CVE-2007-1000 - Information Disclosure vulnerability in Linux Kernel IPV6_Getsockopt_Sticky Memory Leak
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference.
Vulnerable Configurations
Exploit-Db
description | Linux Kernel < 2.6.20.2 IPV6_Getsockopt_Sticky Memory Leak PoC. CVE-2007-1000. Local exploit for linux platform |
id | EDB-ID:4172 |
last seen | 2016-01-31 |
modified | 2007-07-10 |
published | 2007-07-10 |
reporter | dreyer |
source | https://www.exploit-db.com/download/4172/ |
title | Linux Kernel < 2.6.20.2 - IPv6_Getsockopt_Sticky Memory Leak PoC |
Nessus
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2007-336.NASL |
description | Rebased to kernel 2.6.20.3-rc1 : http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.1 (The CVE fix in 2.6.20.1 is already in kernel-2.6.19-1.2911.6.5.fc6.) http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.2 Changelog for 2.6.20.3 is not available yet. This release does not include Xen kernels. CVE-2007-0005: A vulnerability has been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges. The vulnerability is caused due to boundary errors within the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 24824 |
published | 2007-03-16 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/24824 |
title | Fedora Core 5 : kernel-2.6.20-1.2300.fc5 (2007-336) |
code |

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Fedora Security Advisory 2007-336.
    #

    include("compat.inc");

    if (description)
    {
      script_id(24824);
      script_version ("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:26");

      script_cve_id("CVE-2007-0005", "CVE-2007-1000");
      script_xref(name:"FEDORA", value:"2007-336");

      script_name(english:"Fedora Core 5 : kernel-2.6.20-1.2300.fc5 (2007-336)");
      script_summary(english:"Checks rpm output for the updated packages.");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Rebased to kernel 2.6.20.3-rc1 :

    http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20
    http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.1 (The
    CVE fix in 2.6.20.1 is already in kernel-2.6.19-1.2911.6.5.fc6.)
    http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.2

    Changelog for 2.6.20.3 is not available yet.

    This release does not include Xen kernels.

    CVE-2007-0005: A vulnerability has been reported in the Linux Kernel,
    which potentially can be exploited by malicious, local users to cause
    a DoS (Denial of Service) or gain escalated privileges. The
    vulnerability is caused due to boundary errors within the 'read()' and
    'write()' functions of the Omnikey CardMan 4040 driver. This can be
    exploited to cause a buffer overflow and may allow the execution of
    arbitrary code with kernel privileges.

    CVE-2007-1000: A vulnerability has been reported in the Linux Kernel,
    which can be exploited by malicious, local users to cause a DoS
    (Denial of Service) or disclose potentially sensitive information. The
    vulnerability is due to a NULL pointer dereference within the
    'ipv6_getsockopt_sticky()' function in net/ipv6/ipv6_sockglue.c. This
    can be exploited to crash the kernel or disclose kernel memory.

    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20
      script_set_attribute(
        attribute:"see_also",
        value:"https://mirrors.edge.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20"
      );
      # http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.1
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d2de9e24"
      );
      # http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.2
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1c08e72f"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2007-March/001567.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4067ac3c"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-kdump");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-kdump-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-smp-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-smp-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-smp-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:5");

      script_set_attribute(attribute:"patch_publication_date", value:"2007/03/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/03/16");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 5.x", "Fedora " + os_ver);

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

    flag = 0;
    if (rpm_check(release:"FC5", reference:"kernel-2.6.20-1.2300.fc5")) flag++;
    if (rpm_check(release:"FC5", reference:"kernel-debug-2.6.20-1.2300.fc5")) flag++;
    if (rpm_check(release:"FC5", reference:"kernel-debug-devel-2.6.20-1.2300.fc5")) flag++;
    if (rpm_check(release:"FC5", reference:"kernel-debuginfo-2.6.20-1.2300.fc5")) flag++;
    if (rpm_check(release:"FC5", reference:"kernel-devel-2.6.20-1.2300.fc5")) flag++;
    if (rpm_check(release:"FC5", reference:"kernel-doc-2.6.20-1.2300.fc5")) flag++;
    if (rpm_check(release:"FC5", reference:"kernel-kdump-2.6.20-1.2300.fc5")) flag++;
    if (rpm_check(release:"FC5", reference:"kernel-kdump-devel-2.6.20-1.2300.fc5")) flag++;
    if (rpm_check(release:"FC5", cpu:"i386", reference:"kernel-smp-2.6.20-1.2300.fc5")) flag++;
    if (rpm_check(release:"FC5", cpu:"i386", reference:"kernel-smp-debug-2.6.20-1.2300.fc5")) flag++;
    if (rpm_check(release:"FC5", cpu:"i386", reference:"kernel-smp-debug-devel-2.6.20-1.2300.fc5")) flag++;
    if (rpm_check(release:"FC5", cpu:"i386", reference:"kernel-smp-devel-2.6.20-1.2300.fc5")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-debug / kernel-debug-devel / kernel-debuginfo / etc");
    }

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2007-335.NASL |
description | Rebased to kernel 2.6.20.3-rc1 : http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.1 (The CVE fix in 2.6.20.1 is already in kernel-2.6.19-1.2911.6.5.fc6.) http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.2 Changelog for 2.6.20.3 is not available yet. This release does not include Xen kernels. CVE-2007-0005: A vulnerability has been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges. The vulnerability is caused due to boundary errors within the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 24823 |
published | 2007-03-16 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/24823 |
title | Fedora Core 6 : kernel-2.6.20-1.2925.fc6 (2007-335) |
code |

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Fedora Security Advisory 2007-335.
    #

    include("compat.inc");

    if (description)
    {
      script_id(24823);
      script_version ("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:26");

      script_cve_id("CVE-2007-0005", "CVE-2007-1000");
      script_xref(name:"FEDORA", value:"2007-335");

      script_name(english:"Fedora Core 6 : kernel-2.6.20-1.2925.fc6 (2007-335)");
      script_summary(english:"Checks rpm output for the updated packages.");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Rebased to kernel 2.6.20.3-rc1 :

    http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20
    http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.1 (The
    CVE fix in 2.6.20.1 is already in kernel-2.6.19-1.2911.6.5.fc6.)
    http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.2

    Changelog for 2.6.20.3 is not available yet.

    This release does not include Xen kernels.

    CVE-2007-0005: A vulnerability has been reported in the Linux Kernel,
    which potentially can be exploited by malicious, local users to cause
    a DoS (Denial of Service) or gain escalated privileges. The
    vulnerability is caused due to boundary errors within the 'read()' and
    'write()' functions of the Omnikey CardMan 4040 driver. This can be
    exploited to cause a buffer overflow and may allow the execution of
    arbitrary code with kernel privileges.

    CVE-2007-1000: A vulnerability has been reported in the Linux Kernel,
    which can be exploited by malicious, local users to cause a DoS
    (Denial of Service) or disclose potentially sensitive information. The
    vulnerability is due to a NULL pointer dereference within the
    'ipv6_getsockopt_sticky()' function in net/ipv6/ipv6_sockglue.c. This
    can be exploited to crash the kernel or disclose kernel memory.

    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20
      script_set_attribute(
        attribute:"see_also",
        value:"https://mirrors.edge.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20"
      );
      # http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.1
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d2de9e24"
      );
      # http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.2
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1c08e72f"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2007-March/001566.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?50b4fa0d"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-PAE");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-PAE-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-PAE-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-PAE-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-PAE-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-PAE-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debuginfo-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-kdump");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-kdump-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-kdump-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:6");

      script_set_attribute(attribute:"patch_publication_date", value:"2007/03/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/03/16");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 6.x", "Fedora " + os_ver);

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

    flag = 0;
    if (rpm_check(release:"FC6", reference:"kernel-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", cpu:"i386", reference:"kernel-PAE-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", cpu:"i386", reference:"kernel-PAE-debug-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", cpu:"i386", reference:"kernel-PAE-debug-debuginfo-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", cpu:"i386", reference:"kernel-PAE-debug-devel-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", cpu:"i386", reference:"kernel-PAE-debuginfo-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", cpu:"i386", reference:"kernel-PAE-devel-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", reference:"kernel-debug-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", reference:"kernel-debug-debuginfo-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", reference:"kernel-debug-devel-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", reference:"kernel-debuginfo-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", reference:"kernel-debuginfo-common-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", reference:"kernel-devel-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", reference:"kernel-doc-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", reference:"kernel-headers-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", reference:"kernel-kdump-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", reference:"kernel-kdump-debuginfo-2.6.20-1.2925.fc6")) flag++;
    if (rpm_check(release:"FC6", reference:"kernel-kdump-devel-2.6.20-1.2925.fc6")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-PAE / kernel-PAE-debug / kernel-PAE-debug-debuginfo / etc");
    }

NASL family | Mandriva Local Security Checks |
NASL id | MANDRAKE_MDKSA-2007-078.NASL |
description | Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : When SELinux hooks are enabled, the kernel could allow a local user to cause a DoS (crash) via a malformed file stream that triggers a NULL pointer dereference (CVE-2006-6056). Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges. (CVE-2007-0005) The Linux kernel version 2.6.13 to 2.6.20.1 allowed a remote attacker to cause a DoS (oops) via a crafted NFSACL2 ACCESS request that triggered a free of an incorrect pointer (CVE-2007-0772). A local user could read unreadable binaries by using the interpreter (PT_INTERP) functionality and triggering a core dump; a variant of CVE-2004-1073 (CVE-2007-0958). The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference. (CVE-2007-1000) Buffer overflow in the bufprint function in capiutil.c in libcapi, as used in Linux kernel 2.6.9 to 2.6.20 and isdn4k-utils, allows local users to cause a denial of service (crash) and possibly gain privileges via a crafted CAPI packet. (CVE-2007-1217) The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel 2.6.17, and possibly other versions, allows local users to cause a denial of service (oops) by calling setsockopt with the IPV6_RTHDR option name and possibly a zero option length or invalid option value, which triggers a NULL pointer dereference. (CVE-2007-1388) net/ipv6/tcp_ipv6.c in Linux kernel 2.4 and 2.6.x up to 2.6.21-rc3 inadvertently copies the ipv6_fl_socklist from a listening TCP socket to child sockets, which allows local users to cause a denial of service (OOPS) or double-free by opening a listening IPv6 socket, attaching a flow label, and connecting to that socket. (CVE-2007-1592) The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels immediately and reboot to effect the fixes. In addition to these security fixes, other fixes have been included such as : - Suspend to disk speed improvements - Add nmi watchdog support for core2 - Add atl1 driver - Update KVM - Add acer_acpi - Update asus_acpi - Fix suspend on r8169, i8259A - Fix suspend when using ondemand governor - Add ide acpi support - Add suspend/resume support for sata_nv chipsets. - USB: Let USB-Serial option driver handle anydata devices (#29066) - USB: Add PlayStation 2 Trance Vibrator driver - Fix bogus delay loop in video/aty/mach64_ct.c - Add MCP61 support (#29398) - USB: fix floppy drive SAMSUNG SFD-321U/EP detected 8 times bug - Improve keyboard handling on Apple MacBooks - Add -latest patch - Workaround a possible binutils bug in smp alternatives - Add forcedeth support - Fix potential deadlock in driver core (USB hangs at boot time #24683) To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 24944 |
published | 2007-04-05 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/24944 |
title | Mandrake Linux Security Advisory : kernel (MDKSA-2007:078) |
code |

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Mandrake Linux Security Advisory MDKSA-2007:078.
    # The text itself is copyright (C) Mandriva S.A.
    #

    if (NASL_LEVEL < 3000) exit(0);

    include("compat.inc");

    if (description)
    {
      script_id(24944);
      script_version ("1.22");
      script_cvs_date("Date: 2019/08/02 13:32:49");

      script_cve_id("CVE-2006-6056", "CVE-2007-0005", "CVE-2007-0772", "CVE-2007-0958", "CVE-2007-1000", "CVE-2007-1217", "CVE-2007-1388", "CVE-2007-1592");
      script_bugtraq_id(22625);
      script_xref(name:"MDKSA", value:"2007:078");

      script_name(english:"Mandrake Linux Security Advisory : kernel (MDKSA-2007:078)");
      script_summary(english:"Checks rpm output for the updated packages");

      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Some vulnerabilities were discovered and corrected in the Linux 2.6
    kernel :

    When SELinux hooks are enabled, the kernel could allow a local user to
    cause a DoS (crash) via a malformed file stream that triggers a NULL
    pointer derefernece (CVE-2006-6056).

    Multiple buffer overflows in the (1) read and (2) write handlers in
    the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3
    allow local users to gain privileges. (CVE-2007-0005)

    The Linux kernel version 2.6.13 to 2.6.20.1 allowed a remote attacker
    to cause a DoS (oops) via a crafted NFSACL2 ACCESS request that
    triggered a free of an incorrect pointer (CVE-2007-0772).

    A local user could read unreadable binaries by using the interpreter
    (PT_INTERP) functionality and triggering a core dump; a variant of
    CVE-2004-1073 (CVE-2007-0958).

    The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the
    Linux kernel before 2.6.20.2 allows local users to read arbitrary
    kernel memory via certain getsockopt calls that trigger a NULL
    dereference. (CVE-2007-1000)

    Buffer overflow in the bufprint function in capiutil.c in libcapi, as
    used in Linux kernel 2.6.9 to 2.6.20 and isdn4k-utils, allows local
    users to cause a denial of service (crash) and possibly gain
    privileges via a crafted CAPI packet. (CVE-2007-1217)

    The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux
    kernel 2.6.17, and possibly other versions, allows local users to
    cause a denial of service (oops) by calling setsockopt with the
    IPV6_RTHDR option name and possibly a zero option length or invalid
    option value, which triggers a NULL pointer dereference.
    (CVE-2007-1388)

    net/ipv6/tcp_ipv6.c in Linux kernel 2.4 and 2.6.x up to 2.6.21-rc3
    inadvertently copies the ipv6_fl_socklist from a listening TCP socket
    to child sockets, which allows local users to cause a denial of
    service (OOPS) or double-free by opening a listeing IPv6 socket,
    attaching a flow label, and connecting to that socket. (CVE-2007-1592)

    The provided packages are patched to fix these vulnerabilities. All
    users are encouraged to upgrade to these updated kernels immediately
    and reboot to effect the fixes.

    In addition to these security fixes, other fixes have been included
    such as :

      - Suspend to disk speed improvements
      - Add nmi watchdog support for core2
      - Add atl1 driver
      - Update KVM
      - Add acer_acpi
      - Update asus_acpi
      - Fix suspend on r8169, i8259A
      - Fix suspend when using ondemand governor
      - Add ide acpi support
      - Add suspend/resume support for sata_nv chipsets.
      - USB: Let USB-Serial option driver handle anydata devices (#29066)
      - USB: Add PlayStation 2 Trance Vibrator driver
      - Fix bogus delay loop in video/aty/mach64_ct.c
      - Add MCP61 support (#29398)
      - USB: fix floppy drive SAMSUNG SFD-321U/EP detected 8 times bug
      - Improve keyboard handling on Apple MacBooks
      - Add -latest patch
      - Workaround a possible binutils bug in smp alternatives
      - Add forcedeth support
      - Fix potential deadlock in driver core (USB hangs at boot time #24683)

    To update your kernel, please follow the directions located at :

    http://www.mandriva.com/en/security/kernelupdate"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(119, 399);

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.6.17.13mdv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-doc-2.6.17.13mdv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.6.17.13mdv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-legacy-2.6.17.13mdv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-2.6.17.13mdv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-stripped-2.6.17.13mdv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xen0-2.6.17.13mdv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xenU-2.6.17.13mdv");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007");

      script_set_attribute(attribute:"patch_publication_date", value:"2007/04/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/05");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

    flag = 0;
    if (rpm_check(release:"MDK2007.0", reference:"kernel-2.6.17.13mdv-1-1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"kernel-doc-2.6.17.13mdv-1-1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"i386", reference:"kernel-enterprise-2.6.17.13mdv-1-1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"i386", reference:"kernel-legacy-2.6.17.13mdv-1-1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"kernel-source-2.6.17.13mdv-1-1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"kernel-source-stripped-2.6.17.13mdv-1-1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"kernel-xen0-2.6.17.13mdv-1-1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"kernel-xenU-2.6.17.13mdv-1-1mdv2007.0", yank:"mdv")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");

NASL family | SuSE Local Security Checks |
NASL id | SUSE_KERNEL-3128.NASL |
description | This kernel update fixes the following security problems : - CVE-2007-1000 A NULL pointer dereference in the IPv6 sockopt handling can be used by local attackers to read arbitrary kernel memory and so gain access to private information. - CVE-2007-1388 A NULL pointer dereference could be used by local attackers to cause an Oops / crash of the machine. - CVE-2007-1592 A possible double free in the ipv6/flowlabel handling was fixed. - CVE-2007-1357 A remote denial of service attack in the AppleTalk protocol handler was fixed. This attack is only possible on the local subnet, and requires the AppleTalk protocol module to be loaded (which is not done by default). and the following non security bugs : - patches.fixes/visor_write_race.patch: fix race allowing overstepping memory limit in visor_write (Mainline: 2.6.21) - patches.drivers/libata-ide-via-add-PCI-IDs: via82cxxx/pata_via: backport PCI IDs (254158). - libata: implement HDIO_GET_IDENTITY (255413). - sata_sil24: Add Adaptec 1220SA PCI ID. (Mainline: 2.6.21) - ide: backport hpt366 from devel tree (244502). - mm: fix madvise infinite loop (248167). - libata: hardreset on SERR_INTERNAL (241334). - limited WPA support for prism54 (207944) - jmicron: match class instead of function number (224784, 207707) - ahci: RAID mode SATA patch for Intel ICH9M (Mainline: 2.6.21) - libata: blacklist FUJITSU MHT2060BH for NCQ (Mainline: 2.6.21) - libata: add missing PM callbacks. (Mainline: 2.6.20) - patches.fixes/nfs-readdir-timestamp: Set meaningful value for fattr->time_start in readdirplus results. (244967). - patches.fixes/usb_volito.patch: wacom volito tablet not working (#248832). - patches.fixes/965-fix: fix detection of aperture size versus GTT size on G965 (#258013). - patches.fixes/sbp2-MODE_SENSE-fix.diff: use proper MODE SENSE, fixes recognition of device properties (261086) - patches.fixes/ipt_CLUSTERIP_refcnt_fix: ipv4/netfilter/ipt_CLUSTERIP.c - refcnt fix (238646) - patches.fixes/reiserfs-fix-vs-13060.diff: reiserfs: fix corruption with vs-13060 (257735). - patches.drivers/ati-rs400_200-480-disable-msi: pci-quirks: disable MSI on RS400-200 and RS480 (263893). - patches.drivers/libata-ahci-ignore-interr-on-SB600: ahci.c: workaround for SB600 SATA internal error issue (#264792). Furthermore, CONFIG_USB_DEVICEFS has been re-enabled to allow use of USB in legacy applications like VMware. (#210899). |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 27294 |
published | 2007-10-17 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/27294 |
title | openSUSE 10 Security Update : kernel (kernel-3128) |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-489-1.NASL |
description | A flaw was discovered in dvb ULE decapsulation. A remote attacker could send a specially crafted message and cause a denial of service. (CVE-2006-4623) The compat_sys_mount function allowed local users to cause a denial of service when mounting a smbfs filesystem in compatibility mode. (CVE-2006-7203) The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of buffers passed to read() and write(). A local attacker could exploit this to execute arbitrary code with kernel privileges. (CVE-2007-0005) Due to a variable handling flaw in the ipv6_getsockopt_sticky() function a local attacker could exploit the getsockopt() calls to read arbitrary kernel memory. This could disclose sensitive data. (CVE-2007-1000) Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information. (CVE-2007-1353) A flaw was discovered in the handling of netlink messages. Local attackers could cause infinite recursion leading to a denial of service. (CVE-2007-1861) The random number generator was hashing a subset of the available entropy, leading to slightly less random numbers. Additionally, systems without an entropy source would be seeded with the same inputs at boot time, leading to a repeatable series of random numbers. (CVE-2007-2453) A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525) An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875) Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876) Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878) A flaw was discovered in the cluster manager. A remote attacker could connect to the DLM port and block further DLM operations. (CVE-2007-3380) A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 28090 |
published | 2007-11-10 |
reporter | Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/28090 |
title | Ubuntu 6.06 LTS : linux-source-2.6.15 vulnerability (USN-489-1) |

NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2007-0169.NASL |
description | Updated kernel packages that fix security issues and bugs in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * a flaw in the IPv6 socket option handling that allowed a local user to read arbitrary kernel memory (CVE-2007-1000, Important). * a flaw in the IPv6 socket option handling that allowed a local user to cause a denial of service (CVE-2007-1388, Important). * a flaw in the utrace support that allowed a local user to cause a denial of service (CVE-2007-0771, Important). In addition to the security issues described above, a fix for a memory leak in the audit subsystem and a fix for a data corruption bug on s390 systems have been included. Red Hat Enterprise Linux 5 users are advised to upgrade to these erratum packages, which are not vulnerable to these issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25126 |
published | 2007-05-02 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/25126 |
title | CentOS 5 : Kernel (CESA-2007:0169) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2007-0169.NASL |
description | Updated kernel packages that fix security issues and bugs in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system.
These new kernel packages contain fixes for the following security issues : * a flaw in the IPv6 socket option handling that allowed a local user to read arbitrary kernel memory (CVE-2007-1000, Important). * a flaw in the IPv6 socket option handling that allowed a local user to cause a denial of service (CVE-2007-1388, Important). * a flaw in the utrace support that allowed a local user to cause a denial of service (CVE-2007-0771, Important). In addition to the security issues described above, a fix for a memory leak in the audit subsystem and a fix for a data corruption bug on s390 systems have been included. Red Hat Enterprise Linux 5 users are advised to upgrade to these erratum packages, which are not vulnerable to these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 25328 published 2007-05-25 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/25328 title RHEL 5 : kernel (RHSA-2007:0169) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-486-1.NASL description The compat_sys_mount function allowed local users to cause a denial of service when mounting a smbfs filesystem in compatibility mode. (CVE-2006-7203) The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of buffers passed to read() and write(). A local attacker could exploit this to execute arbitrary code with kernel privileges. (CVE-2007-0005) Due to a variable handling flaw in the ipv6_getsockopt_sticky() function a local attacker could exploit the getsockopt() calls to read arbitrary kernel memory. This could disclose sensitive data. (CVE-2007-1000) Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information. (CVE-2007-1353) A flaw was discovered in the handling of netlink messages. 
Local attackers could cause infinite recursion leading to a denial of service. (CVE-2007-1861) A flaw was discovered in the IPv6 stack last seen 2020-06-01 modified 2020-06-02 plugin id 28087 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/28087 title Ubuntu 6.10 : linux-source-2.6.17 vulnerabilities (USN-486-1)
Oval
accepted | 2013-04-29T04:00:22.159-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference. |
family | unix |
id | oval:org.mitre.oval:def:10015 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference. |
version | 18 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/57599/linux-26202.txt |
id | PACKETSTORM:57599 |
last seen | 2016-12-05 |
published | 2007-07-11 |
reporter | dreyer |
source | https://packetstormsecurity.com/files/57599/linux-26202.txt.html |
title | linux-26202.txt |
Redhat
advisories | |
rpms | |
Seebug
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:7035 |
last seen | 2017-11-19 |
modified | 2007-07-11 |
published | 2007-07-11 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-7035 |
title | Linux Kernel < 2.6.20.2 IPV6_Getsockopt_Sticky Memory Leak PoC |

bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:64800 |
last seen | 2017-11-19 |
modified | 2014-07-01 |
published | 2014-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-64800 |
title | Linux Kernel < 2.6.20.2 - IPv6_Getsockopt_Sticky Memory Leak PoC |
References
- http://bugzilla.kernel.org/show_bug.cgi?id=8134
- http://fedoranews.org/cms/node/2787
- http://fedoranews.org/cms/node/2788
- http://lists.suse.com/archive/suse-security-announce/2007-May/0001.html
- http://secunia.com/advisories/24493
- http://secunia.com/advisories/24518
- http://secunia.com/advisories/24777
- http://secunia.com/advisories/24901
- http://secunia.com/advisories/25080
- http://secunia.com/advisories/25099
- http://secunia.com/advisories/25691
- http://secunia.com/advisories/26133
- http://secunia.com/advisories/26139
- http://www.kb.cert.org/vuls/id/920689
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.2
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:078
- http://www.osvdb.org/33025
- http://www.redhat.com/support/errata/RHSA-2007-0169.html
- http://www.securityfocus.com/archive/1/471457
- http://www.securityfocus.com/bid/22904
- http://www.ubuntu.com/usn/usn-486-1
- http://www.ubuntu.com/usn/usn-489-1
- http://www.vupen.com/english/advisories/2007/0907
- http://www.wslabi.com/wabisabilabi/initPublishedBid.do?
- https://issues.rpath.com/browse/RPL-1153
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10015