Vulnerabilities > CVE-2006-0744 - Improper Input Validation vulnerability in Linux Kernel

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
linux
CWE-20
nessus
NVD
Published: 2006-04-18
Updated: 2024-11-21

Summary

Linux kernel before 2.6.16.5 does not properly handle uncanonical return addresses on Intel EM64T CPUs, which reports an exception in the SYSRET instead of the next instruction, which causes the kernel exception handler to run on the user stack with the wrong GS.

Vulnerable Configurations

Part Description Count
OS
Linux
138

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-302-1.NASL
    descriptionAn integer overflow was discovered in the do_replace() function. A local user process with the CAP_NET_ADMIN capability could exploit this to execute arbitrary commands with full root privileges. However, none of Ubuntu
    last seen2020-06-01
    modified2020-06-02
    plugin id27877
    published2007-11-10
    reporterUbuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27877
    titleUbuntu 5.04 / 5.10 / 6.06 LTS : linux-source-2.6.10/2.6.12/2.6.15 vulnerabilities (USN-302-1)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-302-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(27877);
  script_version("1.22");
  script_cvs_date("Date: 2019/08/02 13:33:00");

  script_cve_id("CVE-2006-0038", "CVE-2006-0744", "CVE-2006-1055", "CVE-2006-1056", "CVE-2006-1522", "CVE-2006-1527", "CVE-2006-1528", "CVE-2006-1855", "CVE-2006-1856", "CVE-2006-1857", "CVE-2006-1858", "CVE-2006-1859", "CVE-2006-1860", "CVE-2006-1863", "CVE-2006-1864", "CVE-2006-2071", "CVE-2006-2271", "CVE-2006-2272", "CVE-2006-2274", "CVE-2006-2275", "CVE-2006-2444");
  script_bugtraq_id(17600, 18081);
  script_xref(name:"USN", value:"302-1");

  script_name(english:"Ubuntu 5.04 / 5.10 / 6.06 LTS : linux-source-2.6.10/2.6.12/2.6.15 vulnerabilities (USN-302-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"An integer overflow was discovered in the do_replace() function. A
local user process with the CAP_NET_ADMIN capability could exploit
this to execute arbitrary commands with full root privileges. However,
none of Ubuntu's supported packages use this capability with any
non-root user, so this only affects you if you use some third party
software like the OpenVZ virtualization system. (CVE-2006-0038)

On EMT64 CPUs, the kernel did not properly handle uncanonical return
addresses. A local user could exploit this to trigger a kernel crash.
(CVE-2006-0744)

Al Viro discovered a local Denial of Service in the sysfs write buffer
handling. By writing a block with a length exactly equal to the
processor's page size to any writable file in /sys, a local attacker
could cause a kernel crash. (CVE-2006-1055)

Jan Beulich discovered an information leak in the handling of
registers for the numeric coprocessor when running on AMD processors.
This allowed processes to see the coprocessor execution state of other
processes, which could reveal sensitive data in the case of
cryptographic computations. (CVE-2006-1056)

Marcel Holtmann discovered that the sys_add_key() did not check that a
new user key is added to a proper keyring. By attempting to add a key
to a normal user key (which is not a keyring), a local attacker could
exploit this to crash the kernel. (CVE-2006-1522)

Ingo Molnar discovered that the SCTP protocol connection tracking
module in netfilter got stuck in an infinite loop on certain empty
packet chunks. A remote attacker could exploit this to cause the
computer to hang. (CVE-2006-1527)

The SCSI I/O driver did not correctly handle the VM_IO flag for memory
mapped pages used for data transfer. A local user could exploit this
to cause a kernel crash. (CVE-2006-1528)

The choose_new_parent() contained obsolete debugging code. A local
user could exploit this to cause a kernel crash. (CVE-2006-1855)

Kostik Belousov discovered that the readv() and writev() functions did
not query LSM modules for access permission. This could be exploited
to circumvent access restrictions defined by LSM modules such as
SELinux or AppArmor. (CVE-2006-1856)

The SCTP driver did not properly verify certain parameters when
receiving a HB-ACK chunk. By sending a specially crafted packet to an
SCTP socket, a remote attacker could exploit this to trigger a buffer
overflow, which could lead to a crash or possibly even arbitrary code
execution. (CVE-2006-1857)

The sctp_walk_params() function in the SCTP driver incorrectly used
rounded values for bounds checking instead of the precise values. By
sending a specially crafted packet to an SCTP socket, a remote
attacker could exploit this to crash the kernel. (CVE-2006-1858)

Bjoern Steinbrink reported a memory leak in the __setlease() function.
A local attacker could exploit this to exhaust kernel memory and
render the computer unusable (Denial of Service). (CVE-2006-1859)

Daniel Hokka Zakrisson discovered that the lease_init() did not
properly handle locking. A local attacker could exploit this to cause
a kernel deadlock (Denial of Service). (CVE-2006-1860)

Mark Moseley discovered that the CIFS file system driver did not
filter out '..\\' path components. A local attacker could exploit this
to break out of a chroot environment on a mounted SMB share.
(CVE-2006-1863) The same vulnerability applies to the older smb file
system. (CVE-2006-1864)

Hugh Dickins discovered that the mprotect() function allowed an user
to change a read-only shared memory attachment to become writable,
which bypasses IPC (inter-process communication) permissions.
(CVE-2006-2071)

The SCTP (Stream Control Transmission Protocol) driver triggered a
kernel panic on unexpected packets while the session was in the CLOSED
state, instead of silently ignoring the packets. A remote attacker
could exploit this to crash the computer. (CVE-2006-2271)

The SCTP driver did not handle control chunks if they arrived in
fragmented packets. By sending specially crafted packets to an SCTP
socket, a remote attacker could exploit this to crash the target
machine. (CVE-2006-2272)

The SCTP driver did not correctly handle packets containing more than
one DATA fragment. By sending specially crafted packets to an SCTP
socket, a remote attacker could exploit this to crash the target
machine. (CVE-2006-2274)

The SCTP driver did not correcly buffer incoming packets. By sending a
large number of small messages to a receiver application that cannot
process the messages quickly enough, a remote attacker could exploit
this to cause a deadlock in the target machine (Denial of Service).
(CVE-2006-2275)

Patrick McHardy discovered that the snmp_trap_decode() function did
not correctly handle memory allocation in some error conditions. By
sending specially crafted packets to a machine which uses the SNMP
network address translation (NAT), a remote attacker could exploit
this to crash that machine. (CVE-2006-2444)

In addition, the Ubuntu 6.06 LTS update fixes a range of bugs.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/302-1/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 119, 189);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:avm-fritz-firmware");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:avm-fritz-firmware-2.6.15-25");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:avm-fritz-kernel-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:fglrx-control");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:fglrx-kernel-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-386");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-686");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-686-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-amd64-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-amd64-k8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-amd64-k8-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-amd64-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-amd64-xeon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.10");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.12");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.15");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-386");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-686");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-686-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-k8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-k8-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-xeon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-386");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-686");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-amd64-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-amd64-k8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-amd64-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-amd64-xeon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-686");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-686-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-k8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-k8-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-xeon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-386");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-686");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-amd64-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-amd64-k8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-amd64-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-amd64-xeon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-patch-ubuntu-2.6.10");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-patch-ubuntu-2.6.12");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-restricted-modules-2.6-386");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-restricted-modules-2.6-686");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-restricted-modules-2.6-amd64-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-restricted-modules-2.6-amd64-k8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-restricted-modules-2.6-amd64-xeon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-restricted-modules-386");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-restricted-modules-686");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-restricted-modules-amd64-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-restricted-modules-amd64-k8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-restricted-modules-amd64-xeon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-restricted-modules-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.10");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.12");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.15");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-tree-2.6.10");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-tree-2.6.12");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nvidia-glx");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nvidia-glx-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nvidia-glx-legacy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nvidia-glx-legacy-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nvidia-kernel-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nvidia-legacy-kernel-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:xorg-driver-fglrx");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:xorg-driver-fglrx-dev");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/03/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/06/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/10");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(5\.04|5\.10|6\.06)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 5.04 / 5.10 / 6.06", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2006-0038", "CVE-2006-0744", "CVE-2006-1055", "CVE-2006-1056", "CVE-2006-1522", "CVE-2006-1527", "CVE-2006-1528", "CVE-2006-1855", "CVE-2006-1856", "CVE-2006-1857", "CVE-2006-1858", "CVE-2006-1859", "CVE-2006-1860", "CVE-2006-1863", "CVE-2006-1864", "CVE-2006-2071", "CVE-2006-2271", "CVE-2006-2272", "CVE-2006-2274", "CVE-2006-2275", "CVE-2006-2444");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-302-1");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"5.04", pkgname:"linux-doc-2.6.10", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-headers-2.6.10-6", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-headers-2.6.10-6-386", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-headers-2.6.10-6-686", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-headers-2.6.10-6-686-smp", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-headers-2.6.10-6-amd64-generic", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-headers-2.6.10-6-amd64-k8", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-headers-2.6.10-6-amd64-k8-smp", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-headers-2.6.10-6-amd64-xeon", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-image-2.6.10-6-386", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-image-2.6.10-6-686", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-image-2.6.10-6-686-smp", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-image-2.6.10-6-amd64-generic", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-image-2.6.10-6-amd64-k8", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-image-2.6.10-6-amd64-k8-smp", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-image-2.6.10-6-amd64-xeon", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-patch-ubuntu-2.6.10", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-source-2.6.10", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"linux-tree-2.6.10", pkgver:"2.6.10-34.20")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-doc-2.6.12", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-headers-2.6.12-10", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-headers-2.6.12-10-386", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-headers-2.6.12-10-686", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-headers-2.6.12-10-686-smp", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-headers-2.6.12-10-amd64-generic", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-headers-2.6.12-10-amd64-k8", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-headers-2.6.12-10-amd64-k8-smp", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-headers-2.6.12-10-amd64-xeon", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-image-2.6.12-10-386", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-image-2.6.12-10-686", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-image-2.6.12-10-686-smp", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-image-2.6.12-10-amd64-generic", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-image-2.6.12-10-amd64-k8", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-image-2.6.12-10-amd64-k8-smp", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-image-2.6.12-10-amd64-xeon", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-patch-ubuntu-2.6.12", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-source-2.6.12", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"linux-tree-2.6.12", pkgver:"2.6.12-10.34")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"avm-fritz-firmware", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"avm-fritz-firmware-2.6.15-25", pkgver:"2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"avm-fritz-kernel-source", pkgver:"2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"fglrx-control", pkgver:"2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"fglrx-kernel-source", pkgver:"2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-386", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-686", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-686-smp", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-amd64-generic", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-amd64-k8", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-amd64-k8-smp", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-amd64-server", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-amd64-xeon", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-doc", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-doc-2.6.15", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-25", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-25-386", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-25-686", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-25-amd64-generic", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-25-amd64-k8", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-25-amd64-server", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-25-amd64-xeon", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-25-server", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-386", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-686", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-amd64-generic", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-amd64-k8", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-amd64-server", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-amd64-xeon", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-server", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-25-386", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-25-686", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-25-amd64-generic", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-25-amd64-k8", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-25-amd64-server", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-25-amd64-xeon", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-25-server", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-386", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-686", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-amd64-generic", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-amd64-k8", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-amd64-server", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-amd64-xeon", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-server", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-kernel-devel", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-restricted-modules-2.6.15-25-386", pkgver:"2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-restricted-modules-2.6.15-25-686", pkgver:"2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-restricted-modules-2.6.15-25-amd64-generic", pkgver:"2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-restricted-modules-2.6.15-25-amd64-k8", pkgver:"2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-restricted-modules-2.6.15-25-amd64-xeon", pkgver:"2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-restricted-modules-386", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-restricted-modules-686", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-restricted-modules-amd64-generic", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-restricted-modules-amd64-k8", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-restricted-modules-amd64-xeon", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-restricted-modules-common", pkgver:"2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-server", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-source", pkgver:"2.6.15.23")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-source-2.6.15", pkgver:"2.6.15-25.43")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"nvidia-glx", pkgver:"2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"nvidia-glx-dev", pkgver:"2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"nvidia-glx-legacy", pkgver:"2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"nvidia-glx-legacy-dev", pkgver:"2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"nvidia-kernel-source", pkgver:"1.0.8762+2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"nvidia-legacy-kernel-source", pkgver:"1.0.7174+2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"xorg-driver-fglrx", pkgver:"2.6.15.11-2")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"xorg-driver-fglrx-dev", pkgver:"2.6.15.11-2")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "avm-fritz-firmware / avm-fritz-firmware-2.6.15-25 / etc");
}
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2006-423.NASL
    descriptionThis update includes a number of security issues that have been fixed upstream over the last week or so. i386/x86-64: Fix x87 information leak between processes (CVE-2006-1056) ip_route_input panic fix (CVE-2006-1525) fix MADV_REMOVE vulnerability (CVE-2006-1524) shmat: stop mprotect from giving write permission to a readonly attachment (CVE-2006-1524) Fix MPBL0010 driver insecure sysfs permissions x86_64: When user could have changed RIP always force IRET (CVE-2006-0744) Fix RCU signal handling Keys: Fix oops when adding key to non-keyring (CVE-2006-1522) sysfs: zero terminate sysfs write buffers (CVE-2006-1055) It also includes various other fixes from the -stable tree. Full changelogs are available from : http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.9 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.8 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.7 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.6 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.5 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.4 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.3 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.2 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id21253
    published2006-04-21
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21253
    titleFedora Core 4 : kernel-2.6.16-1.2096_FC4 (2006-423)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1103.NASL
    descriptionSeveral local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-3359 Franz Filz discovered that some socket calls permit causing inconsistent reference counts on loadable modules, which allows local users to cause a denial of service. - CVE-2006-0038
    last seen2020-06-01
    modified2020-06-02
    plugin id22645
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22645
    titleDebian DSA-1103-1 : kernel-source-2.6.8 - several vulnerabilities
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2012-0021.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - x86-64: detect processors subject to AMD erratum #121 and refuse to boot(CVE-2006-0744) - guest denial of service on syscall/sysenter exception generation (CVE-2012-0217),(CVE-2012-0218) - Remove unnecessary balloon retries on vm create. This is a backport from fix for bug 14143327.
    last seen2020-06-01
    modified2020-06-02
    plugin id79477
    published2014-11-26
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79477
    titleOracleVM 3.1 : xen (OVMSA-2012-0021)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2006-421.NASL
    descriptionThis update includes a number of security issues that have been fixed upstream over the last week or so. i386/x86-64: Fix x87 information leak between processes (CVE-2006-1056) ip_route_input panic fix (CVE-2006-1525) fix MADV_REMOVE vulnerability (CVE-2006-1524) shmat: stop mprotect from giving write permission to a readonly attachment (CVE-2006-1524) Fix MPBL0010 driver insecure sysfs permissions x86_64: When user could have changed RIP always force IRET (CVE-2006-0744) Fix RCU signal handling Keys: Fix oops when adding key to non-keyring (CVE-2006-1522) sysfs: zero terminate sysfs write buffers (CVE-2006-1055) It also includes various other fixes from the -stable tree. Full changelogs are available from : http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.9 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.8 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.7 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.6 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.5 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.4 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.3 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.2 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id21252
    published2006-04-21
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21252
    titleFedora Core 5 : kernel-2.6.16-1.2096_FC5 (2006-421)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0437.NASL
    descriptionUpdated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 3. This is the eighth regular update. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. This is the eighth regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include : - addition of the adp94xx and dcdbas device drivers - diskdump support on megaraid_sas, qlogic, and swap partitions - support for new hardware via driver and SCSI white-list updates There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include the networking subsystem, the NFS and autofs4 file systems, the SCSI and USB subsystems, and architecture-specific handling affecting AMD Opteron and Intel EM64T processors. The following device drivers have been added or upgraded to new versions : adp94xx -------- 1.0.8 (new) bnx2 ----------- 1.4.38 cciss ---------- 2.4.60.RH1 dcdbas --------- 5.6.0-1 (new) e1000 ---------- 7.0.33-k2 emulex --------- 7.3.6 forcedeth ------ 0.30 ipmi ----------- 35.13 qlogic --------- 7.07.04b6 tg3 ------------ 3.52RH The following security bugs were fixed in this update : - a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate) - a flaw in the exec() handling of multi-threaded tasks using ptrace() that allowed a local user to cause a denial of service (hang of a user process) (CVE-2005-3107, low) - a difference in
    last seen2020-06-01
    modified2020-06-02
    plugin id22135
    published2006-08-04
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22135
    titleCentOS 3 : kernel (CESA-2006:0437)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-086.NASL
    descriptionA number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel : Prior to Linux kernel 2.6.16.5, the kernel does not properly handle uncanonical return addresses on Intel EM64T CPUs which causes the kernel exception handler to run on the user stack with the wrong GS (CVE-2006-0744). The selinux_ptrace logic hooks in SELinux for 2.6.6 allow local users with ptrace permissions to change the tracer SID to an SID of another process (CVE-2006-1052). Prior to 2.6.16, the ip_push_pending_frames function increments the IP ID field when sending a RST after receiving unsolicited TCP SYN-ACK packets, which allows a remote attacker to conduct an idle scan attack, bypassing any intended protection against such an attack (CVE-2006-1242). In kernel 2.6.16.1 and some earlier versions, the sys_add_key function in the keyring code allows local users to cause a DoS (OOPS) via keyctl requests that add a key to a user key instead of a keyring key, causing an invalid dereference (CVE-2006-1522). Prior to 2.6.16.8, the ip_route_input function allows local users to cause a DoS (panic) via a request for a route for a multicast IP address, which triggers a null dereference (CVE-2006-1525). Prior to 2.6.16.13, the SCTP-netfilter code allows remote attackers to cause a DoS (infinite loop) via unknown vectors that cause an invalid SCTP chunk size to be processed (CVE-2006-1527). Prior to 2.6.16, local users can bypass IPC permissions and modify a read-only attachment of shared memory by using mprotect to give write permission to the attachment (CVE-2006-2071). Prior to 2.6.17, the ECNE chunk handling in SCTP (lksctp) allows remote attackers to cause a DoS (kernel panic) via an unexpected chucnk when the session is in CLOSED state (CVE-2006-2271). Prior to 2.6.17, SCTP (lksctp) allows remote attacker to cause a DoS (kernel panic) via incoming IP fragmented COOKIE_ECHO and HEARTBEAT SCTP control chunks (CVE-2006-2272). In addition to these security fixes, other fixes have been included such as : - fix a scheduler deadlock - Yenta oops fix - ftdi_sio: adds support for iPlus devices - enable kprobes on i386 and x86_64 - avoid a panic on bind mount of autofs owned directory - fix a kernel OOPs when booting with
    last seen2020-06-01
    modified2020-06-02
    plugin id21575
    published2006-05-19
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21575
    titleMandrake Linux Security Advisory : kernel (MDKSA-2006:086)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0493.NASL
    descriptionUpdated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : * a flaw in the IPv6 implementation that allowed a local user to cause a denial of service (infinite loop and crash) (CVE-2005-2973, important) * a flaw in the bridge implementation that allowed a remote user to cause forwarding of spoofed packets via poisoning of the forwarding table with already dropped frames (CVE-2005-3272, moderate) * a flaw in the atm module that allowed a local user to cause a denial of service (panic) via certain socket calls (CVE-2005-3359, important) * a flaw in the NFS client implementation that allowed a local user to cause a denial of service (panic) via O_DIRECT writes (CVE-2006-0555, important) * a difference in
    last seen2020-06-01
    modified2020-06-02
    plugin id21592
    published2006-05-24
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21592
    titleRHEL 4 : kernel (RHSA-2006:0493)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2012-0020.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - x86-64: detect processors subject to AMD erratum #121 and refuse to boot(CVE-2006-0744) - guest denial of service on syscall/sysenter exception generation (CVE-2012-0217) - Remove unnecessary balloon retries on vm create. This is a backport from fix for bug 14143327. - This backport from 3.1.1: Author: amisherf Put back the patch that prevent older guest that uses kudzu from hanging on a reboot. Fixed the patch to prevent excessive watcher writes which causes xend, xenstored to run at a 100% cpu usage. Now the watch is written only if console in Initialising, InitWait, Initialised states which happen once at boot time. [bug 13523487] - Backport from upstream changeset 20968 xend: notify xenpv device model that console info is ready Sometimes PV domain with vfb doesn
    last seen2020-06-01
    modified2020-06-02
    plugin id79476
    published2014-11-26
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79476
    titleOracleVM 3.0 : xen (OVMSA-2012-0020)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0493.NASL
    descriptionUpdated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : * a flaw in the IPv6 implementation that allowed a local user to cause a denial of service (infinite loop and crash) (CVE-2005-2973, important) * a flaw in the bridge implementation that allowed a remote user to cause forwarding of spoofed packets via poisoning of the forwarding table with already dropped frames (CVE-2005-3272, moderate) * a flaw in the atm module that allowed a local user to cause a denial of service (panic) via certain socket calls (CVE-2005-3359, important) * a flaw in the NFS client implementation that allowed a local user to cause a denial of service (panic) via O_DIRECT writes (CVE-2006-0555, important) * a difference in
    last seen2020-06-01
    modified2020-06-02
    plugin id21997
    published2006-07-05
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21997
    titleCentOS 4 : kernel (CESA-2006:0493)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0437.NASL
    descriptionUpdated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 3. This is the eighth regular update. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. This is the eighth regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include : - addition of the adp94xx and dcdbas device drivers - diskdump support on megaraid_sas, qlogic, and swap partitions - support for new hardware via driver and SCSI white-list updates There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include the networking subsystem, the NFS and autofs4 file systems, the SCSI and USB subsystems, and architecture-specific handling affecting AMD Opteron and Intel EM64T processors. The following device drivers have been added or upgraded to new versions : adp94xx -------- 1.0.8 (new) bnx2 ----------- 1.4.38 cciss ---------- 2.4.60.RH1 dcdbas --------- 5.6.0-1 (new) e1000 ---------- 7.0.33-k2 emulex --------- 7.3.6 forcedeth ------ 0.30 ipmi ----------- 35.13 qlogic --------- 7.07.04b6 tg3 ------------ 3.52RH The following security bugs were fixed in this update : - a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate) - a flaw in the exec() handling of multi-threaded tasks using ptrace() that allowed a local user to cause a denial of service (hang of a user process) (CVE-2005-3107, low) - a difference in
    last seen2020-06-01
    modified2020-06-02
    plugin id22086
    published2006-07-21
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22086
    titleRHEL 3 : kernel (RHSA-2006:0437)

Oval

accepted2013-04-29T04:21:42.130-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionLinux kernel before 2.6.16.5 does not properly handle uncanonical return addresses on Intel EM64T CPUs, which reports an exception in the SYSRET instead of the next instruction, which causes the kernel exception handler to run on the user stack with the wrong GS.
familyunix
idoval:org.mitre.oval:def:9732
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleLinux kernel before 2.6.16.5 does not properly handle uncanonical return addresses on Intel EM64T CPUs, which reports an exception in the SYSRET instead of the next instruction, which causes the kernel exception handler to run on the user stack with the wrong GS.
version26

Redhat

advisories
  • rhsa
    idRHSA-2006:0437
  • rhsa
    idRHSA-2006:0493
rpms
  • kernel-0:2.4.21-47.EL
  • kernel-BOOT-0:2.4.21-47.EL
  • kernel-debuginfo-0:2.4.21-47.EL
  • kernel-doc-0:2.4.21-47.EL
  • kernel-hugemem-0:2.4.21-47.EL
  • kernel-hugemem-unsupported-0:2.4.21-47.EL
  • kernel-smp-0:2.4.21-47.EL
  • kernel-smp-unsupported-0:2.4.21-47.EL
  • kernel-source-0:2.4.21-47.EL
  • kernel-unsupported-0:2.4.21-47.EL
  • kernel-0:2.6.9-34.0.1.EL
  • kernel-debuginfo-0:2.6.9-34.0.1.EL
  • kernel-devel-0:2.6.9-34.0.1.EL
  • kernel-doc-0:2.6.9-34.0.1.EL
  • kernel-hugemem-0:2.6.9-34.0.1.EL
  • kernel-hugemem-devel-0:2.6.9-34.0.1.EL
  • kernel-largesmp-0:2.6.9-34.0.1.EL
  • kernel-largesmp-devel-0:2.6.9-34.0.1.EL
  • kernel-smp-0:2.6.9-34.0.1.EL
  • kernel-smp-devel-0:2.6.9-34.0.1.EL

References