Vulnerabilities > CVE-2007-3848 - Unspecified vulnerability in Linux Kernel

047910
CVSS 1.9 - LOW
Attack vector
LOCAL
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
local
linux
nessus

Summary

Linux kernel 2.4.35 and other versions allows local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG).

Vulnerable Configurations

Part Description Count
OS
Linux
383

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_KERNEL-4186.NASL
    descriptionThis kernel update fixes the following security problems : - The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers. (CVE-2007-2242) The default is that RH0 is disabled now. To adjust this, write to the file /proc/net/accept_source_route6. - The random number feature in the Linux kernel 2.6 (1) did not properly seed pools when there is no entropy, or (2) used an incorrect cast when extracting entropy, which might have caused the random number generator to provide the same values after reboots on systems without an entropy source. (CVE-2007-2453) - A NULL pointer dereference in SCTP connection tracking could be caused by a remote attacker by sending specially crafted packets. Note that this requires SCTP set-up and active to be exploitable. (CVE-2007-2876) - Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving
    last seen2020-06-01
    modified2020-06-02
    plugin id59123
    published2012-05-17
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59123
    titleSuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4186)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(59123);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/25 13:36:30");
    
      script_cve_id("CVE-2007-2242", "CVE-2007-2453", "CVE-2007-2525", "CVE-2007-2876", "CVE-2007-3105", "CVE-2007-3107", "CVE-2007-3513", "CVE-2007-3848", "CVE-2007-3851");
    
      script_name(english:"SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4186)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This kernel update fixes the following security problems :
    
      - The IPv6 protocol allows remote attackers to cause a
        denial of service via crafted IPv6 type 0 route headers
        (IPV6_RTHDR_TYPE_0) that create network amplification
        between two routers. (CVE-2007-2242)
    
        The default is that RH0 is disabled now. To adjust this,
        write to the file /proc/net/accept_source_route6.
    
      - The random number feature in the Linux kernel 2.6 (1)
        did not properly seed pools when there is no entropy, or
        (2) used an incorrect cast when extracting entropy,
        which might have caused the random number generator to
        provide the same values after reboots on systems without
        an entropy source. (CVE-2007-2453)
    
      - A NULL pointer dereference in SCTP connection tracking
        could be caused by a remote attacker by sending
        specially crafted packets. Note that this requires SCTP
        set-up and active to be exploitable. (CVE-2007-2876)
    
      - Stack-based buffer overflow in the random number
        generator (RNG) implementation in the Linux kernel
        before 2.6.22 might allow local root users to cause a
        denial of service or gain privileges by setting the
        default wakeup threshold to a value greater than the
        output pool size, which triggers writing random numbers
        to the stack by the pool transfer function involving
        'bound check ordering'. (CVE-2007-3105)
    
        Since this value can only be changed by a root user,
        exploitability is low.
    
      - The signal handling in the Linux kernel, when run on
        PowerPC systems using HTX, allows local users to cause a
        denial of service via unspecified vectors involving
        floating point corruption and concurrency.
        (CVE-2007-3107)
    
      - Memory leak in the PPP over Ethernet (PPPoE) socket
        implementation in the Linux kernel allowed local users
        to cause a denial of service (memory consumption) by
        creating a socket using connect, and releasing it before
        the PPPIOCGCHAN ioctl is initialized. (CVE-2007-2525)
    
      - The lcd_write function in drivers/usb/misc/usblcd.c in
        the Linux kernel did not limit the amount of memory used
        by a caller, which allowed local users to cause a denial
        of service (memory consumption). (CVE-2007-3513)
    
      - A local attacker could send a death signal to a setuid
        root program under certain conditions, potentially
        causing unwanted behaviour in this program.
        (CVE-2007-3848)
    
      - On machines with a Intel i965 based graphics card local
        users with access to the direct rendering devicenode
        could overwrite memory on the machine and so gain root
        privileges. (CVE-2007-3851)
    
      - Fixed a denial of service possibility where a local
        attacker with access to a pwc camera device could hang
        the USB subsystem. [#302194]
    
    and the following non security bugs :
    
      - patches.arch/ppc-oprofile-970mp.patch: enable ppc64/970
        MP, requires oprofile 0.9.3 [#252696]
    
      - patches.arch/x86_64-no-tsc-with-C3: don't use TSC on
        x86_64 Intel systems when CPU has C3 [#254061]
    
      - patches.arch/x86_64-hpet-lost-interrupts-fix.patch:
        backport x86_64 hpet lost interrupts code [#257035]
    
      - patches.fixes/fusion-nat-consumption-fix: handle a
        potential race in mptbase. This fixes a NaT consumption
        crash [#257412]
    
      - patches.arch/ia64-skip-clock-calibration: enabled
        [#259501]
    
      - patches.fixes/md-raid1-handle-read-error: Correctly
        handle read errors from a failed drive in raid1
        [#261459]
    
      - patches.arch/ia64-fix-kdump-on-init: kdump on INIT needs
        multi-nodes sync-up (v.2) [#265764]
    
      - patches.arch/ia64-perfmon-fix-2: race condition between
        pfm_context_create and pfm_read [#268131]
    
      - patches.fixes/cpufreq_ppc_boot_option.patch: workaround
        for _PPC (BIOS cpufreq limitations) [#269579]
    
      - patches.arch/acpi_package_object_support.patch: ACPI
        package object as method parameter support (in AML)
        [#270956]
    
      - patches.fixes/ia64_cpufreq_PDC.patch: correctly assign
        as cpufreq capable driver (_PDC) to BIOS [#270973]
    
      - patches.arch/ia64-kdump-hpzx1-ioc-workaround: update to
        latest upstream version of the patch [#271158]
    
      - patches.suse/delayacct_memleak.patch: Fix delayacct
        memory leak [#271187]
    
      - patches.fixes/fc_transport-check-portstate-before-scan:
        check FC portstates before invoking target scan
        [#271338]
    
      - patches.fixes/unusual14cd.patch: quirk for 14cd:6600
        [#274087]
    
      -
        patches.fixes/reiserfs-change_generation_on_update_sd.di
        ff: fix assertion failure in reiserfs [#274288]
    
      -
        patches.drivers/d-link-dge-530t-should-use-the-skge-driv
        er.patch: D-Link DGE-530T should use the skge driver
        [#275376]
    
      - patches.arch/ia64-dont-unwind-running-tasks.patch: Only
        unwind non-running tasks [#275854]
    
      - patches.fixes/dm-mpath-rdac-avt-support: short circuit
        RDAC hardware handler in AVT mode [#277834]
    
      - patches.fixes/lkcd-re-enable-valid_phys_addr_range:
        re-enable the valid_phys_addr_range() check [#279433]
    
      - patches.drivers/cciss-panic-on-reboot: when root
        filesystem is xfs the server cannot do a second reboot
        [#279436] Also resolves same issue in [#291759].
    
      - patches.drivers/ide-hpt366-fix-302n-oops: fix hpt302n
        oops [#279705]
    
      - patches.fixes/serial-8250-backup-timer-2-deadlock-fix:
        fix possible deadlock [#280771]
    
      - patches.fixes/nfs-osync-error-return: ensure proper
        error return from O_SYNC writes [#280833]
    
      - patches.fixes/acpi_pci_hotplug_poweroff.patch: ACPI PCI
        hotplug driver acpiphp unable to power off PCI slot
        [#281234]
    
      -
        patches.drivers/pci-hotplug-acpiphp-remove-hot-plug-para
        meter-write-to-pci-host-bridge.patch: remove hot plug
        parameter write to PCI host bridge [#281239]
    
      - patches.fixes/scsi-set-correct-resid: Incorrect 'resid'
        field values when using a tape device [#281640]
    
      - patches.drivers/usb-edgeport-epic-support.patch: USB:
        add EPIC support to the io_edgeport driver [#281921]
    
      - patches.fixes/usb-hid-ncr-no-init-reports.patch: HID:
        Don't initialize reports for NCR devices [#281921]
    
      - patches.drivers/ppc-power6-ehea.patch: use decimal
        values in sysfs propery logical_port_id, fix panic when
        adding / removing logical eHEA ports [#283070]
    
      - patches.arch/ppc-power6-ebus.patch: DLPAR Adapter
        add/remove functionality for eHEA [#283239]
    
      - patches.fixes/nfs-enospc: Return ENOSPC and EDQUOT to
        NFS write requests more promptly [#284042]
    
      -
        patches.drivers/pci-hotplug-acpiphp-avoid-acpiphp-cannot
        -get-bridge-info-pci-hotplug-failure.patch: PCI:
        hotplug: acpiphp: avoid acpiphp 'cannot get bridge info'
        PCI hotplug failure [#286193]
    
      - patches.drivers/lpfc-8.1.10.9-update: lpfc update to
        8.1.10.9 [#286223]
    
      - patches.fixes/make-swappiness-safer-to-use.patch: Handle
        low swappiness gracefully [#288799]
    
      - patches.arch/ppc-oprofile-power5plusplus.patch: oprofile
        support for Power 5++ [#289223]
    
      - patches.drivers/ppc-power6-ehea.patch: Fixed possible
        kernel panic on VLAN packet recv [#289301]
    
      - patches.fixes/igrab_should_check_for_i_clear.patch:
        igrab() should check for I_CLEAR [#289576]
    
      - patches.fixes/wait_for_sysfs_population.diff: Driver
        core: bus device event delay [#289964]
    
      -
        patches.drivers/scsi-throttle-SG_DXFER_TO_FROM_DEV-warni
        ng-better: better throttling of SG_DXFER_TO_FROM_DEV
        warning messages [#290117]
    
      -
        patches.arch/mark-unwind-info-for-signal-trampolines-in-
        vdsos.patch: Mark unwind info for signal trampolines in
        vDSOs [#291421]
    
      - patches.fixes/hugetlbfs-stack-grows-fix.patch: don't
        allow the stack to grow into hugetlb reserved regions
        [#294021]
    
      - patches.drivers/alsa-post-sp1-hda-analog-update: add
        support of of missing AD codecs [#294471]
    
      - patches.drivers/alsa-post-sp1-hda-conexant-fixes: fix
        unterminated arrays [#294480]
    
      - patches.fixes/fix_hpet_init_race.patch: fix a race in
        HPET initialization on x86_64 resulting in a lockup on
        boot [#295115]
    
      - patches.drivers/alsa-post-sp1-hda-sigmatel-pin-fix: Fix
        number of pin widgets with STAC codecs [#295653]
    
      -
        patches.fixes/pci-pcieport-driver-remove-invalid-warning
        -message.patch: PCI: pcieport-driver: remove invalid
        warning message [#297135] [#298561]
    
      - patches.kernel.org/patch-2.6.16.NN-$((NN+1)), NN =
        18,...,52: update to Kernel 2.6.16.53; lots of bugfixes
        [#298719] [#186582] [#186583] [#186584]
    
      - patches.fixes/ocfs2-1.2-svn-r3027.diff: proactive patch
        [#298845]
    
      - patches.drivers/b44-phy-fix: Fix frequent PHY resets
        under load on b44 [#301653]
    
      - dd patches.arch/ppc-eeh-node-status-okay.patch firmware
        returns 'okay' instead of 'ok' for node status [#301788]"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2007-2242.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2007-2453.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2007-2525.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2007-2876.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2007-3105.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2007-3107.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2007-3513.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2007-3848.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2007-3851.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 4186.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_cwe_id(119, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/08/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-default-2.6.16.53-0.8")) flag++;
    if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-smp-2.6.16.53-0.8")) flag++;
    if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-source-2.6.16.53-0.8")) flag++;
    if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-syms-2.6.16.53-0.8")) flag++;
    if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-xen-2.6.16.53-0.8")) flag++;
    if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-debug-2.6.16.53-0.8")) flag++;
    if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-default-2.6.16.53-0.8")) flag++;
    if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-kdump-2.6.16.53-0.8")) flag++;
    if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-smp-2.6.16.53-0.8")) flag++;
    if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-source-2.6.16.53-0.8")) flag++;
    if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-syms-2.6.16.53-0.8")) flag++;
    if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-xen-2.6.16.53-0.8")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-509-1.NASL
    descriptionA flaw in the sysfs_readdir function allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104) A buffer overflow was discovered in the random number generator. In environments with granular assignment of root privileges, a local attacker could gain additional privileges. (CVE-2007-3105) A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513) It was discovered that certain setuid-root processes did not correctly reset process death signal handlers. A local user could manipulate this to send signals to processes they would not normally have access to. (CVE-2007-3848) The Direct Rendering Manager for the i915 driver could be made to write to arbitrary memory locations. An attacker with access to a running X11 session could send a specially crafted buffer and gain root privileges. (CVE-2007-3851) It was discovered that the aacraid SCSI driver did not correctly check permissions on certain ioctls. A local attacker could cause a denial of service or gain privileges. (CVE-2007-4308). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id28113
    published2007-11-10
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/28113
    titleUbuntu 6.10 : linux-source-2.6.17 vulnerabilities (USN-509-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2007-1049.NASL
    descriptionFrom Red Hat Security Advisory 2007:1049 : Updated kernel packages that fix several security issues and a bug in the Red Hat Enterprise Linux 3 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) A flaw was found in the IPv4 forwarding base. This allowed a local user to cause a denial of service. (CVE-2007-2172, Important) A flaw was found where a corrupted executable file could cause cross-region memory mappings on Itanium systems. This allowed a local user to cause a denial of service. (CVE-2006-4538, Moderate) A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) As well, these updated packages fix the following bug : * a bug in the TCP header prediction code may have caused
    last seen2020-06-01
    modified2020-06-02
    plugin id67609
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67609
    titleOracle Linux 3 : kernel (ELSA-2007-1049)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2007-679.NASL
    descriptionUpdate to linux 2.6.22.3 and 2.6.22.4: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.3 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.4 CVE-2007-3848: Linux kernel 2.4.35 and other versions allows local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG). Update to 2.6.22.5-rc1. Highlights: ACPI fixes. Fix wrong temperature reports with some sensor chips. Four sky2 ethernet driver fixes. Fix detection of an AMD chip bug. Revert serial driver patch that broke port detection. Plus: Additional sky2 fix for some motherboards. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id25976
    published2007-09-05
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/25976
    titleFedora Core 6 : kernel-2.6.22.4-45.fc6 (2007-679)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2007-0939.NASL
    descriptionUpdated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel is the core of the operating system. These updated kernel packages contain fixes for the following security issues : * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) * A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) * A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) * A flaw was found in the CIFS file system handling. The mount option
    last seen2020-06-01
    modified2020-06-02
    plugin id37953
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/37953
    titleCentOS 4 : kernel (CESA-2007:0939)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20071203_KERNEL_ON_SL3.NASL
    descriptionA flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) A flaw was found in the IPv4 forwarding base. This allowed a local user to cause a denial of service. (CVE-2007-2172, Important) A flaw was found where a corrupted executable file could cause cross-region memory mappings on Itanium systems. This allowed a local user to cause a denial of service. (CVE-2006-4538, Moderate) A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) As well, these updated packages fix the following bug : - a bug in the TCP header prediction code may have caused
    last seen2020-06-01
    modified2020-06-02
    plugin id60321
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60321
    titleScientific Linux Security Update : kernel on SL3.x i386/x86_64
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2007-1049.NASL
    descriptionUpdated kernel packages that fix several security issues and a bug in the Red Hat Enterprise Linux 3 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) A flaw was found in the IPv4 forwarding base. This allowed a local user to cause a denial of service. (CVE-2007-2172, Important) A flaw was found where a corrupted executable file could cause cross-region memory mappings on Itanium systems. This allowed a local user to cause a denial of service. (CVE-2006-4538, Moderate) A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) As well, these updated packages fix the following bug : * a bug in the TCP header prediction code may have caused
    last seen2020-06-01
    modified2020-06-02
    plugin id29190
    published2007-12-04
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/29190
    titleCentOS 3 : kernel (CESA-2007:1049)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2007-0940.NASL
    descriptionFrom Red Hat Security Advisory 2007:0940 : Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * A flaw was found in the backported stack unwinder fixes in Red Hat Enterprise Linux 5. On AMD64 and Intel 64 platforms, a local user could trigger this flaw and cause a denial of service. (CVE-2007-4574, Important) * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the Distributed Lock Manager (DLM) in the cluster manager. This allowed a remote user who is able to connect to the DLM port to cause a denial of service. (CVE-2007-3380, Important) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the prio_tree handling of the hugetlb support that allowed a local user to cause a denial of service. This only affected kernels with hugetlb support. (CVE-2007-4133, Moderate) * A flaw was found in the eHCA driver on PowerPC architectures that allowed a local user to access 60k of physical address space. This address space could contain sensitive information. (CVE-2007-3850, Moderate) * A flaw was found in ptrace support that allowed a local user to cause a denial of service via a NULL pointer dereference. (CVE-2007-3731, Moderate) * A flaw was found in the usblcd driver that allowed a local user to cause a denial of service by writing data to the device node. To exploit this issue, write access to the device node was needed. (CVE-2007-3513, Moderate) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. If the root user raised the default wakeup threshold over the size of the output pool, this flaw could be exploited. (CVE-2007-3105, Low) In addition to the security issues described above, several bug fixes preventing possible system crashes and data corruption were also included. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id67581
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67581
    titleOracle Linux 5 : kernel (ELSA-2007-0940)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1356.NASL
    descriptionSeveral local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-1353 Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. - CVE-2007-2172 Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. - CVE-2007-2453 A couple of issues with random number generation were discovered. Slightly less random numbers resulted from hashing a subset of the available entropy. Zero-entropy systems were seeded with the same inputs at boot time, resulting in repeatable series of random numbers. - CVE-2007-2525 Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. - CVE-2007-2876 Vilmos Nebehaj discovered a NULL pointer dereference condition in the netfilter subsystem. This allows remote systems which communicate using the SCTP protocol to crash a system by creating a connection with an unknown chunk type. - CVE-2007-3513 Oliver Neukum reported an issue in the usblcd driver which, by not limiting the size of write buffers, permits local users with write access to trigger a DoS by consuming all available memory. - CVE-2007-3642 Zhongling Wen reported an issue in nf_conntrack_h323 where the lack of range checking may lead to NULL pointer dereferences. Remote attackers could exploit this to create a DoS condition (system crash). - CVE-2007-3848 Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions which may allow local users to gain privileges by sending arbitrary signals to suid binaries. - CVE-2007-3851 Dave Airlie reported that Intel 965 and above chipsets have relocated their batch buffer security bits. Local X server users may exploit this to write user data to arbitrary physical memory addresses. These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-13etch1. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update : Debian 4.0 (etch) fai-kernels 1.17+etch4 user-mode-linux 2.6.18-1um-2etch3
    last seen2020-06-01
    modified2020-06-02
    plugin id25909
    published2007-08-21
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/25909
    titleDebian DSA-1356-1 : linux-2.6 - several vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_KERNEL-4185.NASL
    descriptionThis kernel update fixes the following security problems : - The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers. (CVE-2007-2242) The default is that RH0 is disabled now. To adjust this, write to the file /proc/net/accept_source_route6. - The random number feature in the Linux kernel 2.6 (1) did not properly seed pools when there is no entropy, or (2) used an incorrect cast when extracting entropy, which might have caused the random number generator to provide the same values after reboots on systems without an entropy source. (CVE-2007-2453) - A NULL pointer dereference in SCTP connection tracking could be caused by a remote attacker by sending specially crafted packets. Note that this requires SCTP set-up and active to be exploitable. (CVE-2007-2876) - Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving
    last seen2020-06-01
    modified2020-06-02
    plugin id29487
    published2007-12-13
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/29487
    titleSuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4185)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_KERNEL-4929.NASL
    descriptionThis kernel update fixes the following security problems : CVE-2008-0007: Insufficient range checks in certain fault handlers could be used by local attackers to potentially read or write kernel memory. CVE-2008-0001: Incorrect access mode checks could be used by local attackers to corrupt directory contents and so cause denial of service attacks or potentially execute code. CVE-2007-5966: Integer overflow in the hrtimer_start function in kernel/hrtimer.c in the Linux kernel before 2.6.23.10 allows local users to execute arbitrary code or cause a denial of service (panic) via a large relative timeout value. NOTE: some of these details are obtained from third-party information. CVE-2007-3843: The Linux kernel checked the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. CVE-2007-2242: The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers. CVE-2007-6417: The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through 2.6.23 does not properly clear allocated memory in some rare circumstances, which might allow local users to read sensitive kernel data or cause a denial of service (crash). CVE-2007-4308: The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid in the Linux kernel did not check permissions for ioctls, which might have allowed local users to cause a denial of service or gain privileges. CVE-2007-3740: The CIFS filesystem, when Unix extension support is enabled, does not honor the umask of a process, which allows local users to gain privileges. CVE-2007-3848: The Linux kernel allowed local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG). CVE-2007-4997: Integer underflow in the ieee80211_rx function in net/ieee80211/ieee80211_rx.c in the Linux kernel allowed remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set, aka an
    last seen2020-06-01
    modified2020-06-02
    plugin id30142
    published2008-02-01
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/30142
    titleopenSUSE 10 Security Update : kernel (kernel-4929)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2007-0940.NASL
    descriptionUpdated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * A flaw was found in the backported stack unwinder fixes in Red Hat Enterprise Linux 5. On AMD64 and Intel 64 platforms, a local user could trigger this flaw and cause a denial of service. (CVE-2007-4574, Important) * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the Distributed Lock Manager (DLM) in the cluster manager. This allowed a remote user who is able to connect to the DLM port to cause a denial of service. (CVE-2007-3380, Important) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the prio_tree handling of the hugetlb support that allowed a local user to cause a denial of service. This only affected kernels with hugetlb support. (CVE-2007-4133, Moderate) * A flaw was found in the eHCA driver on PowerPC architectures that allowed a local user to access 60k of physical address space. This address space could contain sensitive information. (CVE-2007-3850, Moderate) * A flaw was found in ptrace support that allowed a local user to cause a denial of service via a NULL pointer dereference. (CVE-2007-3731, Moderate) * A flaw was found in the usblcd driver that allowed a local user to cause a denial of service by writing data to the device node. To exploit this issue, write access to the device node was needed. (CVE-2007-3513, Moderate) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. If the root user raised the default wakeup threshold over the size of the output pool, this flaw could be exploited. (CVE-2007-3105, Low) In addition to the security issues described above, several bug fixes preventing possible system crashes and data corruption were also included. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id43654
    published2010-01-06
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43654
    titleCentOS 5 : kernel (CESA-2007:0940)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2009-0001.NASL
    descriptionUpdated kernel packages that fix a number of security issues are now available for Red Hat Enterprise Linux 2.1 running on 32-bit architectures. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the IPv4 forwarding base. This could allow a local, unprivileged user to cause a denial of service. (CVE-2007-2172, Important) * a flaw was found in the handling of process death signals. This allowed a local, unprivileged user to send arbitrary signals to the suid-process executed by that user. Successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * when accessing kernel memory locations, certain Linux kernel drivers registering a fault handler did not perform required range checks. A local, unprivileged user could use this flaw to gain read or write access to arbitrary kernel memory, or possibly cause a denial of service. (CVE-2008-0007, Important) * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local, unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * missing capability checks were found in the SBNI WAN driver which could allow a local, unprivileged user to bypass intended capability restrictions. (CVE-2008-3525, Important) * a flaw was found in the way files were written using truncate() or ftruncate(). This could allow a local, unprivileged user to acquire the privileges of a different group and obtain access to sensitive information. (CVE-2008-4210, Important) * a race condition in the mincore system core allowed a local, unprivileged user to cause a denial of service. (CVE-2006-4814, Moderate) * a flaw was found in the aacraid SCSI driver. This allowed a local, unprivileged user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate) * two buffer overflow flaws were found in the Integrated Services Digital Network (ISDN) subsystem. A local, unprivileged user could use these flaws to cause a denial of service. (CVE-2007-6063, CVE-2007-6151, Moderate) * a flaw was found in the way core dump files were created. If a local, unprivileged user could make a root-owned process dump a core file into a user-writable directory, the user could gain read access to that core file, potentially compromising sensitive information. (CVE-2007-6206, Moderate) * a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to attempt file creation within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) All users of Red Hat Enterprise Linux 2.1 on 32-bit architectures should upgrade to these updated packages which address these vulnerabilities. For this update to take effect, the system must be rebooted.
    last seen2020-06-01
    modified2020-06-02
    plugin id35323
    published2009-01-09
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/35323
    titleRHEL 2.1 : kernel (RHSA-2009:0001)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2007-0939.NASL
    descriptionFrom Red Hat Security Advisory 2007:0939 : Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel is the core of the operating system. These updated kernel packages contain fixes for the following security issues : * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) * A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) * A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) * A flaw was found in the CIFS file system handling. The mount option
    last seen2020-06-01
    modified2020-06-02
    plugin id67580
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67580
    titleOracle Linux 4 : kernel (ELSA-2007-0939)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1504.NASL
    descriptionSeveral local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-5823 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem. - CVE-2006-6054 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem. - CVE-2006-6058 LMH reported an issue in the minix filesystem that allows local users with mount privileges to create a DoS (printk flood) by mounting a specially crafted corrupt filesystem. - CVE-2006-7203 OpenVZ Linux kernel team reported an issue in the smbfs filesystem which can be exploited by local users to cause a DoS (oops) during mount. - CVE-2007-1353 Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. - CVE-2007-2172 Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. - CVE-2007-2525 Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. - CVE-2007-3105 The PaX Team discovered a potential buffer overflow in the random number generator which may permit local users to cause a denial of service or gain additional privileges. This issue is not believed to effect default Debian installations where only root has sufficient privileges to exploit it. - CVE-2007-3739 Adam Litke reported a potential local denial of service (oops) on powerpc platforms resulting from unchecked VMA expansion into address space reserved for hugetlb pages. - CVE-2007-3740 Steve French reported that CIFS filesystems with CAP_UNIX enabled were not honoring a process
    last seen2020-06-01
    modified2020-06-02
    plugin id31148
    published2008-02-25
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31148
    titleDebian DSA-1504-1 : kernel-source-2.6.8 - several vulnerabilities
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2007-0940.NASL
    descriptionUpdated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * A flaw was found in the backported stack unwinder fixes in Red Hat Enterprise Linux 5. On AMD64 and Intel 64 platforms, a local user could trigger this flaw and cause a denial of service. (CVE-2007-4574, Important) * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the Distributed Lock Manager (DLM) in the cluster manager. This allowed a remote user who is able to connect to the DLM port to cause a denial of service. (CVE-2007-3380, Important) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the prio_tree handling of the hugetlb support that allowed a local user to cause a denial of service. This only affected kernels with hugetlb support. (CVE-2007-4133, Moderate) * A flaw was found in the eHCA driver on PowerPC architectures that allowed a local user to access 60k of physical address space. This address space could contain sensitive information. (CVE-2007-3850, Moderate) * A flaw was found in ptrace support that allowed a local user to cause a denial of service via a NULL pointer dereference. (CVE-2007-3731, Moderate) * A flaw was found in the usblcd driver that allowed a local user to cause a denial of service by writing data to the device node. To exploit this issue, write access to the device node was needed. (CVE-2007-3513, Moderate) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. If the root user raised the default wakeup threshold over the size of the output pool, this flaw could be exploited. (CVE-2007-3105, Low) In addition to the security issues described above, several bug fixes preventing possible system crashes and data corruption were also included. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id27565
    published2007-10-25
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27565
    titleRHEL 5 : kernel (RHSA-2007:0940)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-510-1.NASL
    descriptionA flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525) An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875) Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876) Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878) A flaw in the sysfs_readdir function allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104) A buffer overflow was discovered in the random number generator. In environments with granular assignment of root privileges, a local attacker could gain additional privileges. (CVE-2007-3105) A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513) Zhongling Wen discovered that the h323 conntrack handler did not correctly handle certain bitfields. A remote attacker could send a specially crafted packet and cause a denial of service. (CVE-2007-3642) A flaw was discovered in the CIFS mount security checking. Remote attackers could spoof CIFS network traffic, which could lead a client to trust the connection. (CVE-2007-3843) It was discovered that certain setuid-root processes did not correctly reset process death signal handlers. A local user could manipulate this to send signals to processes they would not normally have access to. (CVE-2007-3848) The Direct Rendering Manager for the i915 driver could be made to write to arbitrary memory locations. An attacker with access to a running X11 session could send a specially crafted buffer and gain root privileges. (CVE-2007-3851) It was discovered that the aacraid SCSI driver did not correctly check permissions on certain ioctls. A local attacker could cause a denial of service or gain privileges. (CVE-2007-4308). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id28114
    published2007-11-10
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/28114
    titleUbuntu 7.04 : linux-source-2.6.20 vulnerabilities (USN-510-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-508-1.NASL
    descriptionA buffer overflow was discovered in the Moxa serial driver. Local attackers could execute arbitrary code and gain root privileges. (CVE-2005-0504) A flaw was discovered in the IPv6 stack
    last seen2020-06-01
    modified2020-06-02
    plugin id28112
    published2007-11-10
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/28112
    titleUbuntu 6.06 LTS : linux-source-2.6.15 vulnerabilities (USN-508-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2007-1785.NASL
    descriptionUpdate to kernel 2.6.22.2, 2.6.22.3 and 2.6.22.4: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.2 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.3 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.4 - Fix failure to find serial ports on some machines. - Detect broken timers on some AMD dual-core machines: fixes hangs and failure to boot. - Don
    last seen2020-06-01
    modified2020-06-02
    plugin id27734
    published2007-11-06
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27734
    titleFedora 7 : kernel-2.6.22.4-65.fc7 (2007-1785)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1503.NASL
    descriptionSeveral local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-2731 infamous41md reported multiple integer overflows in the Sbus PROM driver that would allow for a DoS (Denial of Service) attack by a local user, and possibly the execution of arbitrary code. - CVE-2006-4814 Doug Chapman discovered a potential local DoS (deadlock) in the mincore function caused by improper lock handling. - CVE-2006-5753 Eric Sandeen provided a fix for a local memory corruption vulnerability resulting from a misinterpretation of return values when operating on inodes which have been marked bad. - CVE-2006-5823 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem. - CVE-2006-6053 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext3 filesystem. - CVE-2006-6054 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem. - CVE-2006-6106 Marcel Holtman discovered multiple buffer overflows in the Bluetooth subsystem which can be used to trigger a remote DoS (crash) and potentially execute arbitrary code. - CVE-2007-1353 Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. - CVE-2007-1592 Masayuki Nakagawa discovered that flow labels were inadvertently being shared between listening sockets and child sockets. This defect can be exploited by local users to cause a DoS (Oops). - CVE-2007-2172 Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. - CVE-2007-2525 Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. - CVE-2007-3848 Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions which may allow local users to gain privileges by sending arbitrary signals to suid binaries. - CVE-2007-4308 Alan Cox reported an issue in the aacraid driver that allows unprivileged local users to make ioctl calls which should be restricted to admin privileges. - CVE-2007-4311 PaX team discovered an issue in the random driver where a defect in the reseeding code leads to a reduction in entropy. - CVE-2007-5093 Alex Smith discovered an issue with the pwc driver for certain webcam devices. If the device is removed while a userspace application has it open, the driver will wait for userspace to close the device, resulting in a blocked USB subsystem. This issue is of low security impact as it requires the attacker to either have physical access to the system or to convince a user with local access to remove the device on their behalf. - CVE-2007-6063 Venustech AD-LAB discovered a a buffer overflow in the isdn ioctl handling, exploitable by a local user. - CVE-2007-6151 ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data. - CVE-2007-6206 Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. - CVE-2007-6694 Cyrill Gorcunov reported a NULL pointer dereference in code specific to the CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial of Service (DoS). - CVE-2008-0007 Nick Piggin of SuSE discovered a number of issues in subsystems which register a fault handler for memory mapped areas. This issue can be exploited by local users to achieve a Denial of Service (DoS) and possibly execute arbitrary code. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update : Debian 3.1 (sarge) alsa-modules-i386 1.0.8+2sarge2 kernel-image-2.4.27-arm 2.4.27-2sarge6 kernel-image-2.4.27-m68k 2.4.27-3sarge6 kernel-image-speakup-i386 2.4.27-1.1sarge5 kernel-image-2.4.27-alpha 2.4.27-10sarge6 kernel-image-2.4.27-s390 2.4.27-2sarge6 kernel-image-2.4.27-sparc 2.4.27-9sarge6 kernel-image-2.4.27-i386 2.4.27-10sarge6 kernel-image-2.4.27-ia64 2.4.27-10sarge6 kernel-patch-2.4.27-mips 2.4.27-10.sarge4.040815-3 kernel-patch-powerpc-2.4.27 2.4.27-10sarge6 kernel-latest-2.4-alpha 101sarge3 kernel-latest-2.4-i386 101sarge2 kernel-latest-2.4-s390 2.4.27-1sarge2 kernel-latest-2.4-sparc 42sarge3 i2c 1:2.9.1-1sarge2 lm-sensors 1:2.9.1-1sarge4 mindi-kernel 2.4.27-2sarge5 pcmcia-modules-2.4.27-i386 3.2.5+2sarge2 hostap-modules-i386 1:0.3.7-1sarge3 systemimager 3.2.3-6sarge5
    last seen2020-06-01
    modified2020-06-02
    plugin id31147
    published2008-02-25
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31147
    titleDebian DSA-1503-1 : kernel-source-2.4.27 - several vulnerabilities
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2007-1049.NASL
    descriptionUpdated kernel packages that fix several security issues and a bug in the Red Hat Enterprise Linux 3 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) A flaw was found in the IPv4 forwarding base. This allowed a local user to cause a denial of service. (CVE-2007-2172, Important) A flaw was found where a corrupted executable file could cause cross-region memory mappings on Itanium systems. This allowed a local user to cause a denial of service. (CVE-2006-4538, Moderate) A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) As well, these updated packages fix the following bug : * a bug in the TCP header prediction code may have caused
    last seen2020-06-01
    modified2020-06-02
    plugin id29203
    published2007-12-04
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/29203
    titleRHEL 3 : kernel (RHSA-2007:1049)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20071022_KERNEL_ON_SL5_X.NASL
    descriptionThese new kernel packages contain fixes for the following security issues : - A flaw was found in the backported stack unwinder fixes in Red Hat Enterprise Linux 5. On AMD64 and Intel 64 platforms, a local user could trigger this flaw and cause a denial of service. (CVE-2007-4574, Important) - A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) - A flaw was found in the Distributed Lock Manager (DLM) in the cluster manager. This allowed a remote user who is able to connect to the DLM port to cause a denial of service. (CVE-2007-3380, Important) - A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate) - A flaw was found in the prio_tree handling of the hugetlb support that allowed a local user to cause a denial of service. This only affected kernels with hugetlb support. (CVE-2007-4133, Moderate) - A flaw was found in the eHCA driver on PowerPC architectures that allowed a local user to access 60k of physical address space. This address space could contain sensitive information. (CVE-2007-3850, Moderate) - A flaw was found in ptrace support that allowed a local user to cause a denial of service via a NULL pointer dereference. (CVE-2007-3731, Moderate) - A flaw was found in the usblcd driver that allowed a local user to cause a denial of service by writing data to the device node. To exploit this issue, write access to the device node was needed. (CVE-2007-3513, Moderate) - A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. If the root user raised the default wakeup threshold over the size of the output pool, this flaw could be exploited. (CVE-2007-3105, Low) In addition to the security issues described above, several bug fixes preventing possible system crashes and data corruption were also included.
    last seen2020-06-01
    modified2020-06-02
    plugin id60272
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60272
    titleScientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2007-195.NASL
    descriptionSome vulnerabilities were discovered and corrected in the Linux 2.6 kernel : A stack-based buffer overflow in the random number generator could allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size (CVE-2007-3105). The lcd_write function did not limit the amount of memory used by a caller, which allows local users to cause a denial of service (memory consumption) (CVE-2007-3513). The decode_choice function allowed remote attackers to cause a denial of service (crash) via an encoded out-of-range index value for a choice field which triggered a NULL pointer dereference (CVE-2007-3642). The Linux kernel allowed local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die which delivered an attacker-controlled parent process death signal (PR_SET_PDEATHSIG) (CVE-2007-3848). The aac_cfg_openm and aac_compat_ioctl functions in the SCSI layer ioctl patch in aacraid did not check permissions for ioctls, which might allow local users to cause a denial of service or gain privileges (CVE-2007-4308). The IA32 system call emulation functionality, when running on the x86_64 architecture, did not zero extend the eax register after the 32bit entry path to ptrace is used, which could allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register (CVE-2007-4573). In addition to these security fixes, other fixes have been included such as : - More NVidia PCI ids wre added - The 3w-9xxx module was updated to version 2.26.02.010 - Fixed the map entry for ICH8 - Added the TG3 5786 PCI id - Reduced the log verbosity of cx88-mpeg To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen2020-06-01
    modified2020-06-02
    plugin id27561
    published2007-10-25
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27561
    titleMandrake Linux Security Advisory : kernel (MDKSA-2007:195)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20071101_KERNEL_ON_SL4_X.NASL
    description - A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) - A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) - A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) - A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) - A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) - A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) - A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) - A flaw was found in the CIFS file system handling. The mount option
    last seen2020-06-01
    modified2020-06-02
    plugin id60280
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60280
    titleScientific Linux Security Update : kernel on SL4.x i386/x86_64
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2007-0939.NASL
    descriptionUpdated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel is the core of the operating system. These updated kernel packages contain fixes for the following security issues : * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) * A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) * A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) * A flaw was found in the CIFS file system handling. The mount option
    last seen2020-06-01
    modified2020-06-02
    plugin id27616
    published2007-11-02
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27616
    titleRHEL 4 : kernel (RHSA-2007:0939)

Oval

accepted2013-04-29T04:01:54.984-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionLinux kernel 2.4.35 and other versions allows local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG).
familyunix
idoval:org.mitre.oval:def:10120
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleLinux kernel 2.4.35 and other versions allows local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG).
version27

Redhat

advisories
  • rhsa
    idRHSA-2007:0939
  • rhsa
    idRHSA-2007:0940
  • rhsa
    idRHSA-2007:1049
  • rhsa
    idRHSA-2008:0787
rpms
  • kernel-0:2.6.9-55.0.12.EL
  • kernel-debuginfo-0:2.6.9-55.0.12.EL
  • kernel-devel-0:2.6.9-55.0.12.EL
  • kernel-doc-0:2.6.9-55.0.12.EL
  • kernel-hugemem-0:2.6.9-55.0.12.EL
  • kernel-hugemem-devel-0:2.6.9-55.0.12.EL
  • kernel-largesmp-0:2.6.9-55.0.12.EL
  • kernel-largesmp-devel-0:2.6.9-55.0.12.EL
  • kernel-smp-0:2.6.9-55.0.12.EL
  • kernel-smp-devel-0:2.6.9-55.0.12.EL
  • kernel-xenU-0:2.6.9-55.0.12.EL
  • kernel-xenU-devel-0:2.6.9-55.0.12.EL
  • kernel-0:2.6.18-8.1.15.el5
  • kernel-PAE-0:2.6.18-8.1.15.el5
  • kernel-PAE-debuginfo-0:2.6.18-8.1.15.el5
  • kernel-PAE-devel-0:2.6.18-8.1.15.el5
  • kernel-debuginfo-0:2.6.18-8.1.15.el5
  • kernel-debuginfo-common-0:2.6.18-8.1.15.el5
  • kernel-devel-0:2.6.18-8.1.15.el5
  • kernel-doc-0:2.6.18-8.1.15.el5
  • kernel-headers-0:2.6.18-8.1.15.el5
  • kernel-kdump-0:2.6.18-8.1.15.el5
  • kernel-kdump-debuginfo-0:2.6.18-8.1.15.el5
  • kernel-kdump-devel-0:2.6.18-8.1.15.el5
  • kernel-xen-0:2.6.18-8.1.15.el5
  • kernel-xen-debuginfo-0:2.6.18-8.1.15.el5
  • kernel-xen-devel-0:2.6.18-8.1.15.el5
  • kernel-0:2.4.21-53.EL
  • kernel-BOOT-0:2.4.21-53.EL
  • kernel-debuginfo-0:2.4.21-53.EL
  • kernel-doc-0:2.4.21-53.EL
  • kernel-hugemem-0:2.4.21-53.EL
  • kernel-hugemem-unsupported-0:2.4.21-53.EL
  • kernel-smp-0:2.4.21-53.EL
  • kernel-smp-unsupported-0:2.4.21-53.EL
  • kernel-source-0:2.4.21-53.EL
  • kernel-unsupported-0:2.4.21-53.EL
  • kernel-0:2.4.18-e.67
  • kernel-doc-0:2.4.18-e.67
  • kernel-smp-0:2.4.18-e.67
  • kernel-source-0:2.4.18-e.67
  • kernel-0:2.4.9-e.74
  • kernel-BOOT-0:2.4.9-e.74
  • kernel-debug-0:2.4.9-e.74
  • kernel-doc-0:2.4.9-e.74
  • kernel-enterprise-0:2.4.9-e.74
  • kernel-headers-0:2.4.9-e.74
  • kernel-smp-0:2.4.9-e.74
  • kernel-source-0:2.4.9-e.74
  • kernel-summit-0:2.4.9-e.74

References