reference:"kernel-debuginfo-2.6.15-1.1833_FC4")) flag++;
    if (rpm_check(release:"FC4", reference:"kernel-devel-2.6.15-1.1833_FC4")) flag++;
    if (rpm_check(release:"FC4", reference:"kernel-doc-2.6.15-1.1833_FC4")) flag++;
    if (rpm_check(release:"FC4", reference:"kernel-smp-2.6.15-1.1833_FC4")) flag++;
    if (rpm_check(release:"FC4", reference:"kernel-smp-devel-2.6.15-1.1833_FC4")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
      else security_note(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-debuginfo / kernel-devel / kernel-doc / kernel-smp / etc");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1103.NASL
    descriptionSeveral local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-3359 Franz Filz discovered that some socket calls permit causing inconsistent reference counts on loadable modules, which allows local users to cause a denial of service. - CVE-2006-0038
    last seen2020-06-01
    modified2020-06-02
    plugin id22645
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22645
    titleDebian DSA-1103-1 : kernel-source-2.6.8 - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1103. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22645);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2005-3359", "CVE-2006-0038", "CVE-2006-0039", "CVE-2006-0456", "CVE-2006-0554", "CVE-2006-0555", "CVE-2006-0557", "CVE-2006-0558", "CVE-2006-0741", "CVE-2006-0742", "CVE-2006-0744", "CVE-2006-1056", "CVE-2006-1242", "CVE-2006-1368", "CVE-2006-1523", "CVE-2006-1524", "CVE-2006-1525", "CVE-2006-1857", "CVE-2006-1858", "CVE-2006-1863", "CVE-2006-1864", "CVE-2006-2271", "CVE-2006-2272", "CVE-2006-2274");
      script_xref(name:"DSA", value:"1103");
    
      script_name(english:"Debian DSA-1103-1 : kernel-source-2.6.8 - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several local and remote vulnerabilities have been discovered in the
    Linux kernel that may lead to a denial of service or the execution of
    arbitrary code. The Common Vulnerabilities and Exposures project
    identifies the following problems :
    
      - CVE-2005-3359
        Franz Filz discovered that some socket calls permit
        causing inconsistent reference counts on loadable
        modules, which allows local users to cause a denial of
        service.
    
      - CVE-2006-0038
        'Solar Designer' discovered that arithmetic computations
        in netfilter's do_replace() function can lead to a
        buffer overflow and the execution of arbitrary code.
        However, the operation requires CAP_NET_ADMIN
        privileges, which is only an issue in virtualization
        systems or fine grained access control systems.
    
      - CVE-2006-0039
        'Solar Designer' discovered a race condition in
        netfilter's do_add_counters() function, which allows
        information disclosure of kernel memory by exploiting a
        race condition. Likewise, it requires CAP_NET_ADMIN
        privileges. 
    
      - CVE-2006-0456
        David Howells discovered that the s390 assembly version
        of the strnlen_user() function incorrectly returns some
        string size values.
    
      - CVE-2006-0554
        It was discovered that the ftruncate() function of XFS
        can expose unallocated blocks, which allows information
        disclosure of previously deleted files.
    
      - CVE-2006-0555
        It was discovered that some NFS file operations on
        handles mounted with O_DIRECT can force the kernel into
        a crash.
    
      - CVE-2006-0557
        It was discovered that the code to configure memory
        policies allows tricking the kernel into a crash, thus
        allowing denial of service.
    
      - CVE-2006-0558
        It was discovered by Cliff Wickman that perfmon for the
        IA64 architecture allows users to trigger a BUG()
        assert, which allows denial of service.
    
      - CVE-2006-0741
        Intel EM64T systems were discovered to be susceptible to
        a local DoS due to an endless recursive fault related to
        a bad ELF entry address.
    
      - CVE-2006-0742
        Alan and Gareth discovered that the ia64 platform had an
        incorrectly declared die_if_kernel() function as 'does
        never return' which could be exploited by a local
        attacker resulting in a kernel crash.
    
      - CVE-2006-0744
        The Linux kernel did not properly handle uncanonical
        return addresses on Intel EM64T CPUs, reporting
        exceptions in the SYSRET instead of the next
        instruction, causing the kernel exception handler to run
        on the user stack with the wrong GS. This may result in
        a DoS due to a local user changing the frames.
    
      - CVE-2006-1056
        AMD64 machines (and other 7th and 8th generation
        AuthenticAMD processors) were found to be vulnerable to
        sensitive information leakage, due to how they handle
        saving and restoring the FOP, FIP, and FDP x87 registers
        in FXSAVE/FXRSTOR when an exception is pending. This
        allows a process to determine portions of the state of
        floating point instructions of other processes.
    
      - CVE-2006-1242
        Marco Ivaldi discovered that there was an unintended
        information disclosure allowing remote attackers to
        bypass protections against Idle Scans (nmap -sI) by
        abusing the ID field of IP packets and bypassing the
        zero IP ID in DF packet countermeasure. This was a
        result of the ip_push_pending_frames function improperly
        incremented the IP ID field when sending a RST after
        receiving unsolicited TCP SYN-ACK packets.
    
      - CVE-2006-1368
        Shaun Tancheff discovered a buffer overflow (boundary
        condition error) in the USB Gadget RNDIS implementation
        allowing remote attackers to cause a DoS. While creating
        a reply message, the driver allocated memory for the
        reply data, but not for the reply structure. The kernel
        fails to properly bounds-check user-supplied data before
        copying it to an insufficiently sized memory buffer.
        Attackers could crash the system, or possibly execute
        arbitrary machine code.
    
      - CVE-2006-1523
        Oleg Nesterov reported an unsafe BUG_ON call in signal.c
        which was introduced by RCU signal handling. The BUG_ON
        code is protected by siglock while the code in
        switch_exit_pids() uses tasklist_lock. It may be
        possible for local users to exploit this to initiate a
        denial of service attack (DoS).
    
      - CVE-2006-1524
        Hugh Dickins discovered an issue in the madvise_remove()
        function wherein file and mmap restrictions are not
        followed, allowing local users to bypass IPC permissions
        and replace portions of readonly tmpfs files with
        zeroes.
    
      - CVE-2006-1525
        Alexandra Kossovsky reported a NULL pointer dereference
        condition in ip_route_input() that can be triggered by a
        local user by requesting a route for a multicast IP
        address, resulting in a denial of service (panic).
    
      - CVE-2006-1857
        Vlad Yasevich reported a data validation issue in the
        SCTP subsystem that may allow a remote user to overflow
        a buffer using a badly formatted HB-ACK chunk, resulting
        in a denial of service.
    
      - CVE-2006-1858
        Vlad Yasevich reported a bug in the bounds checking code
        in the SCTP subsystem that may allow a remote attacker
        to trigger a denial of service attack when rounded
        parameter lengths are used to calculate parameter
        lengths instead of the actual values.
    
      - CVE-2006-1863
        Mark Mosely discovered that chroots residing on an CIFS
        share can be escaped with specially crafted 'cd'
        sequences.
    
      - CVE-2006-1864
        Mark Mosely discovered that chroots residing on an SMB
        share can be escaped with specially crafted 'cd'
        sequences.
    
      - CVE-2006-2271
        The 'Mu security team' discovered that carefully crafted
        ECNE chunks can cause a kernel crash by accessing
        incorrect state stable entries in the SCTP networking
        subsystem, which allows denial of service.
    
      - CVE-2006-2272
        The 'Mu security team' discovered that fragmented SCTP
        control chunks can trigger kernel panics, which allows
        for denial of service attacks.
    
      - CVE-2006-2274
        It was discovered that SCTP packets with two initial
        bundled data packets can lead to infinite recursion,
        which allows for denial of service attacks."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-3359"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-0038"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-0039"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-0456"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-0554"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-0555"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-0557"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-0558"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-0741"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-0742"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-0744"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-1056"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-1242"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-1368"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-1523"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-1524"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-1525"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-1857"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-1858"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-1863"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-1864"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-2271"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-2272"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-2274"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1103"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the kernel package immediately and reboot the machine. If you
    have built a custom kernel from the kernel source package, you will
    need to rebuild to take advantage of these fixes.
    
    The following matrix explains which kernel version for which
    architecture fix the problems mentioned above :
    
                                   Debian 3.1 (sarge)           
      Source                       2.6.8-16sarge3               
      Alpha architecture           2.6.8-16sarge3               
      HP Precision architecture    2.6.8-6sarge3                
      Intel IA-32 architecture     2.6.8-16sarge3               
      Intel IA-64 architecture     2.6.8-14sarge3               
      Motorola 680x0 architecture  2.6.8-4sarge3                
      PowerPC architecture         2.6.8-12sarge3               
      IBM S/390 architecture       2.6.8-5sarge3                
      Sun Sparc architecture       2.6.8-15sarge3               
    Due to technical problems the built amd64 packages couldn't be
    processed by the archive script. Once this problem is resolved, an
    updated DSA 1103-2 will be sent out with the checksums for amd64.
    
    The following matrix lists additional packages that were rebuilt for
    compatibility with or to take advantage of this update :
    
                          Debian 3.1 (sarge)  
      fai-kernels         1.9.1sarge2"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(20, 119, 189, 362);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kernel-source-2.6.8");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/06/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/03/08");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"kernel-build-2.6.8-3", reference:"2.6.8-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-build-2.6.8-3-power3", reference:"2.6.8-12sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-build-2.6.8-3-power3-smp", reference:"2.6.8-12sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-build-2.6.8-3-power4", reference:"2.6.8-12sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-build-2.6.8-3-power4-smp", reference:"2.6.8-12sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-build-2.6.8-3-powerpc", reference:"2.6.8-12sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-build-2.6.8-3-powerpc-smp", reference:"2.6.8-12sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-doc-2.6.8", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6-itanium", reference:"2.6.8-14sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6-itanium-smp", reference:"2.6.8-14sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6-mckinley", reference:"2.6.8-14sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6-mckinley-smp", reference:"2.6.8-14sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3", reference:"2.6.8-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-32", reference:"2.6.8-6sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-32-smp", reference:"2.6.8-6sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-386", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-64", reference:"2.6.8-6sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-64-smp", reference:"2.6.8-6sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-686", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-686-smp", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-generic", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-itanium", reference:"2.6.8-14sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-itanium-smp", reference:"2.6.8-14sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-k7", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-k7-smp", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-mckinley", reference:"2.6.8-14sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-mckinley-smp", reference:"2.6.8-14sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-smp", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-sparc32", reference:"2.6.8-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-sparc64", reference:"2.6.8-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-headers-2.6.8-3-sparc64-smp", reference:"2.6.8-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6-itanium", reference:"2.6.8-14sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6-itanium-smp", reference:"2.6.8-14sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6-mckinley", reference:"2.6.8-14sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6-mckinley-smp", reference:"2.6.8-14sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-32", reference:"2.6.8-6sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-32-smp", reference:"2.6.8-6sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-386", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-64", reference:"2.6.8-6sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-64-smp", reference:"2.6.8-6sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-686", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-686-smp", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-generic", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-itanium", reference:"2.6.8-14sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-itanium-smp", reference:"2.6.8-14sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-k7", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-k7-smp", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-mckinley", reference:"2.6.8-14sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-mckinley-smp", reference:"2.6.8-14sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-power3", reference:"2.6.8-12sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-power3-smp", reference:"2.6.8-12sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-power4", reference:"2.6.8-12sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-power4-smp", reference:"2.6.8-12sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-powerpc", reference:"2.6.8-12sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-powerpc-smp", reference:"2.6.8-12sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-s390", reference:"2.6.8-5sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-s390-tape", reference:"2.6.8-5sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-s390x", reference:"2.6.8-5sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-smp", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-sparc32", reference:"2.6.8-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-sparc64", reference:"2.6.8-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-3-sparc64-smp", reference:"2.6.8-15sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-amiga", reference:"2.6.8-4sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-atari", reference:"2.6.8-4sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-bvme6000", reference:"2.6.8-4sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-hp", reference:"2.6.8-4sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-mac", reference:"2.6.8-4sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-mvme147", reference:"2.6.8-4sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-mvme16x", reference:"2.6.8-4sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-q40", reference:"2.6.8-4sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-image-2.6.8-sun3", reference:"2.6.8-4sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-patch-2.6.8-s390", reference:"2.6.8-5sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-patch-debian-2.6.8", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-source-2.6.8", reference:"2.6.8-16sarge3")) flag++;
    if (deb_check(release:"3.1", prefix:"kernel-tree-2.6.8", reference:"2.6.8-16sarge3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0437.NASL
    descriptionUpdated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 3. This is the eighth regular update. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. This is the eighth regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include : - addition of the adp94xx and dcdbas device drivers - diskdump support on megaraid_sas, qlogic, and swap partitions - support for new hardware via driver and SCSI white-list updates There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include the networking subsystem, the NFS and autofs4 file systems, the SCSI and USB subsystems, and architecture-specific handling affecting AMD Opteron and Intel EM64T processors. The following device drivers have been added or upgraded to new versions : adp94xx -------- 1.0.8 (new) bnx2 ----------- 1.4.38 cciss ---------- 2.4.60.RH1 dcdbas --------- 5.6.0-1 (new) e1000 ---------- 7.0.33-k2 emulex --------- 7.3.6 forcedeth ------ 0.30 ipmi ----------- 35.13 qlogic --------- 7.07.04b6 tg3 ------------ 3.52RH The following security bugs were fixed in this update : - a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate) - a flaw in the exec() handling of multi-threaded tasks using ptrace() that allowed a local user to cause a denial of service (hang of a user process) (CVE-2005-3107, low) - a difference in
    last seen2020-06-01
    modified2020-06-02
    plugin id22135
    published2006-08-04
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22135
    titleCentOS 3 : kernel (CESA-2006:0437)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2006:0437 and 
    # CentOS Errata and Security Advisory 2006:0437 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22135);
      script_version("1.19");
      script_cvs_date("Date: 2019/10/25 13:36:03");
    
      script_cve_id("CVE-2005-3055", "CVE-2005-3107", "CVE-2006-0741", "CVE-2006-0742", "CVE-2006-0744", "CVE-2006-1056", "CVE-2006-1242", "CVE-2006-1343", "CVE-2006-2444");
      script_bugtraq_id(17600, 18081);
      script_xref(name:"RHSA", value:"2006:0437");
    
      script_name(english:"CentOS 3 : kernel (CESA-2006:0437)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kernel packages are now available as part of ongoing support
    and maintenance of Red Hat Enterprise Linux version 3. This is the
    eighth regular update.
    
    This security advisory has been rated as having important security
    impact by the Red Hat Security Response Team.
    
    The Linux kernel handles the basic functions of the operating system.
    
    This is the eighth regular kernel update to Red Hat Enterprise Linux
    3.
    
    New features introduced by this update include :
    
      - addition of the adp94xx and dcdbas device drivers -
        diskdump support on megaraid_sas, qlogic, and swap
        partitions - support for new hardware via driver and
        SCSI white-list updates
    
    There were many bug fixes in various parts of the kernel. The ongoing
    effort to resolve these problems has resulted in a marked improvement
    in the reliability and scalability of Red Hat Enterprise Linux 3.
    
    There were numerous driver updates and security fixes (elaborated
    below). Other key areas affected by fixes in this update include the
    networking subsystem, the NFS and autofs4 file systems, the SCSI and
    USB subsystems, and architecture-specific handling affecting AMD
    Opteron and Intel EM64T processors.
    
    The following device drivers have been added or upgraded to new
    versions :
    
    adp94xx -------- 1.0.8 (new) bnx2 ----------- 1.4.38 cciss ----------
    2.4.60.RH1 dcdbas --------- 5.6.0-1 (new) e1000 ---------- 7.0.33-k2
    emulex --------- 7.3.6 forcedeth ------ 0.30 ipmi ----------- 35.13
    qlogic --------- 7.07.04b6 tg3 ------------ 3.52RH
    
    The following security bugs were fixed in this update :
    
      - a flaw in the USB devio handling of device removal that
        allowed a local user to cause a denial of service
        (crash) (CVE-2005-3055, moderate)
    
      - a flaw in the exec() handling of multi-threaded tasks
        using ptrace() that allowed a local user to cause a
        denial of service (hang of a user process)
        (CVE-2005-3107, low)
    
      - a difference in 'sysretq' operation of EM64T (as opposed
        to Opteron) processors that allowed a local user to
        cause a denial of service (crash) upon return from
        certain system calls (CVE-2006-0741 and CVE-2006-0744,
        important)
    
      - a flaw in unaligned accesses handling on Intel Itanium
        processors that allowed a local user to cause a denial
        of service (crash) (CVE-2006-0742, important)
    
      - an info leak on AMD-based x86 and x86_64 systems that
        allowed a local user to retrieve the floating point
        exception state of a process run by a different user
        (CVE-2006-1056, important)
    
      - a flaw in IPv4 packet output handling that allowed a
        remote user to bypass the zero IP ID countermeasure on
        systems with a disabled firewall (CVE-2006-1242, low)
    
      - a minor info leak in socket option handling in the
        network code (CVE-2006-1343, low)
    
      - a flaw in IPv4 netfilter handling for the unlikely use
        of SNMP NAT processing that allowed a remote user to
        cause a denial of service (crash) or potential memory
        corruption (CVE-2006-2444, moderate)
    
    Note: The kernel-unsupported package contains various drivers and
    modules that are unsupported and therefore might contain security
    problems that have not been addressed.
    
    All Red Hat Enterprise Linux 3 users are advised to upgrade their
    kernels to the packages associated with their machine architectures
    and configurations as listed in this erratum."
      );
      # https://lists.centos.org/pipermail/centos-announce/2006-August/013097.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7f940410"
      );
      # https://lists.centos.org/pipermail/centos-announce/2006-August/013098.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b07bc7df"
      );
      # https://lists.centos.org/pipermail/centos-announce/2006-July/013053.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3720e2d6"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-BOOT");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-hugemem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-hugemem-unsupported");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-smp-unsupported");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-unsupported");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/08/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/08/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-3", reference:"kernel-2.4.21-47.EL")) flag++;
    if (rpm_check(release:"CentOS-3", cpu:"i386", reference:"kernel-BOOT-2.4.21-47.EL")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"kernel-doc-2.4.21-47.EL")) flag++;
    if (rpm_check(release:"CentOS-3", cpu:"i386", reference:"kernel-hugemem-2.4.21-47.EL")) flag++;
    if (rpm_check(release:"CentOS-3", cpu:"i386", reference:"kernel-hugemem-unsupported-2.4.21-47.EL")) flag++;
    if (rpm_check(release:"CentOS-3", cpu:"i386", reference:"kernel-smp-2.4.21-47.EL")) flag++;
    if (rpm_check(release:"CentOS-3", cpu:"x86_64", reference:"kernel-smp-2.4.21-47.EL")) flag++;
    if (rpm_check(release:"CentOS-3", cpu:"i386", reference:"kernel-smp-unsupported-2.4.21-47.EL")) flag++;
    if (rpm_check(release:"CentOS-3", cpu:"x86_64", reference:"kernel-smp-unsupported-2.4.21-47.EL")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"kernel-source-2.4.21-47.EL")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"kernel-unsupported-2.4.21-47.EL")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-BOOT / kernel-doc / kernel-hugemem / etc");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0493.NASL
    descriptionUpdated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : * a flaw in the IPv6 implementation that allowed a local user to cause a denial of service (infinite loop and crash) (CVE-2005-2973, important) * a flaw in the bridge implementation that allowed a remote user to cause forwarding of spoofed packets via poisoning of the forwarding table with already dropped frames (CVE-2005-3272, moderate) * a flaw in the atm module that allowed a local user to cause a denial of service (panic) via certain socket calls (CVE-2005-3359, important) * a flaw in the NFS client implementation that allowed a local user to cause a denial of service (panic) via O_DIRECT writes (CVE-2006-0555, important) * a difference in
    last seen2020-06-01
    modified2020-06-02
    plugin id21592
    published2006-05-24
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21592
    titleRHEL 4 : kernel (RHSA-2006:0493)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2006:0493. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21592);
      script_version ("1.25");
      script_cvs_date("Date: 2019/10/25 13:36:11");
    
      script_cve_id("CVE-2005-2973", "CVE-2005-3272", "CVE-2005-3359", "CVE-2006-0555", "CVE-2006-0741", "CVE-2006-0744", "CVE-2006-1522", "CVE-2006-1525", "CVE-2006-1527", "CVE-2006-1528", "CVE-2006-1855", "CVE-2006-1856", "CVE-2006-1862", "CVE-2006-1864", "CVE-2006-2271", "CVE-2006-2272", "CVE-2006-2274");
      script_xref(name:"RHSA", value:"2006:0493");
    
      script_name(english:"RHEL 4 : kernel (RHSA-2006:0493)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kernel packages that fix several security issues in the Red
    Hat Enterprise Linux 4 kernel are now available.
    
    This security advisory has been rated as having important security
    impact by the Red Hat Security Response Team.
    
    The Linux kernel handles the basic functions of the operating system.
    
    These new kernel packages contain fixes for the security issues
    described below :
    
    * a flaw in the IPv6 implementation that allowed a local user to cause
    a denial of service (infinite loop and crash) (CVE-2005-2973,
    important)
    
    * a flaw in the bridge implementation that allowed a remote user to
    cause forwarding of spoofed packets via poisoning of the forwarding
    table with already dropped frames (CVE-2005-3272, moderate)
    
    * a flaw in the atm module that allowed a local user to cause a denial
    of service (panic) via certain socket calls (CVE-2005-3359, important)
    
    * a flaw in the NFS client implementation that allowed a local user to
    cause a denial of service (panic) via O_DIRECT writes (CVE-2006-0555,
    important)
    
    * a difference in 'sysretq' operation of EM64T (as opposed to Opteron)
    processors that allowed a local user to cause a denial of service
    (crash) upon return from certain system calls (CVE-2006-0741 and
    CVE-2006-0744, important)
    
    * a flaw in the keyring implementation that allowed a local user to
    cause a denial of service (OOPS) (CVE-2006-1522, important)
    
    * a flaw in IP routing implementation that allowed a local user to
    cause a denial of service (panic) via a request for a route for a
    multicast IP (CVE-2006-1525, important)
    
    * a flaw in the SCTP-netfilter implementation that allowed a remote
    user to cause a denial of service (infinite loop) (CVE-2006-1527,
    important)
    
    * a flaw in the sg driver that allowed a local user to cause a denial
    of service (crash) via a dio transfer to memory mapped (mmap) IO space
    (CVE-2006-1528, important)
    
    * a flaw in the threading implementation that allowed a local user to
    cause a denial of service (panic) (CVE-2006-1855, important)
    
    * two missing LSM hooks that allowed a local user to bypass the LSM by
    using readv() or writev() (CVE-2006-1856, moderate)
    
    * a flaw in the virtual memory implementation that allowed local user
    to cause a denial of service (panic) by using the lsof command
    (CVE-2006-1862, important)
    
    * a directory traversal vulnerability in smbfs that allowed a local
    user to escape chroot restrictions for an SMB-mounted filesystem via
    '..\\' sequences (CVE-2006-1864, moderate)
    
    * a flaw in the ECNE chunk handling of SCTP that allowed a remote user
    to cause a denial of service (panic) (CVE-2006-2271, moderate)
    
    * a flaw in the handling of COOKIE_ECHO and HEARTBEAT control chunks
    of SCTP that allowed a remote user to cause a denial of service
    (panic) (CVE-2006-2272, moderate)
    
    * a flaw in the handling of DATA fragments of SCTP that allowed a
    remote user to cause a denial of service (infinite recursion and
    crash) (CVE-2006-2274, moderate)
    
    All Red Hat Enterprise Linux 4 users are advised to upgrade their
    kernels to the packages associated with their machine architectures
    and configurations as listed in this erratum."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-2973"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-3272"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-3359"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-0555"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-0741"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-0744"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-1522"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-1525"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-1527"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-1528"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-1855"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-1856"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-1862"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-1864"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-2271"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-2272"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-2274"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2006:0493"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_cwe_id(20);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-largesmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-largesmp-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/05/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2005-2973", "CVE-2005-3272", "CVE-2005-3359", "CVE-2006-0555", "CVE-2006-0741", "CVE-2006-0744", "CVE-2006-1522", "CVE-2006-1525", "CVE-2006-1527", "CVE-2006-1528", "CVE-2006-1855", "CVE-2006-1856", "CVE-2006-1862", "CVE-2006-1864", "CVE-2006-2271", "CVE-2006-2272", "CVE-2006-2274");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2006:0493");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2006:0493";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL4", reference:"kernel-2.6.9-34.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL4", reference:"kernel-devel-2.6.9-34.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL4", reference:"kernel-doc-2.6.9-34.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL4", cpu:"i686", reference:"kernel-hugemem-2.6.9-34.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL4", cpu:"i686", reference:"kernel-hugemem-devel-2.6.9-34.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"kernel-largesmp-2.6.9-34.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"kernel-largesmp-devel-2.6.9-34.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL4", cpu:"i686", reference:"kernel-smp-2.6.9-34.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"kernel-smp-2.6.9-34.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL4", cpu:"i686", reference:"kernel-smp-devel-2.6.9-34.0.1.EL")) flag++;
      if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"kernel-smp-devel-2.6.9-34.0.1.EL")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-devel / kernel-doc / kernel-hugemem / etc");
      }
    }
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-059.NASL
    descriptionA number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel : sysctl.c in the Linux kernel prior to 2.6.14.1 allows local users to cause a Denial of Service (kernel oops) and possibly execute code by opening an interface file in /proc/sys/net/ipv4/conf/, waiting until the interface is unregistered, then obtaining and modifying function pointers in memory that was used for the ctl_table (CVE-2005-2709). Multiple vulnerabilities in versions prior to 2.6.13.2 allow local users to cause a DoS (oops from null dereference) via fput in a 32bit ioctl on 64-bit x86 systems or sockfd_put in the 32-bit routing_ioctl function on 64-bit systems (CVE-2005-3044). Note that this was previously partially corrected in MDKSA-2005:235. Prior to 2.6.14, the kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id21133
    published2006-03-23
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21133
    titleMandrake Linux Security Advisory : kernel (MDKSA-2006:059)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0493.NASL
    descriptionUpdated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : * a flaw in the IPv6 implementation that allowed a local user to cause a denial of service (infinite loop and crash) (CVE-2005-2973, important) * a flaw in the bridge implementation that allowed a remote user to cause forwarding of spoofed packets via poisoning of the forwarding table with already dropped frames (CVE-2005-3272, moderate) * a flaw in the atm module that allowed a local user to cause a denial of service (panic) via certain socket calls (CVE-2005-3359, important) * a flaw in the NFS client implementation that allowed a local user to cause a denial of service (panic) via O_DIRECT writes (CVE-2006-0555, important) * a difference in
    last seen2020-06-01
    modified2020-06-02
    plugin id21997
    published2006-07-05
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21997
    titleCentOS 4 : kernel (CESA-2006:0493)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1097.NASL
    descriptionSeveral local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-0038
    last seen2020-06-01
    modified2020-06-02
    plugin id22639
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22639
    titleDebian DSA-1097-1 : kernel-source-2.4.27 - several vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-263-1.NASL
    descriptionA flaw was found in the module reference counting for loadable protocol modules of netfilter. By performing particular socket operations, a local attacker could exploit this to crash the kernel. This flaw only affects Ubuntu 5.10. (CVE-2005-3359) David Howells noticed a race condition in the add_key(), request_key() and keyctl() functions. By modifying the length of string arguments after the kernel determined their length, but before the kernel copied them into kernel memory, a local attacker could either crash the kernel or read random parts of kernel memory (which could potentially contain sensitive data). (CVE-2006-0457) An information disclosure vulnerability was discovered in the ftruncate() function for the XFS file system. Under certain conditions, this function could expose random unallocated blocks. A local user could potentially exploit this to recover sensitive data from previously deleted files. (CVE-2006-0554) A local Denial of Service vulnerability was found in the NFS client module. By opening a file on an NFS share with O_DIRECT and performing some special operations on it, a local attacker could trigger a kernel crash. (CVE-2006-0555) The ELF binary loader did not sufficiently verify some addresses in the ELF headers. By attempting to execute a specially crafted program, a local attacker could exploit this to trigger a recursive loop of kernel errors, which finally ended in a kernel crash. This only affects the amd64 architecture on Intel processors (EMT64). (CVE-2006-0741) The die_if_kernel() function was incorrectly declared as
    last seen2020-06-01
    modified2020-06-02
    plugin id21070
    published2006-03-13
    reporterUbuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21070
    titleUbuntu 4.10 / 5.04 / 5.10 : linux-source-2.6.8.1/-2.6.10/-2.6.12 vulnerabilities (USN-263-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0437.NASL
    descriptionUpdated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 3. This is the eighth regular update. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. This is the eighth regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include : - addition of the adp94xx and dcdbas device drivers - diskdump support on megaraid_sas, qlogic, and swap partitions - support for new hardware via driver and SCSI white-list updates There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include the networking subsystem, the NFS and autofs4 file systems, the SCSI and USB subsystems, and architecture-specific handling affecting AMD Opteron and Intel EM64T processors. The following device drivers have been added or upgraded to new versions : adp94xx -------- 1.0.8 (new) bnx2 ----------- 1.4.38 cciss ---------- 2.4.60.RH1 dcdbas --------- 5.6.0-1 (new) e1000 ---------- 7.0.33-k2 emulex --------- 7.3.6 forcedeth ------ 0.30 ipmi ----------- 35.13 qlogic --------- 7.07.04b6 tg3 ------------ 3.52RH The following security bugs were fixed in this update : - a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate) - a flaw in the exec() handling of multi-threaded tasks using ptrace() that allowed a local user to cause a denial of service (hang of a user process) (CVE-2005-3107, low) - a difference in
    last seen2020-06-01
    modified2020-06-02
    plugin id22086
    published2006-07-21
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22086
    titleRHEL 3 : kernel (RHSA-2006:0437)

Oval

accepted2013-04-29T04:06:22.196-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionLinux kernel before 2.6.15.5, when running on Intel processors, allows local users to cause a denial of service ("endless recursive fault") via unknown attack vectors related to a "bad elf entry address."
familyunix
idoval:org.mitre.oval:def:10518
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleLinux kernel before 2.6.15.5, when running on Intel processors, allows local users to cause a denial of service ("endless recursive fault") via unknown attack vectors related to a "bad elf entry address."
version26

Redhat

advisories
  • rhsa
    idRHSA-2006:0437
  • rhsa
    idRHSA-2006:0493
rpms
  • kernel-0:2.4.21-47.EL
  • kernel-BOOT-0:2.4.21-47.EL
  • kernel-debuginfo-0:2.4.21-47.EL
  • kernel-doc-0:2.4.21-47.EL
  • kernel-hugemem-0:2.4.21-47.EL
  • kernel-hugemem-unsupported-0:2.4.21-47.EL
  • kernel-smp-0:2.4.21-47.EL
  • kernel-smp-unsupported-0:2.4.21-47.EL
  • kernel-source-0:2.4.21-47.EL
  • kernel-unsupported-0:2.4.21-47.EL
  • kernel-0:2.6.9-34.0.1.EL
  • kernel-debuginfo-0:2.6.9-34.0.1.EL
  • kernel-devel-0:2.6.9-34.0.1.EL
  • kernel-doc-0:2.6.9-34.0.1.EL
  • kernel-hugemem-0:2.6.9-34.0.1.EL
  • kernel-hugemem-devel-0:2.6.9-34.0.1.EL
  • kernel-largesmp-0:2.6.9-34.0.1.EL
  • kernel-largesmp-devel-0:2.6.9-34.0.1.EL
  • kernel-smp-0:2.6.9-34.0.1.EL
  • kernel-smp-devel-0:2.6.9-34.0.1.EL