Vulnerabilities > CVE-2006-5158 - Improper Locking vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
linux
redhat
canonical
CWE-667
nessus

Summary

The nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel before 2.6.16 allows remote attackers to cause a denial of service (process crash) and deny access to NFS exports via unspecified vectors that trigger a kernel oops (null dereference) and a deadlock.

Vulnerable Configurations

Part Description Count
OS
Linux
655
OS
Redhat
4
OS
Canonical
3

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Race Conditions via Symbolic Links
    This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to her. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file she will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2007-0488.NASL
    descriptionUpdated kernel packages that fix several security issues and bugs in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : * a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) * a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (crash). (CVE-2006-7203, Important) * a flaw in the IPv4 forwarding base that allowed a local user to cause an out-of-bounds access. (CVE-2007-2172, Important) * a flaw in the PPP over Ethernet implementation that allowed a local user to cause a denial of service (memory consumption) by creating a socket using connect and then releasing it before the PPPIOCGCHAN ioctl has been called. (CVE-2007-2525, Important) * a flaw in the fput ioctl handling of 32-bit applications running on 64-bit platforms that allowed a local user to cause a denial of service (panic). (CVE-2007-0773, Important) * a flaw in the NFS locking daemon that allowed a local user to cause denial of service (deadlock). (CVE-2006-5158, Moderate) * a flaw in the sysfs_readdir function that allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104, Moderate) * a flaw in the core-dump handling that allowed a local user to create core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958, Low) * a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak. (CVE-2007-1353, Low) In addition, the following bugs were addressed : * the NFS could recurse on the same spinlock. Also, NFS, under certain conditions, did not completely clean up Posix locks on a file close, leading to mount failures. * the 32bit compatibility didn
    last seen2020-06-01
    modified2020-06-02
    plugin id25605
    published2007-06-27
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/25605
    titleRHEL 4 : kernel (RHSA-2007:0488)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2007:0488. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(25605);
      script_version ("1.27");
      script_cvs_date("Date: 2019/10/25 13:36:12");
    
      script_cve_id("CVE-2006-5158", "CVE-2006-7203", "CVE-2007-0773", "CVE-2007-0958", "CVE-2007-1353", "CVE-2007-2172", "CVE-2007-2525", "CVE-2007-2876", "CVE-2007-3104");
      script_bugtraq_id(23870, 24376, 24631);
      script_xref(name:"RHSA", value:"2007:0488");
    
      script_name(english:"RHEL 4 : kernel (RHSA-2007:0488)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kernel packages that fix several security issues and bugs in
    the Red Hat Enterprise Linux 4 kernel are now available.
    
    This security advisory has been rated as having important security
    impact by the Red Hat Security Response Team.
    
    The Linux kernel handles the basic functions of the operating system.
    
    These new kernel packages contain fixes for the security issues
    described below :
    
    * a flaw in the connection tracking support for SCTP that allowed a
    remote user to cause a denial of service by dereferencing a NULL
    pointer. (CVE-2007-2876, Important)
    
    * a flaw in the mount handling routine for 64-bit systems that allowed
    a local user to cause denial of service (crash). (CVE-2006-7203,
    Important)
    
    * a flaw in the IPv4 forwarding base that allowed a local user to
    cause an out-of-bounds access. (CVE-2007-2172, Important)
    
    * a flaw in the PPP over Ethernet implementation that allowed a local
    user to cause a denial of service (memory consumption) by creating a
    socket using connect and then releasing it before the PPPIOCGCHAN
    ioctl has been called. (CVE-2007-2525, Important)
    
    * a flaw in the fput ioctl handling of 32-bit applications running on
    64-bit platforms that allowed a local user to cause a denial of
    service (panic). (CVE-2007-0773, Important)
    
    * a flaw in the NFS locking daemon that allowed a local user to cause
    denial of service (deadlock). (CVE-2006-5158, Moderate)
    
    * a flaw in the sysfs_readdir function that allowed a local user to
    cause a denial of service by dereferencing a NULL pointer.
    (CVE-2007-3104, Moderate)
    
    * a flaw in the core-dump handling that allowed a local user to create
    core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958,
    Low)
    
    * a flaw in the Bluetooth subsystem that allowed a local user to
    trigger an information leak. (CVE-2007-1353, Low)
    
    In addition, the following bugs were addressed :
    
    * the NFS could recurse on the same spinlock. Also, NFS, under certain
    conditions, did not completely clean up Posix locks on a file close,
    leading to mount failures.
    
    * the 32bit compatibility didn't return to userspace correct values
    for the rt_sigtimedwait system call.
    
    * the count for unused inodes could be incorrect at times, resulting
    in dirty data not being written to disk in a timely manner.
    
    * the cciss driver had an incorrect disk size calculation (off-by-one
    error) which prevented disk dumps.
    
    Red Hat would like to thank Ilja van Sprundel and the OpenVZ Linux
    kernel team for reporting issues fixed in this erratum.
    
    All Red Hat Enterprise Linux 4 users are advised to upgrade their
    kernels to the packages associated with their machine architectures
    and configurations as listed in this erratum."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-5158"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-7203"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-0773"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-0958"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-1353"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-2172"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-2525"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-2876"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-3104"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2007:0488"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-largesmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-largesmp-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xenU");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xenU-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4.5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/06/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/06/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2006-5158", "CVE-2006-7203", "CVE-2007-0773", "CVE-2007-0958", "CVE-2007-1353", "CVE-2007-2172", "CVE-2007-2525", "CVE-2007-2876", "CVE-2007-3104");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2007:0488");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2007:0488";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL4", reference:"kernel-2.6.9-55.0.2.EL")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"kernel-devel-2.6.9-55.0.2.EL")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"kernel-doc-2.6.9-55.0.2.EL")) flag++;
    
      if (rpm_check(release:"RHEL4", cpu:"i686", reference:"kernel-hugemem-2.6.9-55.0.2.EL")) flag++;
    
      if (rpm_check(release:"RHEL4", cpu:"i686", reference:"kernel-hugemem-devel-2.6.9-55.0.2.EL")) flag++;
    
      if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"kernel-largesmp-2.6.9-55.0.2.EL")) flag++;
    
      if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"kernel-largesmp-devel-2.6.9-55.0.2.EL")) flag++;
    
      if (rpm_check(release:"RHEL4", cpu:"i686", reference:"kernel-smp-2.6.9-55.0.2.EL")) flag++;
    
      if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"kernel-smp-2.6.9-55.0.2.EL")) flag++;
    
      if (rpm_check(release:"RHEL4", cpu:"i686", reference:"kernel-smp-devel-2.6.9-55.0.2.EL")) flag++;
    
      if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"kernel-smp-devel-2.6.9-55.0.2.EL")) flag++;
    
      if (rpm_check(release:"RHEL4", cpu:"i686", reference:"kernel-xenU-2.6.9-55.0.2.EL")) flag++;
    
      if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"kernel-xenU-2.6.9-55.0.2.EL")) flag++;
    
      if (rpm_check(release:"RHEL4", cpu:"i686", reference:"kernel-xenU-devel-2.6.9-55.0.2.EL")) flag++;
    
      if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"kernel-xenU-devel-2.6.9-55.0.2.EL")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-devel / kernel-doc / kernel-hugemem / etc");
      }
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2007-0488.NASL
    descriptionUpdated kernel packages that fix several security issues and bugs in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : * a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) * a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (crash). (CVE-2006-7203, Important) * a flaw in the IPv4 forwarding base that allowed a local user to cause an out-of-bounds access. (CVE-2007-2172, Important) * a flaw in the PPP over Ethernet implementation that allowed a local user to cause a denial of service (memory consumption) by creating a socket using connect and then releasing it before the PPPIOCGCHAN ioctl has been called. (CVE-2007-2525, Important) * a flaw in the fput ioctl handling of 32-bit applications running on 64-bit platforms that allowed a local user to cause a denial of service (panic). (CVE-2007-0773, Important) * a flaw in the NFS locking daemon that allowed a local user to cause denial of service (deadlock). (CVE-2006-5158, Moderate) * a flaw in the sysfs_readdir function that allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104, Moderate) * a flaw in the core-dump handling that allowed a local user to create core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958, Low) * a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak. (CVE-2007-1353, Low) In addition, the following bugs were addressed : * the NFS could recurse on the same spinlock. Also, NFS, under certain conditions, did not completely clean up Posix locks on a file close, leading to mount failures. * the 32bit compatibility didn
    last seen2020-06-01
    modified2020-06-02
    plugin id25575
    published2007-06-27
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/25575
    titleCentOS 4 : kernel (CESA-2007:0488)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2007:0488 and 
    # CentOS Errata and Security Advisory 2007:0488 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(25575);
      script_version("1.19");
      script_cvs_date("Date: 2019/10/25 13:36:03");
    
      script_cve_id("CVE-2006-5158", "CVE-2006-7203", "CVE-2007-0773", "CVE-2007-0958", "CVE-2007-1353", "CVE-2007-2172", "CVE-2007-2525", "CVE-2007-2876", "CVE-2007-3104");
      script_bugtraq_id(23870, 24376, 24631);
      script_xref(name:"RHSA", value:"2007:0488");
    
      script_name(english:"CentOS 4 : kernel (CESA-2007:0488)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kernel packages that fix several security issues and bugs in
    the Red Hat Enterprise Linux 4 kernel are now available.
    
    This security advisory has been rated as having important security
    impact by the Red Hat Security Response Team.
    
    The Linux kernel handles the basic functions of the operating system.
    
    These new kernel packages contain fixes for the security issues
    described below :
    
    * a flaw in the connection tracking support for SCTP that allowed a
    remote user to cause a denial of service by dereferencing a NULL
    pointer. (CVE-2007-2876, Important)
    
    * a flaw in the mount handling routine for 64-bit systems that allowed
    a local user to cause denial of service (crash). (CVE-2006-7203,
    Important)
    
    * a flaw in the IPv4 forwarding base that allowed a local user to
    cause an out-of-bounds access. (CVE-2007-2172, Important)
    
    * a flaw in the PPP over Ethernet implementation that allowed a local
    user to cause a denial of service (memory consumption) by creating a
    socket using connect and then releasing it before the PPPIOCGCHAN
    ioctl has been called. (CVE-2007-2525, Important)
    
    * a flaw in the fput ioctl handling of 32-bit applications running on
    64-bit platforms that allowed a local user to cause a denial of
    service (panic). (CVE-2007-0773, Important)
    
    * a flaw in the NFS locking daemon that allowed a local user to cause
    denial of service (deadlock). (CVE-2006-5158, Moderate)
    
    * a flaw in the sysfs_readdir function that allowed a local user to
    cause a denial of service by dereferencing a NULL pointer.
    (CVE-2007-3104, Moderate)
    
    * a flaw in the core-dump handling that allowed a local user to create
    core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958,
    Low)
    
    * a flaw in the Bluetooth subsystem that allowed a local user to
    trigger an information leak. (CVE-2007-1353, Low)
    
    In addition, the following bugs were addressed :
    
    * the NFS could recurse on the same spinlock. Also, NFS, under certain
    conditions, did not completely clean up Posix locks on a file close,
    leading to mount failures.
    
    * the 32bit compatibility didn't return to userspace correct values
    for the rt_sigtimedwait system call.
    
    * the count for unused inodes could be incorrect at times, resulting
    in dirty data not being written to disk in a timely manner.
    
    * the cciss driver had an incorrect disk size calculation (off-by-one
    error) which prevented disk dumps.
    
    Red Hat would like to thank Ilja van Sprundel and the OpenVZ Linux
    kernel team for reporting issues fixed in this erratum.
    
    All Red Hat Enterprise Linux 4 users are advised to upgrade their
    kernels to the packages associated with their machine architectures
    and configurations as listed in this erratum."
      );
      # https://lists.centos.org/pipermail/centos-announce/2007-June/013980.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4473df7d"
      );
      # https://lists.centos.org/pipermail/centos-announce/2007-June/013981.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?060b053f"
      );
      # https://lists.centos.org/pipermail/centos-announce/2007-June/014010.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5408e7ae"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-hugemem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-hugemem-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-largesmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-largesmp-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-smp-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xenU");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xenU-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/06/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/06/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-4", reference:"kernel-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"kernel-devel-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-doc-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-doc-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-hugemem-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-hugemem-devel-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"kernel-largesmp-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-largesmp-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"kernel-largesmp-devel-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-largesmp-devel-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-smp-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-smp-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-smp-devel-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-smp-devel-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-xenU-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-xenU-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-xenU-devel-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-xenU-devel-2.6.9-55.0.2.EL")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-devel / kernel-doc / kernel-hugemem / etc");
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20070625_KERNEL_ON_SL4_X.NASL
    descriptionThese new kernel packages contain fixes for the security issues described below : - a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) - a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (crash). (CVE-2006-7203, Important) - a flaw in the IPv4 forwarding base that allowed a local user to cause an out-of-bounds access. (CVE-2007-2172, Important) - a flaw in the PPP over Ethernet implementation that allowed a local user to cause a denial of service (memory consumption) by creating a socket using connect and then releasing it before the PPPIOCGCHAN ioctl has been called. (CVE-2007-2525, Important) - a flaw in the fput ioctl handling of 32-bit applications running on 64-bit platforms that allowed a local user to cause a denial of service (panic). (CVE-2007-0773, Important) - a flaw in the NFS locking daemon that allowed a local user to cause denial of service (deadlock). (CVE-2006-5158, Moderate) - a flaw in the sysfs_readdir function that allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104, Moderate) - a flaw in the core-dump handling that allowed a local user to create core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958, Low) - a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak. (CVE-2007-1353, Low) In addition, the following bugs were addressed : - the NFS could recurse on the same spinlock. Also, NFS, under certain conditions, did not completely clean up Posix locks on a file close, leading to mount failures. - the 32bit compatibility didn
    last seen2020-06-01
    modified2020-06-02
    plugin id60215
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60215
    titleScientific Linux Security Update : kernel on SL4.x i386/x86_64
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(60215);
      script_version("1.6");
      script_cvs_date("Date: 2019/10/25 13:36:17");
    
      script_cve_id("CVE-2006-5158", "CVE-2006-7203", "CVE-2007-0773", "CVE-2007-0958", "CVE-2007-1353", "CVE-2007-2172", "CVE-2007-2525", "CVE-2007-2876", "CVE-2007-3104");
    
      script_name(english:"Scientific Linux Security Update : kernel on SL4.x i386/x86_64");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "These new kernel packages contain fixes for the security issues
    described below :
    
      - a flaw in the connection tracking support for SCTP that
        allowed a remote user to cause a denial of service by
        dereferencing a NULL pointer. (CVE-2007-2876, Important)
    
      - a flaw in the mount handling routine for 64-bit systems
        that allowed a local user to cause denial of service
        (crash). (CVE-2006-7203, Important)
    
      - a flaw in the IPv4 forwarding base that allowed a local
        user to cause an out-of-bounds access. (CVE-2007-2172,
        Important)
    
      - a flaw in the PPP over Ethernet implementation that
        allowed a local user to cause a denial of service
        (memory consumption) by creating a socket using connect
        and then releasing it before the PPPIOCGCHAN ioctl has
        been called. (CVE-2007-2525, Important)
    
      - a flaw in the fput ioctl handling of 32-bit applications
        running on 64-bit platforms that allowed a local user to
        cause a denial of service (panic). (CVE-2007-0773,
        Important)
    
      - a flaw in the NFS locking daemon that allowed a local
        user to cause denial of service (deadlock).
        (CVE-2006-5158, Moderate)
    
      - a flaw in the sysfs_readdir function that allowed a
        local user to cause a denial of service by dereferencing
        a NULL pointer. (CVE-2007-3104, Moderate)
    
      - a flaw in the core-dump handling that allowed a local
        user to create core dumps from unreadable binaries via
        PT_INTERP. (CVE-2007-0958, Low)
    
      - a flaw in the Bluetooth subsystem that allowed a local
        user to trigger an information leak. (CVE-2007-1353,
        Low)
    
    In addition, the following bugs were addressed :
    
      - the NFS could recurse on the same spinlock. Also, NFS,
        under certain conditions, did not completely clean up
        Posix locks on a file close, leading to mount failures.
    
      - the 32bit compatibility didn't return to userspace
        correct values for the rt_sigtimedwait system call.
    
      - the count for unused inodes could be incorrect at times,
        resulting in dirty data not being written to disk in a
        timely manner.
    
      - the cciss driver had an incorrect disk size calculation
        (off-by-one error) which prevented disk dumps.
    
    NOTE1: From The Upstream Vendors release notes 'During PCI probing,
    Red Hat Enterprise Linux 4 Update 5 attempts to use information
    obtained from MCFG (memory-mapped PCI configuration space). On
    AMD-systems, this type of access does not work on some buses, as the
    kernel cannot parse the MCFG table.
    
    To work around this, add the parameter pci=conf1 or pci=nommconf on
    the kernel boot line in /etc/grub.conf. For example :
    
    title Red Hat Enterprise Linux AS (2.6.9-42.0.2.EL) root (hd0,0)
    kernel /vmlinuz-2.6.9-42.0.2.EL ro root=/dev/VolGroup00/LogVol00 rhgb
    quiet pci=conf1 initrd /initrd-2.6.9-42.0.2.EL.img
    
    Doing this instructs the kernel to use PCI Conf1 access instead of
    MCFG-based access.'
    
    NOTE2: From The Upstream Vendors Knowledge Base 'Why did the ordering
    of my NIC devices change in Red Hat Enterprise Linux 4.5?
    
    The 2.6.9-55 version of the Red Hat Enterprise Linux 4 kernel (Update
    5) reverts to the 2.4 ordering of network interface cards (NICs) on
    certain systems. Note that if the 'HWADDR=MAC ADDRESS' line is present
    in the /etc/sysconfig/network-scripts/ifcfg-ethX files, the NIC
    ordering will not change.
    
    To restore the original 2.6 ordering, which is different from the 2.4
    ordering, boot with the option pci=nobfsort '"
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0706&L=scientific-linux-errata&T=0&P=4280
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?06defb2b"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
      script_cwe_id(20, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/06/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL4", reference:"kernel-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"SL4", reference:"kernel-devel-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"SL4", reference:"kernel-doc-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"SL4", cpu:"i386", reference:"kernel-hugemem-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"SL4", cpu:"i386", reference:"kernel-hugemem-devel-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"SL4", cpu:"x86_64", reference:"kernel-largesmp-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"SL4", cpu:"x86_64", reference:"kernel-largesmp-devel-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"SL4", reference:"kernel-smp-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"SL4", reference:"kernel-smp-devel-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"SL4", reference:"kernel-xenU-2.6.9-55.0.2.EL")) flag++;
    if (rpm_check(release:"SL4", reference:"kernel-xenU-devel-2.6.9-55.0.2.EL")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2007-012.NASL
    descriptionSome vulnerabilities were discovered and corrected in the Linux 2.6 kernel : The __block_prepate_write function in the 2.6 kernel before 2.6.13 does not properly clear buffers during certain error conditions, which allows users to read portions of files that have been unlinked (CVE-2006-4813). The clip_mkip function of the ATM subsystem in the 2.6 kernel allows remote attackers to dause a DoS (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed (CVE-2006-4997). The NFS lockd in the 2.6 kernel before 2.6.16 allows remote attackers to cause a DoS (process crash) and deny access to NFS exports via unspecified vectors that trigger a kernel oops and a deadlock (CVE-2006-5158). The seqfile handling in the 2.6 kernel up to 2.6.18 allows local users to cause a DoS (hang or oops) via unspecified manipulations that trigger an infinite loop while searching for flowlabels (CVE-2006-5619). A missing call to init_timer() in the isdn_ppp code of the Linux kernel can allow remote attackers to send a special kind of PPP pakcet which may trigger a kernel oops (CVE-2006-5749). An integer overflow in the 2.6 kernel prior to 2.6.18.4 could allow a local user to execute arbitrary code via a large maxnum value in an ioctl request (CVE-2006-5751). A race condition in the ISO9660 filesystem handling could allow a local user to cause a DoS (infinite loop) by mounting a crafted ISO9660 filesystem containing malformed data structures (CVE-2006-5757). A vulnerability in the bluetooth support could allow for overwriting internal CMTP and CAPI data structures via malformed packets (CVE-2006-6106). The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels immediately and reboot to effect the fixes. In addition to these security fixes, other fixes have been included such as : - __bread oops fix - added e1000_ng (nineveh support) - added sata_svw (Broadcom SATA support) - added Marvell PATA chipset support - disabled mmconf on some broken hardware/BIOSes - use GENERICARCH and enable bigsmp apic model for tulsa machines To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen2020-06-01
    modified2020-06-02
    plugin id24628
    published2007-02-18
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24628
    titleMandrake Linux Security Advisory : kernel (MDKSA-2007:012)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2007:012. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24628);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id("CVE-2006-4813", "CVE-2006-4997", "CVE-2006-5158", "CVE-2006-5619", "CVE-2006-5749", "CVE-2006-5751", "CVE-2006-5757", "CVE-2006-6106");
      script_bugtraq_id(20363, 20847, 20920, 21353, 21522, 21604, 21835);
      script_xref(name:"MDKSA", value:"2007:012");
    
      script_name(english:"Mandrake Linux Security Advisory : kernel (MDKSA-2007:012)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Some vulnerabilities were discovered and corrected in the Linux 2.6
    kernel :
    
    The __block_prepate_write function in the 2.6 kernel before 2.6.13
    does not properly clear buffers during certain error conditions, which
    allows users to read portions of files that have been unlinked
    (CVE-2006-4813).
    
    The clip_mkip function of the ATM subsystem in the 2.6 kernel allows
    remote attackers to dause a DoS (panic) via unknown vectors that cause
    the ATM subsystem to access the memory of socket buffers after they
    are freed (CVE-2006-4997).
    
    The NFS lockd in the 2.6 kernel before 2.6.16 allows remote attackers
    to cause a DoS (process crash) and deny access to NFS exports via
    unspecified vectors that trigger a kernel oops and a deadlock
    (CVE-2006-5158).
    
    The seqfile handling in the 2.6 kernel up to 2.6.18 allows local users
    to cause a DoS (hang or oops) via unspecified manipulations that
    trigger an infinite loop while searching for flowlabels
    (CVE-2006-5619).
    
    A missing call to init_timer() in the isdn_ppp code of the Linux
    kernel can allow remote attackers to send a special kind of PPP pakcet
    which may trigger a kernel oops (CVE-2006-5749).
    
    An integer overflow in the 2.6 kernel prior to 2.6.18.4 could allow a
    local user to execute arbitrary code via a large maxnum value in an
    ioctl request (CVE-2006-5751).
    
    A race condition in the ISO9660 filesystem handling could allow a
    local user to cause a DoS (infinite loop) by mounting a crafted
    ISO9660 filesystem containing malformed data structures
    (CVE-2006-5757).
    
    A vulnerability in the bluetooth support could allow for overwriting
    internal CMTP and CAPI data structures via malformed packets
    (CVE-2006-6106).
    
    The provided packages are patched to fix these vulnerabilities. All
    users are encouraged to upgrade to these updated kernels immediately
    and reboot to effect the fixes.
    
    In addition to these security fixes, other fixes have been included
    such as :
    
      - __bread oops fix
    
      - added e1000_ng (nineveh support)
    
      - added sata_svw (Broadcom SATA support)
    
      - added Marvell PATA chipset support
    
      - disabled mmconf on some broken hardware/BIOSes
    
      - use GENERICARCH and enable bigsmp apic model for tulsa
        machines
    
    To update your kernel, please follow the directions located at :
    
    http://www.mandriva.com/en/security/kernelupdate"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.6.12.29mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-BOOT-2.6.12.29mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-doc-2.6.12.29mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i586-up-1GB-2.6.12.29mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.6.12.29mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.6.12.29mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-2.6.12.29mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-stripped-2.6.12.29mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xbox-2.6.12.29mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xen0-2.6.12.29mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xenU-2.6.12.29mdk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/01/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2006.0", reference:"kernel-2.6.12.29mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"kernel-BOOT-2.6.12.29mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"kernel-doc-2.6.12.29mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-i586-up-1GB-2.6.12.29mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-i686-up-4GB-2.6.12.29mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"kernel-smp-2.6.12.29mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"kernel-source-2.6.12.29mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"kernel-source-stripped-2.6.12.29mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-xbox-2.6.12.29mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"kernel-xen0-2.6.12.29mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"kernel-xenU-2.6.12.29mdk-1-1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-395-1.NASL
    descriptionMark Dowd discovered that the netfilter iptables module did not correcly handle fragmented packets. By sending specially crafted packets, a remote attacker could exploit this to bypass firewall rules. This has only be fixed for Ubuntu 6.10; the corresponding fix for Ubuntu 5.10 and 6.06 will follow soon. (CVE-2006-4572) Dmitriy Monakhov discovered an information leak in the __block_prepare_write() function. During error recovery, this function did not properly clear memory buffers which could allow local users to read portions of unlinked files. This only affects Ubuntu 5.10. (CVE-2006-4813) ADLab Venustech Info Ltd discovered that the ATM network driver referenced an already released pointer in some circumstances. By sending specially crafted packets to a host over ATM, a remote attacker could exploit this to crash that host. This does not affect Ubuntu 6.10. (CVE-2006-4997) Matthias Andree discovered that the NFS locking management daemon (lockd) did not correctly handle mixing of
    last seen2020-06-01
    modified2020-06-02
    plugin id27981
    published2007-11-10
    reporterUbuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27981
    titleUbuntu 5.10 / 6.06 LTS / 6.10 : linux-source-2.6.12/-2.6.15/-2.6.17 vulnerabilities (USN-395-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-395-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(27981);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:33:01");
    
      script_cve_id("CVE-2006-4572", "CVE-2006-4813", "CVE-2006-4997", "CVE-2006-5158", "CVE-2006-5173", "CVE-2006-5619", "CVE-2006-5648", "CVE-2006-5649", "CVE-2006-5701", "CVE-2006-5751", "CVE-2006-5755", "CVE-2006-5871");
      script_bugtraq_id(20363, 20847, 20955, 21353, 21522, 21523);
      script_xref(name:"USN", value:"395-1");
    
      script_name(english:"Ubuntu 5.10 / 6.06 LTS / 6.10 : linux-source-2.6.12/-2.6.15/-2.6.17 vulnerabilities (USN-395-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Mark Dowd discovered that the netfilter iptables module did not
    correcly handle fragmented packets. By sending specially crafted
    packets, a remote attacker could exploit this to bypass firewall
    rules. This has only be fixed for Ubuntu 6.10; the corresponding fix
    for Ubuntu 5.10 and 6.06 will follow soon. (CVE-2006-4572)
    
    Dmitriy Monakhov discovered an information leak in the
    __block_prepare_write() function. During error recovery, this function
    did not properly clear memory buffers which could allow local users to
    read portions of unlinked files. This only affects Ubuntu 5.10.
    (CVE-2006-4813)
    
    ADLab Venustech Info Ltd discovered that the ATM network driver
    referenced an already released pointer in some circumstances. By
    sending specially crafted packets to a host over ATM, a remote
    attacker could exploit this to crash that host. This does not affect
    Ubuntu 6.10. (CVE-2006-4997)
    
    Matthias Andree discovered that the NFS locking management daemon
    (lockd) did not correctly handle mixing of 'lock' and 'nolock' option
    mounts on the same client. A remote attacker could exploit this to
    crash lockd and thus rendering the NFS imports inaccessible. This only
    affects Ubuntu 5.10. (CVE-2006-5158)
    
    The task switching code did not save and restore EFLAGS of processes.
    By starting a specially crafted executable, a local attacker could
    exploit this to eventually crash many other running processes. This
    does not affect Ubuntu 6.10. (CVE-2006-5173)
    
    James Morris discovered that the ip6fl_get_n() function incorrectly
    handled flow labels. A local attacker could exploit this to crash the
    kernel. (CVE-2006-5619)
    
    Fabio Massimo Di Nitto discovered that the sys_get_robust_list and
    sys_set_robust_list system calls lacked proper lock handling on the
    powerpc platform. A local attacker could exploit this to create
    unkillable processes, drain all available CPU/memory, and render the
    machine unrebootable. This only affects Ubuntu 6.10. (CVE-2006-5648)
    
    Fabio Massimo Di Nitto discovered a flaw in the alignment check
    exception handling on the powerpc platform. A local attacker could
    exploit this to cause a kernel panic and crash the machine.
    (CVE-2006-5649)
    
    Certain corrupted squashfs file system images caused a memory
    allocation to be freed twice. By mounting a specially crafted squashfs
    file system, a local attacker could exploit this to crash the kernel.
    This does not affect Ubuntu 5.10. (CVE-2006-5701)
    
    An integer overflow was found in the get_fdb_entries() function of the
    network bridging code. By executing a specially crafted ioctl, a local
    attacker could exploit this to execute arbitrary code with root
    privileges. (CVE-2006-5751).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/395-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.12");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.15");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.17");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-686");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-686-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-k8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-k8-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-xeon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-686");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-686-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-k8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-k8-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-xeon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-kdump");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-libc-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-patch-ubuntu-2.6.12");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.12");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.15");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.17");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-tree-2.6.12");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/12/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(5\.10|6\.06|6\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 5.10 / 6.06 / 6.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2006-4572", "CVE-2006-4813", "CVE-2006-4997", "CVE-2006-5158", "CVE-2006-5173", "CVE-2006-5619", "CVE-2006-5648", "CVE-2006-5649", "CVE-2006-5701", "CVE-2006-5751", "CVE-2006-5755", "CVE-2006-5871");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-395-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"5.10", pkgname:"linux-doc-2.6.12", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-headers-2.6.12-10", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-headers-2.6.12-10-386", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-headers-2.6.12-10-686", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-headers-2.6.12-10-686-smp", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-headers-2.6.12-10-amd64-generic", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-headers-2.6.12-10-amd64-k8", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-headers-2.6.12-10-amd64-k8-smp", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-headers-2.6.12-10-amd64-xeon", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-image-2.6.12-10-386", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-image-2.6.12-10-686", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-image-2.6.12-10-686-smp", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-image-2.6.12-10-amd64-generic", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-image-2.6.12-10-amd64-k8", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-image-2.6.12-10-amd64-k8-smp", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-image-2.6.12-10-amd64-xeon", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-patch-ubuntu-2.6.12", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-source-2.6.12", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"linux-tree-2.6.12", pkgver:"2.6.12-10.42")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-doc-2.6.15", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-27", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-27-386", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-27-686", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-27-amd64-generic", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-27-amd64-k8", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-27-amd64-server", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-27-amd64-xeon", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-27-server", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-27-386", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-27-686", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-27-amd64-generic", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-27-amd64-k8", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-27-amd64-server", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-27-amd64-xeon", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-27-server", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-kernel-devel", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-source-2.6.15", pkgver:"2.6.15-27.50")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"linux-doc-2.6.17", pkgver:"2.6.17.1-10.34")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"linux-headers-2.6.17-10", pkgver:"2.6.17.1-10.34")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"linux-headers-2.6.17-10-386", pkgver:"2.6.17.1-10.34")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"linux-headers-2.6.17-10-generic", pkgver:"2.6.17.1-10.34")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"linux-headers-2.6.17-10-server", pkgver:"2.6.17.1-10.34")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"linux-image-2.6.17-10-386", pkgver:"2.6.17.1-10.34")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"linux-image-2.6.17-10-generic", pkgver:"2.6.17.1-10.34")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"linux-image-2.6.17-10-server", pkgver:"2.6.17.1-10.34")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"linux-image-debug-2.6.17-10-386", pkgver:"2.6.17.1-10.34")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"linux-image-debug-2.6.17-10-generic", pkgver:"2.6.17.1-10.34")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"linux-image-debug-2.6.17-10-server", pkgver:"2.6.17.1-10.34")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"linux-image-kdump", pkgver:"2.6.17.1-10.34")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"linux-kernel-devel", pkgver:"2.6.17.1-10.34")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"linux-libc-dev", pkgver:"2.6.17.1-10.34")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"linux-source-2.6.17", pkgver:"2.6.17.1-10.34")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-doc-2.6.12 / linux-doc-2.6.15 / linux-doc-2.6.17 / etc");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2007-0488.NASL
    descriptionFrom Red Hat Security Advisory 2007:0488 : Updated kernel packages that fix several security issues and bugs in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : * a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) * a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (crash). (CVE-2006-7203, Important) * a flaw in the IPv4 forwarding base that allowed a local user to cause an out-of-bounds access. (CVE-2007-2172, Important) * a flaw in the PPP over Ethernet implementation that allowed a local user to cause a denial of service (memory consumption) by creating a socket using connect and then releasing it before the PPPIOCGCHAN ioctl has been called. (CVE-2007-2525, Important) * a flaw in the fput ioctl handling of 32-bit applications running on 64-bit platforms that allowed a local user to cause a denial of service (panic). (CVE-2007-0773, Important) * a flaw in the NFS locking daemon that allowed a local user to cause denial of service (deadlock). (CVE-2006-5158, Moderate) * a flaw in the sysfs_readdir function that allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104, Moderate) * a flaw in the core-dump handling that allowed a local user to create core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958, Low) * a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak. (CVE-2007-1353, Low) In addition, the following bugs were addressed : * the NFS could recurse on the same spinlock. Also, NFS, under certain conditions, did not completely clean up Posix locks on a file close, leading to mount failures. * the 32bit compatibility didn
    last seen2020-06-01
    modified2020-06-02
    plugin id67520
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67520
    titleOracle Linux 4 : kernel (ELSA-2007-0488)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2007:0488 and 
    # Oracle Linux Security Advisory ELSA-2007-0488 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(67520);
      script_version("1.14");
      script_cvs_date("Date: 2019/10/25 13:36:06");
    
      script_cve_id("CVE-2006-5158", "CVE-2006-7203", "CVE-2007-0773", "CVE-2007-0958", "CVE-2007-1353", "CVE-2007-2172", "CVE-2007-2525", "CVE-2007-2876", "CVE-2007-3104");
      script_bugtraq_id(23870, 24376, 24631);
      script_xref(name:"RHSA", value:"2007:0488");
    
      script_name(english:"Oracle Linux 4 : kernel (ELSA-2007-0488)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2007:0488 :
    
    Updated kernel packages that fix several security issues and bugs in
    the Red Hat Enterprise Linux 4 kernel are now available.
    
    This security advisory has been rated as having important security
    impact by the Red Hat Security Response Team.
    
    The Linux kernel handles the basic functions of the operating system.
    
    These new kernel packages contain fixes for the security issues
    described below :
    
    * a flaw in the connection tracking support for SCTP that allowed a
    remote user to cause a denial of service by dereferencing a NULL
    pointer. (CVE-2007-2876, Important)
    
    * a flaw in the mount handling routine for 64-bit systems that allowed
    a local user to cause denial of service (crash). (CVE-2006-7203,
    Important)
    
    * a flaw in the IPv4 forwarding base that allowed a local user to
    cause an out-of-bounds access. (CVE-2007-2172, Important)
    
    * a flaw in the PPP over Ethernet implementation that allowed a local
    user to cause a denial of service (memory consumption) by creating a
    socket using connect and then releasing it before the PPPIOCGCHAN
    ioctl has been called. (CVE-2007-2525, Important)
    
    * a flaw in the fput ioctl handling of 32-bit applications running on
    64-bit platforms that allowed a local user to cause a denial of
    service (panic). (CVE-2007-0773, Important)
    
    * a flaw in the NFS locking daemon that allowed a local user to cause
    denial of service (deadlock). (CVE-2006-5158, Moderate)
    
    * a flaw in the sysfs_readdir function that allowed a local user to
    cause a denial of service by dereferencing a NULL pointer.
    (CVE-2007-3104, Moderate)
    
    * a flaw in the core-dump handling that allowed a local user to create
    core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958,
    Low)
    
    * a flaw in the Bluetooth subsystem that allowed a local user to
    trigger an information leak. (CVE-2007-1353, Low)
    
    In addition, the following bugs were addressed :
    
    * the NFS could recurse on the same spinlock. Also, NFS, under certain
    conditions, did not completely clean up Posix locks on a file close,
    leading to mount failures.
    
    * the 32bit compatibility didn't return to userspace correct values
    for the rt_sigtimedwait system call.
    
    * the count for unused inodes could be incorrect at times, resulting
    in dirty data not being written to disk in a timely manner.
    
    * the cciss driver had an incorrect disk size calculation (off-by-one
    error) which prevented disk dumps.
    
    Red Hat would like to thank Ilja van Sprundel and the OpenVZ Linux
    kernel team for reporting issues fixed in this erratum.
    
    All Red Hat Enterprise Linux 4 users are advised to upgrade their
    kernels to the packages associated with their machine architectures
    and configurations as listed in this erratum."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2007-June/000244.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-largesmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-largesmp-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-smp-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-sourcecode");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-xenU");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-xenU-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/06/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 4", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2006-5158", "CVE-2006-7203", "CVE-2007-0773", "CVE-2007-0958", "CVE-2007-1353", "CVE-2007-2172", "CVE-2007-2525", "CVE-2007-2876", "CVE-2007-3104");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2007-0488");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "2.6";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL4", rpm:"kernel-2.6.9") && rpm_check(release:"EL4", cpu:"x86_64", reference:"kernel-2.6.9-55.0.2.0.1.EL")) flag++;
    if (rpm_exists(release:"EL4", rpm:"kernel-devel-2.6.9") && rpm_check(release:"EL4", cpu:"x86_64", reference:"kernel-devel-2.6.9-55.0.2.0.1.EL")) flag++;
    if (rpm_exists(release:"EL4", rpm:"kernel-doc-2.6.9") && rpm_check(release:"EL4", cpu:"x86_64", reference:"kernel-doc-2.6.9-55.0.2.0.1.EL")) flag++;
    if (rpm_exists(release:"EL4", rpm:"kernel-largesmp-2.6.9") && rpm_check(release:"EL4", cpu:"x86_64", reference:"kernel-largesmp-2.6.9-55.0.2.0.1.EL")) flag++;
    if (rpm_exists(release:"EL4", rpm:"kernel-largesmp-devel-2.6.9") && rpm_check(release:"EL4", cpu:"x86_64", reference:"kernel-largesmp-devel-2.6.9-55.0.2.0.1.EL")) flag++;
    if (rpm_exists(release:"EL4", rpm:"kernel-smp-2.6.9") && rpm_check(release:"EL4", cpu:"x86_64", reference:"kernel-smp-2.6.9-55.0.2.0.1.EL")) flag++;
    if (rpm_exists(release:"EL4", rpm:"kernel-smp-devel-2.6.9") && rpm_check(release:"EL4", cpu:"x86_64", reference:"kernel-smp-devel-2.6.9-55.0.2.0.1.EL")) flag++;
    if (rpm_exists(release:"EL4", rpm:"kernel-sourcecode-2.6.9") && rpm_check(release:"EL4", cpu:"x86_64", reference:"kernel-sourcecode-2.6.9-55.0.2.0.1.EL")) flag++;
    if (rpm_exists(release:"EL4", rpm:"kernel-xenU-2.6.9") && rpm_check(release:"EL4", cpu:"x86_64", reference:"kernel-xenU-2.6.9-55.0.2.0.1.EL")) flag++;
    if (rpm_exists(release:"EL4", rpm:"kernel-xenU-devel-2.6.9") && rpm_check(release:"EL4", cpu:"x86_64", reference:"kernel-xenU-devel-2.6.9-55.0.2.0.1.EL")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    

Oval

accepted2013-04-29T04:02:00.926-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionThe nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel before 2.6.16 allows remote attackers to cause a denial of service (process crash) and deny access to NFS exports via unspecified vectors that trigger a kernel oops (null dereference) and a deadlock.
familyunix
idoval:org.mitre.oval:def:10128
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleThe nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel before 2.6.16 allows remote attackers to cause a denial of service (process crash) and deny access to NFS exports via unspecified vectors that trigger a kernel oops (null dereference) and a deadlock.
version26

Redhat

advisories
rhsa
idRHSA-2007:0488
rpms
  • kernel-0:2.6.9-55.0.2.EL
  • kernel-debuginfo-0:2.6.9-55.0.2.EL
  • kernel-devel-0:2.6.9-55.0.2.EL
  • kernel-doc-0:2.6.9-55.0.2.EL
  • kernel-hugemem-0:2.6.9-55.0.2.EL
  • kernel-hugemem-devel-0:2.6.9-55.0.2.EL
  • kernel-largesmp-0:2.6.9-55.0.2.EL
  • kernel-largesmp-devel-0:2.6.9-55.0.2.EL
  • kernel-smp-0:2.6.9-55.0.2.EL
  • kernel-smp-devel-0:2.6.9-55.0.2.EL
  • kernel-xenU-0:2.6.9-55.0.2.EL
  • kernel-xenU-devel-0:2.6.9-55.0.2.EL

Statements

contributorJoshua Bressers
lastmodified2006-10-16
organizationRed Hat
statementRed Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 4: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=210128 This issue does not affect Red Hat Enterprise Linux 2.1 or 3.

References