Vulnerabilities > CVE-2007-6063 - Buffer Errors vulnerability in Linux Kernel 2.6.23
Attack vector
LOCAL Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel 2.6.23 allows local users to have an unknown impact via a crafted argument to the isdn_ioctl function.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1436.NASL description Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-6058 LMH reported an issue in the minix filesystem that allows local users with mount privileges to create a DoS (printk flood) by mounting a specially crafted corrupt filesystem. - CVE-2007-5966 Warren Togami discovered an issue in the hrtimer subsystem that allows a local user to cause a DoS (soft lockup) by requesting a timer sleep for a long period of time leading to an integer overflow. - CVE-2007-6063 Venustech AD-LAB discovered a buffer overflow in the isdn ioctl handling, exploitable by a local user. - CVE-2007-6206 Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. - CVE-2007-6417 Hugh Dickins discovered an issue in the tmpfs filesystem where, under a rare circumstance, a kernel page may be improperly cleared, leaking sensitive kernel memory to userspace or resulting in a DoS (crash). These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-13etch6. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update : Debian 4.0 (etch) fai-kernels 1.17+etch.13etch6 user-mode-linux 2.6.18-1um-2etch.13etch6 last seen 2020-06-01 modified 2020-06-02 plugin id 29756 published 2007-12-24 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/29756 title Debian DSA-1436-1 : linux-2.6 - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1436. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(29756); script_version("1.20"); script_cvs_date("Date: 2019/08/02 13:32:20"); script_cve_id("CVE-2006-6058", "CVE-2007-5966", "CVE-2007-6063", "CVE-2007-6206", "CVE-2007-6417"); script_xref(name:"DSA", value:"1436"); script_name(english:"Debian DSA-1436-1 : linux-2.6 - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-6058 LMH reported an issue in the minix filesystem that allows local users with mount privileges to create a DoS (printk flood) by mounting a specially crafted corrupt filesystem. - CVE-2007-5966 Warren Togami discovered an issue in the hrtimer subsystem that allows a local user to cause a DoS (soft lockup) by requesting a timer sleep for a long period of time leading to an integer overflow. - CVE-2007-6063 Venustech AD-LAB discovered a buffer overflow in the isdn ioctl handling, exploitable by a local user. - CVE-2007-6206 Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. - CVE-2007-6417 Hugh Dickins discovered an issue in the tmpfs filesystem where, under a rare circumstance, a kernel page may be improperly cleared, leaking sensitive kernel memory to userspace or resulting in a DoS (crash). These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-13etch6. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update : Debian 4.0 (etch) fai-kernels 1.17+etch.13etch6 user-mode-linux 2.6.18-1um-2etch.13etch6" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-6058" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-5966" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-6063" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-6206" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-6417" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2007/dsa-1436" ); script_set_attribute( attribute:"solution", value: "Upgrade the kernel package immediately and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_cwe_id(16, 119, 189, 200, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-2.6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0"); script_set_attribute(attribute:"patch_publication_date", value:"2007/12/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/24"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"4.0", prefix:"fai-kernels", reference:"1.17+etch.13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-doc-2.6.18", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-486", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-686", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-686-bigmem", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-all", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-all-alpha", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-all-amd64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-all-arm", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-all-hppa", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-all-i386", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-all-ia64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-all-mips", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-all-mipsel", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-all-powerpc", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-all-s390", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-all-sparc", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-alpha-generic", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-alpha-legacy", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-alpha-smp", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-amd64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-footbridge", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-iop32x", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-itanium", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-ixp4xx", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-k7", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-mckinley", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-parisc", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-parisc-smp", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-parisc64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-parisc64-smp", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-powerpc", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-powerpc-miboot", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-powerpc-smp", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-powerpc64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-prep", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-qemu", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-r3k-kn02", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-r4k-ip22", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-r4k-kn04", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-r5k-cobalt", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-r5k-ip32", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-rpc", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-s390", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-s390x", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-s3c2410", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-sb1-bcm91250a", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-sb1a-bcm91480b", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-sparc32", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-sparc64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-sparc64-smp", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-vserver", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-vserver-686", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-vserver-alpha", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-vserver-amd64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-vserver-k7", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-vserver-powerpc", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-vserver-powerpc64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-vserver-s390x", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-vserver-sparc64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-xen", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-xen-686", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-xen-amd64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-xen-vserver", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-xen-vserver-686", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-5-xen-vserver-amd64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-486", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-686", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-686-bigmem", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-alpha-generic", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-alpha-legacy", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-alpha-smp", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-amd64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-footbridge", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-iop32x", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-itanium", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-ixp4xx", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-k7", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-mckinley", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-parisc", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-parisc-smp", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-parisc64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-parisc64-smp", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-powerpc", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-powerpc-miboot", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-powerpc-smp", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-powerpc64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-prep", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-qemu", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-r3k-kn02", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-r4k-ip22", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-r4k-kn04", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-r5k-cobalt", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-r5k-ip32", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-rpc", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-s390", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-s390-tape", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-s390x", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-s3c2410", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-sb1-bcm91250a", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-sb1a-bcm91480b", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-sparc32", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-sparc64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-sparc64-smp", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-vserver-686", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-vserver-alpha", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-vserver-amd64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-vserver-k7", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-vserver-powerpc", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-vserver-powerpc64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-vserver-s390x", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-vserver-sparc64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-xen-686", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-xen-amd64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-xen-vserver-686", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-5-xen-vserver-amd64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-manual-2.6.18", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-modules-2.6.18-5-xen-686", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-modules-2.6.18-5-xen-amd64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-modules-2.6.18-5-xen-vserver-686", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-modules-2.6.18-5-xen-vserver-amd64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-patch-debian-2.6.18", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-source-2.6.18", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-support-2.6.18-5", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"linux-tree-2.6.18", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"user-mode-linux", reference:"2.6.18-1um-2etch.13etch6")) flag++; if (deb_check(release:"4.0", prefix:"xen-linux-system-2.6.18-5-xen-686", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"xen-linux-system-2.6.18-5-xen-amd64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"xen-linux-system-2.6.18-5-xen-vserver-686", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (deb_check(release:"4.0", prefix:"xen-linux-system-2.6.18-5-xen-vserver-amd64", reference:"2.6.18.dfsg.1-13etch6")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-574-1.NASL description The minix filesystem did not properly validate certain filesystem values. If a local attacker could trick the system into attempting to mount a corrupted minix filesystem, the kernel could be made to hang for long periods of time, resulting in a denial of service. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2006-6058) The signal handling on PowerPC systems using HTX allowed local users to cause a denial of service via floating point corruption. This was only vulnerable in Ubuntu 6.10 and 7.04. (CVE-2007-3107) The Linux kernel did not properly validate the hop-by-hop IPv6 extended header. Remote attackers could send a crafted IPv6 packet and cause a denial of service via kernel panic. This was only vulnerable in Ubuntu 7.04. (CVE-2007-4567) The JFFS2 filesystem with ACL support enabled did not properly store permissions during inode creation and ACL setting. Local users could possibly access restricted files after a remount. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-4849) Chris Evans discovered an issue with certain drivers that use the ieee80211_rx function. Remote attackers could send a crafted 802.11 frame and cause a denial of service via crash. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-4997) Alex Smith discovered an issue with the pwc driver for certain webcam devices. A local user with physical access to the system could remove the device while a userspace application had it open and cause the USB subsystem to block. This was only vulnerable in Ubuntu 7.04. (CVE-2007-5093) Scott James Remnant discovered a coding error in ptrace. Local users could exploit this and cause the kernel to enter an infinite loop. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-5500) It was discovered that the Linux kernel could dereference a NULL pointer when processing certain IPv4 TCP packets. A remote attacker could send a crafted TCP ACK response and cause a denial of service via crash. This was only vulnerable in Ubuntu 7.10. (CVE-2007-5501) Warren Togami discovered that the hrtimer subsystem did not properly check for large relative timeouts. A local user could exploit this and cause a denial of service via soft lockup. (CVE-2007-5966) Venustech AD-LAB discovered a buffer overflow in the isdn net subsystem. This issue is exploitable by local users via crafted input to the isdn_ioctl function. (CVE-2007-6063) It was discovered that the isdn subsystem did not properly check for NULL termination when performing ioctl handling. A local user could exploit this to cause a denial of service. (CVE-2007-6151) Blake Frantz discovered that when a root process overwrote an existing core file, the resulting core file retained the previous core file last seen 2020-06-01 modified 2020-06-02 plugin id 30183 published 2008-02-05 reporter Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/30183 title Ubuntu 6.10 / 7.04 / 7.10 : linux-source-2.6.17/20/22 vulnerabilities (USN-574-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-574-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(30183); script_version("1.21"); script_cvs_date("Date: 2019/10/16 10:34:22"); script_cve_id("CVE-2006-6058", "CVE-2007-3107", "CVE-2007-4567", "CVE-2007-4849", "CVE-2007-4997", "CVE-2007-5093", "CVE-2007-5500", "CVE-2007-5501", "CVE-2007-5966", "CVE-2007-6063", "CVE-2007-6151", "CVE-2007-6206", "CVE-2007-6417", "CVE-2008-0001"); script_xref(name:"USN", value:"574-1"); script_name(english:"Ubuntu 6.10 / 7.04 / 7.10 : linux-source-2.6.17/20/22 vulnerabilities (USN-574-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The minix filesystem did not properly validate certain filesystem values. If a local attacker could trick the system into attempting to mount a corrupted minix filesystem, the kernel could be made to hang for long periods of time, resulting in a denial of service. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2006-6058) The signal handling on PowerPC systems using HTX allowed local users to cause a denial of service via floating point corruption. This was only vulnerable in Ubuntu 6.10 and 7.04. (CVE-2007-3107) The Linux kernel did not properly validate the hop-by-hop IPv6 extended header. Remote attackers could send a crafted IPv6 packet and cause a denial of service via kernel panic. This was only vulnerable in Ubuntu 7.04. (CVE-2007-4567) The JFFS2 filesystem with ACL support enabled did not properly store permissions during inode creation and ACL setting. Local users could possibly access restricted files after a remount. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-4849) Chris Evans discovered an issue with certain drivers that use the ieee80211_rx function. Remote attackers could send a crafted 802.11 frame and cause a denial of service via crash. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-4997) Alex Smith discovered an issue with the pwc driver for certain webcam devices. A local user with physical access to the system could remove the device while a userspace application had it open and cause the USB subsystem to block. This was only vulnerable in Ubuntu 7.04. (CVE-2007-5093) Scott James Remnant discovered a coding error in ptrace. Local users could exploit this and cause the kernel to enter an infinite loop. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-5500) It was discovered that the Linux kernel could dereference a NULL pointer when processing certain IPv4 TCP packets. A remote attacker could send a crafted TCP ACK response and cause a denial of service via crash. This was only vulnerable in Ubuntu 7.10. (CVE-2007-5501) Warren Togami discovered that the hrtimer subsystem did not properly check for large relative timeouts. A local user could exploit this and cause a denial of service via soft lockup. (CVE-2007-5966) Venustech AD-LAB discovered a buffer overflow in the isdn net subsystem. This issue is exploitable by local users via crafted input to the isdn_ioctl function. (CVE-2007-6063) It was discovered that the isdn subsystem did not properly check for NULL termination when performing ioctl handling. A local user could exploit this to cause a denial of service. (CVE-2007-6151) Blake Frantz discovered that when a root process overwrote an existing core file, the resulting core file retained the previous core file's ownership. Local users could exploit this to gain access to sensitive information. (CVE-2007-6206) Hugh Dickins discovered the when using the tmpfs filesystem, under rare circumstances, a kernel page may be improperly cleared. A local user may be able to exploit this and read sensitive kernel data or cause a denial of service via crash. (CVE-2007-6417) Bill Roman discovered that the VFS subsystem did not properly check access modes. A local user may be able to gain removal privileges on directories. (CVE-2008-0001). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/574-1/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(16, 20, 119, 189, 200, 264, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.17"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.20"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.22"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-lowlatency"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-rt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-ume"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-virtual"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-cell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lowlatency"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpia"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpiacompat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-rt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-ume"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-lowlatency"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-virtual"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-kdump"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-libc-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.17"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.20"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.22"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/21"); script_set_attribute(attribute:"patch_publication_date", value:"2008/02/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/02/05"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("ksplice.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(6\.10|7\.04|7\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.10 / 7.04 / 7.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2006-6058", "CVE-2007-3107", "CVE-2007-4567", "CVE-2007-4849", "CVE-2007-4997", "CVE-2007-5093", "CVE-2007-5500", "CVE-2007-5501", "CVE-2007-5966", "CVE-2007-6063", "CVE-2007-6151", "CVE-2007-6206", "CVE-2007-6417", "CVE-2008-0001"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-574-1"); } else { _ubuntu_report = ksplice_reporting_text(); } } flag = 0; if (ubuntu_check(osver:"6.10", pkgname:"linux-doc-2.6.17", pkgver:"2.6.17.1-12.43")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"linux-headers-2.6.17-12", pkgver:"2.6.17.1-12.43")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"linux-headers-2.6.17-12-386", pkgver:"2.6.17.1-12.43")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"linux-headers-2.6.17-12-generic", pkgver:"2.6.17.1-12.43")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"linux-headers-2.6.17-12-server", pkgver:"2.6.17.1-12.43")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"linux-image-2.6.17-12-386", pkgver:"2.6.17.1-12.43")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"linux-image-2.6.17-12-generic", pkgver:"2.6.17.1-12.43")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"linux-image-2.6.17-12-server", pkgver:"2.6.17.1-12.43")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"linux-image-debug-2.6.17-12-386", pkgver:"2.6.17.1-12.43")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"linux-image-debug-2.6.17-12-generic", pkgver:"2.6.17.1-12.43")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"linux-image-debug-2.6.17-12-server", pkgver:"2.6.17.1-12.43")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"linux-image-kdump", pkgver:"2.6.17.1-12.43")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"linux-kernel-devel", pkgver:"2.6.17.1-12.43")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"linux-libc-dev", pkgver:"2.6.17.1-12.43")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"linux-source-2.6.17", pkgver:"2.6.17.1-12.43")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-doc-2.6.20", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-headers-2.6.20-16", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-headers-2.6.20-16-386", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-headers-2.6.20-16-generic", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-headers-2.6.20-16-lowlatency", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-headers-2.6.20-16-server", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-image-2.6.20-16-386", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-image-2.6.20-16-generic", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-image-2.6.20-16-lowlatency", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-image-2.6.20-16-server", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-image-debug-2.6.20-16-386", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-image-debug-2.6.20-16-generic", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-image-debug-2.6.20-16-lowlatency", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-image-debug-2.6.20-16-server", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-kernel-devel", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-libc-dev", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"linux-source-2.6.20", pkgver:"2.6.20-16.34")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-doc-2.6.22", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-headers-2.6.22-14", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-headers-2.6.22-14-386", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-headers-2.6.22-14-generic", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-headers-2.6.22-14-rt", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-headers-2.6.22-14-server", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-headers-2.6.22-14-ume", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-headers-2.6.22-14-virtual", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-headers-2.6.22-14-xen", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-14-386", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-14-cell", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-14-generic", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-14-lpia", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-14-lpiacompat", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-14-rt", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-14-server", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-14-ume", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-14-virtual", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-14-xen", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-image-debug-2.6.22-14-386", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-image-debug-2.6.22-14-generic", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-image-debug-2.6.22-14-server", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-image-debug-2.6.22-14-virtual", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-kernel-devel", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-libc-dev", pkgver:"2.6.22-14.51")) flag++; if (ubuntu_check(osver:"7.10", pkgname:"linux-source-2.6.22", pkgver:"2.6.22-14.51")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-doc-2.6.17 / linux-doc-2.6.20 / linux-doc-2.6.22 / etc"); }
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2008-0055.NASL description Updated kernel packages that fix several security issues and a bug in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages fix the following security issues : A flaw was found in the virtual filesystem (VFS). A local unprivileged user could truncate directories to which they had write permission; this could render the contents of the directory inaccessible. (CVE-2008-0001, Important) A flaw was found in the implementation of ptrace. A local unprivileged user could trigger this flaw and possibly cause a denial of service (system hang). (CVE-2007-5500, Important) A flaw was found in the way the Red Hat Enterprise Linux 4 kernel handled page faults when a CPU used the NUMA method for accessing memory on Itanium architectures. A local unprivileged user could trigger this flaw and cause a denial of service (system panic). (CVE-2007-4130, Important) A possible NULL pointer dereference was found in the chrp_show_cpuinfo function when using the PowerPC architecture. This may have allowed a local unprivileged user to cause a denial of service (crash). (CVE-2007-6694, Moderate) A flaw was found in the way core dump files were created. If a local user can get a root-owned process to dump a core file into a directory, which the user has write access to, they could gain read access to that core file. This could potentially grant unauthorized access to sensitive information. (CVE-2007-6206, Moderate) Two buffer overflow flaws were found in the Linux kernel ISDN subsystem. A local unprivileged user could use these flaws to cause a denial of service. (CVE-2007-6063, CVE-2007-6151, Moderate) As well, these updated packages fix the following bug : * when moving volumes that contain multiple segments, and a mirror segment is not the first in the mapping table, running the last seen 2020-06-01 modified 2020-06-02 plugin id 30154 published 2008-02-05 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/30154 title CentOS 4 : kernel (CESA-2008:0055) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2008:0055 and # CentOS Errata and Security Advisory 2008:0055 respectively. # include("compat.inc"); if (description) { script_id(30154); script_version("1.19"); script_cvs_date("Date: 2019/10/25 13:36:04"); script_cve_id("CVE-2007-4130", "CVE-2007-5500", "CVE-2007-6063", "CVE-2007-6151", "CVE-2007-6206", "CVE-2007-6694", "CVE-2008-0001"); script_bugtraq_id(26477, 26605, 26701, 27280, 27497); script_xref(name:"RHSA", value:"2008:0055"); script_name(english:"CentOS 4 : kernel (CESA-2008:0055)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kernel packages that fix several security issues and a bug in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages fix the following security issues : A flaw was found in the virtual filesystem (VFS). A local unprivileged user could truncate directories to which they had write permission; this could render the contents of the directory inaccessible. (CVE-2008-0001, Important) A flaw was found in the implementation of ptrace. A local unprivileged user could trigger this flaw and possibly cause a denial of service (system hang). (CVE-2007-5500, Important) A flaw was found in the way the Red Hat Enterprise Linux 4 kernel handled page faults when a CPU used the NUMA method for accessing memory on Itanium architectures. A local unprivileged user could trigger this flaw and cause a denial of service (system panic). (CVE-2007-4130, Important) A possible NULL pointer dereference was found in the chrp_show_cpuinfo function when using the PowerPC architecture. This may have allowed a local unprivileged user to cause a denial of service (crash). (CVE-2007-6694, Moderate) A flaw was found in the way core dump files were created. If a local user can get a root-owned process to dump a core file into a directory, which the user has write access to, they could gain read access to that core file. This could potentially grant unauthorized access to sensitive information. (CVE-2007-6206, Moderate) Two buffer overflow flaws were found in the Linux kernel ISDN subsystem. A local unprivileged user could use these flaws to cause a denial of service. (CVE-2007-6063, CVE-2007-6151, Moderate) As well, these updated packages fix the following bug : * when moving volumes that contain multiple segments, and a mirror segment is not the first in the mapping table, running the 'pvmove /dev/[device] /dev/[device]' command caused a kernel panic. A 'kernel: Unable to handle kernel paging request at virtual address [address]' error was logged by syslog. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues." ); # https://lists.centos.org/pipermail/centos-announce/2008-February/014657.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?dcbd22d2" ); # https://lists.centos.org/pipermail/centos-announce/2008-February/014658.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?2a34ca2f" ); # https://lists.centos.org/pipermail/centos-announce/2008-February/014659.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?b5def49d" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(16, 20, 119, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-hugemem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-hugemem-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-largesmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-largesmp-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-smp-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xenU"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xenU-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/11/19"); script_set_attribute(attribute:"patch_publication_date", value:"2008/02/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/02/05"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-4", reference:"kernel-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", reference:"kernel-devel-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-doc-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-doc-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-hugemem-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-hugemem-devel-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"kernel-largesmp-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-largesmp-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"kernel-largesmp-devel-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-largesmp-devel-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-smp-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-smp-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-smp-devel-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-smp-devel-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-xenU-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-xenU-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-xenU-devel-2.6.9-67.0.4.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-xenU-devel-2.6.9-67.0.4.EL")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-devel / kernel-doc / kernel-hugemem / etc"); }
NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2009-0014.NASL description a. Service Console update for DHCP and third-party library update for DHCP client. DHCP is an Internet-standard protocol by which a computer can be connected to a local network, ask to be given configuration information, and receive from a server enough information to configure itself as a member of that network. A stack-based buffer overflow in the script_write_params method in ISC DHCP dhclient allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0692 to this issue. An insecure temporary file use flaw was discovered in the DHCP daemon last seen 2020-06-01 modified 2020-06-02 plugin id 42179 published 2009-10-19 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42179 title VMSA-2009-0014 : VMware ESX patches for DHCP, Service Console kernel, and JRE resolve multiple security issues code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory 2009-0014. # The text itself is copyright (C) VMware Inc. # include("compat.inc"); if (description) { script_id(42179); script_version("1.32"); script_cvs_date("Date: 2018/08/06 14:03:16"); script_cve_id("CVE-2007-6063", "CVE-2008-0598", "CVE-2008-2086", "CVE-2008-2136", "CVE-2008-2812", "CVE-2008-3275", "CVE-2008-3525", "CVE-2008-4210", "CVE-2008-5339", "CVE-2008-5340", "CVE-2008-5341", "CVE-2008-5342", "CVE-2008-5343", "CVE-2008-5344", "CVE-2008-5345", "CVE-2008-5346", "CVE-2008-5347", "CVE-2008-5348", "CVE-2008-5349", "CVE-2008-5350", "CVE-2008-5351", "CVE-2008-5352", "CVE-2008-5353", "CVE-2008-5354", "CVE-2008-5355", "CVE-2008-5356", "CVE-2008-5357", "CVE-2008-5358", "CVE-2008-5359", "CVE-2008-5360", "CVE-2009-0692", "CVE-2009-1093", "CVE-2009-1094", "CVE-2009-1095", "CVE-2009-1096", "CVE-2009-1097", "CVE-2009-1098", "CVE-2009-1099", "CVE-2009-1100", "CVE-2009-1101", "CVE-2009-1102", "CVE-2009-1103", "CVE-2009-1104", "CVE-2009-1105", "CVE-2009-1106", "CVE-2009-1107", "CVE-2009-1893"); script_bugtraq_id(35668); script_xref(name:"VMSA", value:"2009-0014"); script_name(english:"VMSA-2009-0014 : VMware ESX patches for DHCP, Service Console kernel, and JRE resolve multiple security issues"); script_summary(english:"Checks esxupdate output for the patches"); script_set_attribute( attribute:"synopsis", value: "The remote VMware ESX host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "a. Service Console update for DHCP and third-party library update for DHCP client. DHCP is an Internet-standard protocol by which a computer can be connected to a local network, ask to be given configuration information, and receive from a server enough information to configure itself as a member of that network. A stack-based buffer overflow in the script_write_params method in ISC DHCP dhclient allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0692 to this issue. An insecure temporary file use flaw was discovered in the DHCP daemon's init script ('/etc/init.d/dhcpd'). A local attacker could use this flaw to overwrite an arbitrary file with the output of the 'dhcpd -t' command via a symbolic link attack, if a system administrator executed the DHCP init script with the 'configtest', 'restart', or 'reload' option. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1893 to this issue. b. Updated Service Console package kernel Service Console package kernel update to version kernel-2.4.21-58.EL. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-4210, CVE-2008-3275, CVE-2008-0598, CVE-2008-2136, CVE-2008-2812, CVE-2007-6063, CVE-2008-3525 to the security issues fixed in kernel-2.4.21-58.EL c. JRE Security Update JRE update to version 1.5.0_18, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_17: CVE-2008-2086, CVE-2008-5347, CVE-2008-5348, CVE-2008-5349, CVE-2008-5350, CVE-2008-5351, CVE-2008-5352, CVE-2008-5353, CVE-2008-5354, CVE-2008-5356, CVE-2008-5357, CVE-2008-5358, CVE-2008-5359, CVE-2008-5360, CVE-2008-5339, CVE-2008-5342, CVE-2008-5344, CVE-2008-5345, CVE-2008-5346, CVE-2008-5340, CVE-2008-5341, CVE-2008-5343, and CVE-2008-5355. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107." ); script_set_attribute( attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2010/000076.html" ); script_set_attribute(attribute:"solution", value:"Apply the missing patches."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Sun Java Calendar Deserialization Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(16, 20, 59, 94, 119, 189, 200, 264, 287, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0"); script_set_attribute(attribute:"patch_publication_date", value:"2009/10/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/19"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_family(english:"VMware ESX Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version"); script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs"); exit(0); } include("audit.inc"); include("vmware_esx_packages.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi"); if ( !get_kb_item("Host/VMware/esxcli_software_vibs") && !get_kb_item("Host/VMware/esxupdate") ) audit(AUDIT_PACKAGE_LIST_MISSING); init_esx_check(date:"2009-10-16"); flag = 0; if (esx_check(ver:"ESX 3.0.3", patch:"ESX303-200910402-SG")) flag++; if ( esx_check( ver : "ESX 3.5.0", patch : "ESX350-200910401-SG", patch_updates : make_list("ESX350-200911201-UG", "ESX350-Update05", "ESX350-Update05a") ) ) flag++; if ( esx_check( ver : "ESX 3.5.0", patch : "ESX350-200910403-SG", patch_updates : make_list("ESX350-201003403-SG", "ESX350-201203401-SG", "ESX350-Update05", "ESX350-Update05a") ) ) flag++; if ( esx_check( ver : "ESX 3.5.0", patch : "ESX350-200910406-SG", patch_updates : make_list("ESX350-201203405-SG", "ESX350-Update05", "ESX350-Update05a") ) ) flag++; if ( esx_check( ver : "ESX 4.0", patch : "ESX400-200912404-SG", patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04") ) ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-112.NASL description Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : The Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.18, and probably other versions, does not properly check feature lengths, which might allow remote attackers to execute arbitrary code, related to an unspecified overflow. (CVE-2008-2358) VFS in the Linux kernel before 2.6.22.16, and 2.6.23.x before 2.6.23.14, performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass intended permissions and remove directories. (CVE-2008-0001) Linux kernel before 2.6.22.17, when using certain drivers that register a fault handler that does not perform range checks, allows local users to access kernel memory via an out-of-range offset. (CVE-2008-0007) Integer overflow in the hrtimer_start function in kernel/hrtimer.c in the Linux kernel before 2.6.23.10 allows local users to execute arbitrary code or cause a denial of service (panic) via a large relative timeout value. NOTE: some of these details are obtained from third-party information. (CVE-2007-5966) The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through 2.6.23 does not properly clear allocated memory in some rare circumstances related to tmpfs, which might allow local users to read sensitive kernel data or cause a denial of service (crash). (CVE-2007-6417) The isdn_ioctl function in isdn_common.c in Linux kernel 2.6.23 allows local users to cause a denial of service via a crafted ioctl struct in which iocts is not null terminated, which triggers a buffer overflow. (CVE-2007-6151) The do_coredump function in fs/exec.c in Linux kernel 2.4.x and 2.6.x up to 2.6.24-rc3, and possibly other versions, does not change the UID of a core dump file if it exists before a root process creates a core dump in the same location, which might allow local users to obtain sensitive information. (CVE-2007-6206) Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel 2.6.23 allows local users to have an unknown impact via a crafted argument to the isdn_ioctl function. (CVE-2007-6063) The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors. NOTE: some of these details are obtained from third-party information. (CVE-2007-5500) The minix filesystem code in Linux kernel 2.6.x before 2.6.24, including 2.6.18, allows local users to cause a denial of service (hang) via a malformed minix file stream that triggers an infinite loop in the minix_bmap function. NOTE: this issue might be due to an integer overflow or signedness error. (CVE-2006-6058) To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate last seen 2020-06-01 modified 2020-06-02 plugin id 36852 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36852 title Mandriva Linux Security Advisory : kernel (MDVSA-2008:112) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2008:112. # The text itself is copyright (C) Mandriva S.A. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(36852); script_version ("1.16"); script_cvs_date("Date: 2019/08/02 13:32:50"); script_cve_id("CVE-2006-6058", "CVE-2007-5500", "CVE-2007-5966", "CVE-2007-6063", "CVE-2007-6151", "CVE-2007-6206", "CVE-2007-6417", "CVE-2008-0001", "CVE-2008-0007", "CVE-2008-2358"); script_xref(name:"MDVSA", value:"2008:112"); script_name(english:"Mandriva Linux Security Advisory : kernel (MDVSA-2008:112)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : The Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.18, and probably other versions, does not properly check feature lengths, which might allow remote attackers to execute arbitrary code, related to an unspecified overflow. (CVE-2008-2358) VFS in the Linux kernel before 2.6.22.16, and 2.6.23.x before 2.6.23.14, performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass intended permissions and remove directories. (CVE-2008-0001) Linux kernel before 2.6.22.17, when using certain drivers that register a fault handler that does not perform range checks, allows local users to access kernel memory via an out-of-range offset. (CVE-2008-0007) Integer overflow in the hrtimer_start function in kernel/hrtimer.c in the Linux kernel before 2.6.23.10 allows local users to execute arbitrary code or cause a denial of service (panic) via a large relative timeout value. NOTE: some of these details are obtained from third-party information. (CVE-2007-5966) The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through 2.6.23 does not properly clear allocated memory in some rare circumstances related to tmpfs, which might allow local users to read sensitive kernel data or cause a denial of service (crash). (CVE-2007-6417) The isdn_ioctl function in isdn_common.c in Linux kernel 2.6.23 allows local users to cause a denial of service via a crafted ioctl struct in which iocts is not null terminated, which triggers a buffer overflow. (CVE-2007-6151) The do_coredump function in fs/exec.c in Linux kernel 2.4.x and 2.6.x up to 2.6.24-rc3, and possibly other versions, does not change the UID of a core dump file if it exists before a root process creates a core dump in the same location, which might allow local users to obtain sensitive information. (CVE-2007-6206) Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel 2.6.23 allows local users to have an unknown impact via a crafted argument to the isdn_ioctl function. (CVE-2007-6063) The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors. NOTE: some of these details are obtained from third-party information. (CVE-2007-5500) The minix filesystem code in Linux kernel 2.6.x before 2.6.24, including 2.6.18, allows local users to cause a denial of service (hang) via a malformed minix file stream that triggers an infinite loop in the minix_bmap function. NOTE: this issue might be due to an integer overflow or signedness error. (CVE-2006-6058) To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_cwe_id(16, 119, 189, 200, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.6.17.19mdv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-doc-2.6.17.19mdv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-doc-latest"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.6.17.19mdv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-latest"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-latest"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-legacy-2.6.17.19mdv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-legacy-latest"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-2.6.17.19mdv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-latest"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-stripped-2.6.17.19mdv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-stripped-latest"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xen0-2.6.17.19mdv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xen0-latest"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xenU-2.6.17.19mdv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xenU-latest"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007.1"); script_set_attribute(attribute:"patch_publication_date", value:"2008/06/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2007.1", reference:"kernel-2.6.17.19mdv-1-1mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", reference:"kernel-doc-2.6.17.19mdv-1-1mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", reference:"kernel-doc-latest-2.6.17-19mdv", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"kernel-enterprise-2.6.17.19mdv-1-1mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"kernel-enterprise-latest-2.6.17-19mdv", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", reference:"kernel-latest-2.6.17-19mdv", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"kernel-legacy-2.6.17.19mdv-1-1mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"kernel-legacy-latest-2.6.17-19mdv", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", reference:"kernel-source-2.6.17.19mdv-1-1mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", reference:"kernel-source-latest-2.6.17-19mdv", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", reference:"kernel-source-stripped-2.6.17.19mdv-1-1mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", reference:"kernel-source-stripped-latest-2.6.17-19mdv", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", reference:"kernel-xen0-2.6.17.19mdv-1-1mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", reference:"kernel-xen0-latest-2.6.17-19mdv", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", reference:"kernel-xenU-2.6.17.19mdv-1-1mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", reference:"kernel-xenU-latest-2.6.17-19mdv", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2008-0973.NASL description Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 3. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local, unprivileged user to prepare and run a specially crafted binary which would use this deficiency to leak uninitialized and potentially sensitive data. (CVE-2008-0598, Important) * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local, unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * missing capability checks were found in the SBNI WAN driver which could allow a local user to bypass intended capability restrictions. (CVE-2008-3525, Important) * the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local, unprivileged user to obtain access to privileged information. (CVE-2008-4210, Important) * a buffer overflow flaw was found in Integrated Services Digital Network (ISDN) subsystem. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2007-6063, Moderate) * multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) * a deficiency was found in the Linux kernel virtual filesystem (VFS) implementation. This could allow a local, unprivileged user to attempt file creation within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) This update also fixes the following bugs : * the incorrect kunmap function was used in nfs_xdr_readlinkres. kunmap() was used where kunmap_atomic() should have been. As a consequence, if an NFSv2 or NFSv3 server exported a volume containing a symlink which included a path equal to or longer than the local system last seen 2020-06-01 modified 2020-06-02 plugin id 35186 published 2008-12-17 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35186 title CentOS 3 : kernel (CESA-2008:0973) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2008:0973 and # CentOS Errata and Security Advisory 2008:0973 respectively. # include("compat.inc"); if (description) { script_id(35186); script_version("1.22"); script_cvs_date("Date: 2019/10/25 13:36:04"); script_cve_id("CVE-2007-6063", "CVE-2008-0598", "CVE-2008-2136", "CVE-2008-2812", "CVE-2008-3275", "CVE-2008-3525", "CVE-2008-4210"); script_bugtraq_id(26605, 29235, 29942, 30076, 30647, 31368); script_xref(name:"RHSA", value:"2008:0973"); script_name(english:"CentOS 3 : kernel (CESA-2008:0973)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 3. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local, unprivileged user to prepare and run a specially crafted binary which would use this deficiency to leak uninitialized and potentially sensitive data. (CVE-2008-0598, Important) * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local, unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * missing capability checks were found in the SBNI WAN driver which could allow a local user to bypass intended capability restrictions. (CVE-2008-3525, Important) * the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local, unprivileged user to obtain access to privileged information. (CVE-2008-4210, Important) * a buffer overflow flaw was found in Integrated Services Digital Network (ISDN) subsystem. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2007-6063, Moderate) * multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) * a deficiency was found in the Linux kernel virtual filesystem (VFS) implementation. This could allow a local, unprivileged user to attempt file creation within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) This update also fixes the following bugs : * the incorrect kunmap function was used in nfs_xdr_readlinkres. kunmap() was used where kunmap_atomic() should have been. As a consequence, if an NFSv2 or NFSv3 server exported a volume containing a symlink which included a path equal to or longer than the local system's PATH_MAX, accessing the link caused a kernel oops. This has been corrected in this update. * mptctl_gettargetinfo did not check if pIoc3 was NULL before using it as a pointer. This caused a kernel panic in mptctl_gettargetinfo in some circumstances. A check has been added which prevents this. * lost tick compensation code in the timer interrupt routine triggered without apparent cause. When running as a fully-virtualized client, this spurious triggering caused the 64-bit version of Red Hat Enterprise Linux 3 to present highly inaccurate times. With this update the lost tick compensation code is turned off when the operating system is running as a fully-virtualized client under Xen or VMware(r). All Red Hat Enterprise Linux 3 users should install this updated kernel which addresses these vulnerabilities and fixes these bugs." ); # https://lists.centos.org/pipermail/centos-announce/2008-December/015501.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6d254e94" ); # https://lists.centos.org/pipermail/centos-announce/2008-December/015502.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?7e5400ed" ); # https://lists.centos.org/pipermail/centos-announce/2009-February/015578.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?20f73922" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(20, 119, 200, 264, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-BOOT"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-hugemem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-hugemem-unsupported"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-smp-unsupported"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-unsupported"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/11/20"); script_set_attribute(attribute:"patch_publication_date", value:"2008/12/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/17"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-3", reference:"kernel-2.4.21-58.EL")) flag++; if (rpm_check(release:"CentOS-3", cpu:"i386", reference:"kernel-BOOT-2.4.21-58.EL")) flag++; if (rpm_check(release:"CentOS-3", reference:"kernel-doc-2.4.21-58.EL")) flag++; if (rpm_check(release:"CentOS-3", cpu:"i386", reference:"kernel-hugemem-2.4.21-58.EL")) flag++; if (rpm_check(release:"CentOS-3", cpu:"i386", reference:"kernel-hugemem-unsupported-2.4.21-58.EL")) flag++; if (rpm_check(release:"CentOS-3", cpu:"i386", reference:"kernel-smp-2.4.21-58.EL")) flag++; if (rpm_check(release:"CentOS-3", cpu:"x86_64", reference:"kernel-smp-2.4.21-58.EL")) flag++; if (rpm_check(release:"CentOS-3", cpu:"i386", reference:"kernel-smp-unsupported-2.4.21-58.EL")) flag++; if (rpm_check(release:"CentOS-3", cpu:"x86_64", reference:"kernel-smp-unsupported-2.4.21-58.EL")) flag++; if (rpm_check(release:"CentOS-3", reference:"kernel-source-2.4.21-58.EL")) flag++; if (rpm_check(release:"CentOS-3", reference:"kernel-unsupported-2.4.21-58.EL")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-BOOT / kernel-doc / kernel-hugemem / etc"); }
NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2008-2005.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - fix utrace dead_engine ops race - fix ptrace_attach leak - CVE-2007-5093: kernel PWC driver DoS - CVE-2007-6282: IPSec ESP kernel panics - CVE-2007-6712: kernel: infinite loop in highres timers (kernel hang) - CVE-2008-1615: kernel: ptrace: Unprivileged crash on x86_64 %cs corruption - CVE-2008-1294: kernel: setrlimit(RLIMIT_CPUINFO) with zero value doesn last seen 2020-06-01 modified 2020-06-02 plugin id 79447 published 2014-11-26 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79447 title OracleVM 2.1 : kernel (OVMSA-2008-2005) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The package checks in this plugin were extracted from OracleVM # Security Advisory OVMSA-2008-2005. # include("compat.inc"); if (description) { script_id(79447); script_version("1.10"); script_cvs_date("Date: 2019/10/25 13:36:06"); script_cve_id("CVE-2007-3104", "CVE-2007-5093", "CVE-2007-5938", "CVE-2007-6063", "CVE-2007-6282", "CVE-2007-6712", "CVE-2008-0001", "CVE-2008-0598", "CVE-2008-1294", "CVE-2008-1375", "CVE-2008-1615", "CVE-2008-2136", "CVE-2008-2358", "CVE-2008-2812"); script_bugtraq_id(24631, 26605, 27280, 29003, 29081, 29086, 29235, 29603, 29942, 30076); script_name(english:"OracleVM 2.1 : kernel (OVMSA-2008-2005)"); script_summary(english:"Checks the RPM output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote OracleVM host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The remote OracleVM system is missing necessary patches to address critical security updates : - fix utrace dead_engine ops race - fix ptrace_attach leak - CVE-2007-5093: kernel PWC driver DoS - CVE-2007-6282: IPSec ESP kernel panics - CVE-2007-6712: kernel: infinite loop in highres timers (kernel hang) - CVE-2008-1615: kernel: ptrace: Unprivileged crash on x86_64 %cs corruption - CVE-2008-1294: kernel: setrlimit(RLIMIT_CPUINFO) with zero value doesn't inherit properly across children - CVE-2008-2136: kernel: sit memory leak - CVE-2008-2812: kernel: NULL ptr dereference in multiple network drivers due to missing checks in tty code - restore linux-2.6-x86-clear-df-flag-for-signal-handlers.patch - restore linux-2.6-utrace.patch / linux-2.6-xen-utrace.patch - Kernel security erratas for OVM 2.1.2 from bz#5932 : - CVE-2007-6063: isdn: fix possible isdn_net buffer overflows - CVE-2007-3104 Null pointer to an inode in a dentry can cause an oops in sysfs_readdir - CVE-2008-0598: write system call vulnerability - CVE-2008-1375: kernel: race condition in dnotify - CVE-2008-0001: kernel: filesystem corruption by unprivileged user via directory truncation - CVE-2008-2358: dccp: sanity check feature length - CVE-2007-5938: NULL dereference in iwl driver - RHSA-2008:0508: kernel: [x86_64] The string instruction version didn't zero the output on exception. - kernel: clear df flag for signal handlers - fs: missing dput in do_lookup error leaks dentries - sysfs: fix condition check in sysfs_drop_dentry - sysfs: fix race condition around sd->s_dentry - ieee80211: off-by-two integer underflow" ); # https://oss.oracle.com/pipermail/oraclevm-errata/2008-September/000003.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?97ce6a60" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(16, 20, 119, 189, 200, 362, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-BOOT"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-BOOT-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-kdump"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-kdump-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-ovs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-ovs-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/26"); script_set_attribute(attribute:"patch_publication_date", value:"2008/09/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/26"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"OracleVM Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/OracleVM/release"); if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM"); if (! preg(pattern:"^OVS" + "2\.1" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 2.1", "OracleVM " + release); if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu); flag = 0; if (rpm_check(release:"OVS2.1", reference:"kernel-BOOT-2.6.18-8.1.15.1.19.el5")) flag++; if (rpm_check(release:"OVS2.1", reference:"kernel-BOOT-devel-2.6.18-8.1.15.1.19.el5")) flag++; if (rpm_check(release:"OVS2.1", reference:"kernel-kdump-2.6.18-8.1.15.1.19.el5")) flag++; if (rpm_check(release:"OVS2.1", reference:"kernel-kdump-devel-2.6.18-8.1.15.1.19.el5")) flag++; if (rpm_check(release:"OVS2.1", reference:"kernel-ovs-2.6.18-8.1.15.1.19.el5")) flag++; if (rpm_check(release:"OVS2.1", reference:"kernel-ovs-devel-2.6.18-8.1.15.1.19.el5")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-BOOT / kernel-BOOT-devel / kernel-kdump / kernel-kdump-devel / etc"); }
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2008-0973.NASL description Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 3. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local, unprivileged user to prepare and run a specially crafted binary which would use this deficiency to leak uninitialized and potentially sensitive data. (CVE-2008-0598, Important) * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local, unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * missing capability checks were found in the SBNI WAN driver which could allow a local user to bypass intended capability restrictions. (CVE-2008-3525, Important) * the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local, unprivileged user to obtain access to privileged information. (CVE-2008-4210, Important) * a buffer overflow flaw was found in Integrated Services Digital Network (ISDN) subsystem. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2007-6063, Moderate) * multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) * a deficiency was found in the Linux kernel virtual filesystem (VFS) implementation. This could allow a local, unprivileged user to attempt file creation within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) This update also fixes the following bugs : * the incorrect kunmap function was used in nfs_xdr_readlinkres. kunmap() was used where kunmap_atomic() should have been. As a consequence, if an NFSv2 or NFSv3 server exported a volume containing a symlink which included a path equal to or longer than the local system last seen 2020-06-01 modified 2020-06-02 plugin id 35190 published 2008-12-17 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35190 title RHEL 3 : kernel (RHSA-2008:0973) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2008:0973. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(35190); script_version ("1.34"); script_cvs_date("Date: 2019/10/25 13:36:13"); script_cve_id("CVE-2007-6063", "CVE-2008-0598", "CVE-2008-2136", "CVE-2008-2812", "CVE-2008-3275", "CVE-2008-3525", "CVE-2008-4210"); script_bugtraq_id(26605, 29235, 29942, 30076, 30647, 31368); script_xref(name:"RHSA", value:"2008:0973"); script_name(english:"RHEL 3 : kernel (RHSA-2008:0973)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 3. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local, unprivileged user to prepare and run a specially crafted binary which would use this deficiency to leak uninitialized and potentially sensitive data. (CVE-2008-0598, Important) * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local, unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * missing capability checks were found in the SBNI WAN driver which could allow a local user to bypass intended capability restrictions. (CVE-2008-3525, Important) * the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local, unprivileged user to obtain access to privileged information. (CVE-2008-4210, Important) * a buffer overflow flaw was found in Integrated Services Digital Network (ISDN) subsystem. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2007-6063, Moderate) * multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) * a deficiency was found in the Linux kernel virtual filesystem (VFS) implementation. This could allow a local, unprivileged user to attempt file creation within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) This update also fixes the following bugs : * the incorrect kunmap function was used in nfs_xdr_readlinkres. kunmap() was used where kunmap_atomic() should have been. As a consequence, if an NFSv2 or NFSv3 server exported a volume containing a symlink which included a path equal to or longer than the local system's PATH_MAX, accessing the link caused a kernel oops. This has been corrected in this update. * mptctl_gettargetinfo did not check if pIoc3 was NULL before using it as a pointer. This caused a kernel panic in mptctl_gettargetinfo in some circumstances. A check has been added which prevents this. * lost tick compensation code in the timer interrupt routine triggered without apparent cause. When running as a fully-virtualized client, this spurious triggering caused the 64-bit version of Red Hat Enterprise Linux 3 to present highly inaccurate times. With this update the lost tick compensation code is turned off when the operating system is running as a fully-virtualized client under Xen or VMware(r). All Red Hat Enterprise Linux 3 users should install this updated kernel which addresses these vulnerabilities and fixes these bugs." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2007-6063" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-0598" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-2136" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-2812" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-3275" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-3525" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-4210" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2008:0973" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(20, 119, 200, 264, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-BOOT"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem-unsupported"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp-unsupported"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-unsupported"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/11/20"); script_set_attribute(attribute:"patch_publication_date", value:"2008/12/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/17"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2007-6063", "CVE-2008-0598", "CVE-2008-2136", "CVE-2008-2812", "CVE-2008-3275", "CVE-2008-3525", "CVE-2008-4210"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2008:0973"); } else { __rpm_report = ksplice_reporting_text(); } } yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2008:0973"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL3", reference:"kernel-2.4.21-58.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"i386", reference:"kernel-BOOT-2.4.21-58.EL")) flag++; if (rpm_check(release:"RHEL3", reference:"kernel-doc-2.4.21-58.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-hugemem-2.4.21-58.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-hugemem-unsupported-2.4.21-58.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-smp-2.4.21-58.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"x86_64", reference:"kernel-smp-2.4.21-58.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-smp-unsupported-2.4.21-58.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"x86_64", reference:"kernel-smp-unsupported-2.4.21-58.EL")) flag++; if (rpm_check(release:"RHEL3", reference:"kernel-source-2.4.21-58.EL")) flag++; if (rpm_check(release:"RHEL3", reference:"kernel-unsupported-2.4.21-58.EL")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-BOOT / kernel-doc / kernel-hugemem / etc"); } }
NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4745.NASL description This kernel update fixes the following security problems : - The sysfs_readdir function in the Linux kernel 2.6 allows local users to cause a denial of service (kernel OOPS) by dereferencing a NULL pointer to an inode in a dentry. (CVE-2007-3104) - A 2 byte buffer underflow in the ieee80211 stack was fixed, which might be used by attackers in the local WLAN reach to crash the machine. (CVE-2007-4997) - The CIFS filesystem, when Unix extension support is enabled, did not honor the umask of a process, which allowed local users to gain privileges. (CVE-2007-3740) - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This problem affects the x86_64 platform only, on all distributions. (CVE-2007-4573) This problem was fixed for regular kernels, but had not been fixed for the XEN kernels. This update fixes the problem also for the XEN kernels. - The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid did not check permissions for ioctls, which might have allowed local users to cause a denial of service or gain privileges. (CVE-2007-4308) - The Linux kernel checked the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. (CVE-2007-3843) - Multiple buffer overflows in CIFS VFS in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function. (CVE-2007-5904) This requires the attacker to mis-present / replace a CIFS server the client machine is connected to. - Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux kernel allowed local users to have an unknown impact via a crafted argument to the isdn_ioctl function. (CVE-2007-6063) and the following non security bugs : - patches.drivers/pci-delete-ACPI-hook-from-pci_set_power_stat e.patch: Delete ACPI hook from pci_set_power_state() [#162320] Still execute the code on Lenovo ThinkPads (or USB ports do not work anymore after suspend [#329232] - patches.drivers/alsa-post-sp1-hda-probe-blacklist: [ALSA] hda-intel - Add probe_mask blacklist [#172330] - patches.drivers/alsa-post-sp1-hda-robust-probe: [ALSA] hda-intel - Improve HD-audio codec probing robustness [#172330] - patches.arch/i386-hpet-lost-interrupts-fix.patch: Backport i386 hpet lost interrupts code [#257035] - patches.fixes/megaraid_mbox-dell-cerc-support: Dell CERC support for megaraid_mbox [#267134] - patches.fixes/nfsv4-MAXNAME-fix.diff: knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME [#271803] - patches.drivers/ide-amd74xx-add-ignore_enablebits-parameter: amd74xx: add ignore_enable_bits module parameter [#272786] - patches.fixes/legacy-pty-count-kernel-parm.patch: Add a kernel boot parameter to overwrite the legacy PTY count. The default value of 64 is insufficient occasionally [#277846] - patches.fixes/lockd-grant-shutdown: Stop GRANT callback from crashing if NFS server has been stopped. [#292478] - Kernel update to 2.6.16.54 [#298719] including (among others) : - lots of md fixes - fix of sparc bugs - fix of TCP handling of SACK in bidirectional flows - fix of MCA bus matching - fix of PPC issues : - Fix osize too small errors when decoding mppe. - Fix output buffer size in ppp_decompress_frame(). - patches.fixes/assign-task_struct.exit_code-before-taskstats_ exit.patch: Assign task_struct.exit_code before taskstats_exit() [#307504] - patches.fixes/bonding_no_addrconf_for_bond_slaves: bonding / ipv6: no addrconf for slaves separately from master. [#310254] - patches.fixes/bonding_support_carrier_state_for_master: bonding: support carrier state for master [#310254] - patches.fixes/fix-sys-devices-system-node-node0-meminfo-from -having-anonpages-wrapped.patch: fix /sys/devices/system/node/node0/meminfo from having anonpages wrapped [#310744] - patches.fixes/nfs-remove-bogus-cache-change-attribute-check. diff fix bogus cache change to make data available immediately, on direct write [#325877] - patches.fixes/tcp-send-ACKs-each-2nd-received-segment.patch: Send ACKs each 2nd received segment. This fixes a problem where the tcp cubic congestion algorithm was too slow in converging [#327848] - patches.drivers/libata-fix-spindown: libata: fix disk spindown on shutdown [#330722] - patches.fixes/scsi-reset-resid: busy status on tape write results in incorrect residual [#330926] - patches.fixes/condense-output-of-show_free_areas.patch: Condense output of show_free_areas() [#331251] - patches.arch/powernowk8_family_freq_from_fiddid.patch: To find the frequency given the fid and did is family dependent. [#332722] - patches.fixes/tcp-saner-thash_entries-default.patch: Limit the size of the TCP established hash to 512k entries by default [#333273] - patches.drivers/alsa-emu10k1-spdif-mem-fix: [ALSA] emu10k1 - Fix memory corruption [#333314] - patches.drivers/alsa-post-sp1-hda-stac-error-fix: [ALSA] Fix error probing with STAC codecs [#333320] - patches.fixes/qla2xxx-avoid-duplicate-pci_disable_device : Fixup patch to not refer to stale pointer [#333542] - large backport of dm-crypt fixes: [#333905] - patches.fixes/dm-disable_barriers.diff: dm: disable barriers. - patches.fixes/dm-crypt-restructure_for_workqueue_change.diff - patches.fixes/dm-crypt-restructure_write_processing.diff - patches.fixes/dm-crypt-move_io_to_workqueue.diff - patches.fixes/dm-crypt-use_private_biosets.diff - patches.fixes/dm-crypt-fix_call_to_clone_init.diff - patches.fixes/dm-crypt-fix_avoid_cloned_bio_ref_after_free.d iff - patches.fixes/dm-crypt-fix_remove_first_clone.diff - patches.fixes/dm-crypt-use_smaller_bvecs_in_clones.diff - patches.fixes/dm-crypt-fix_panic_on_large_request.diff - patches.fixes/initramfs-fix-cpio-hardlink-check.patch: initramfs: fix CPIO hardlink check [#334612] - patches.drivers/lpfc-8.1.10.12-update: driver update to fix severe issues in lpfc 8.1.10.9 driver [#334630] [#342044] - patches.fixes/nfs-direct-io-fix-1: NFS: Fix error handling in nfs_direct_write_result() [#336200] - patches.fixes/nfs-direct-io-fix-2: NFS: Fix a refcount leakage in O_DIRECT [#336200] - add patches.drivers/ibmvscsi-migration-login.patch prohibit IO during adapter login process [#337980] - patches.arch/acpi_thinkpad_brightness_fix.patch: Take care of latest Lenovo ThinkPad brightness control [#338274] [#343660] - patches.fixes/ramdisk-2.6.23-corruption_fix.diff: rd: fix data corruption on memory pressure [#338643] - patches.fixes/fc_transport-remove-targets-on-host-remove : memory use after free error in mptfc [#338730] - patches.fixes/ipmi-ipmi_msghandler.c-fix-a-memory-leak.patch : IPMI: ipmi_msghandler.c: fix a memory leak [#339413] - add patches.arch/ppc-pseries-rtas_ibm_suspend_me.patch fix multiple bugs in rtas_ibm_suspend_me code [#339927] - patches.fixes/nfsacl-retval.diff: knfsd: fix spurious EINVAL errors on first access of new filesystem [#340873] - patches.fixes/avm-fix-capilib-locking: [ISDN] Fix random hard freeze with AVM cards. [#341894] - patches.fixes/ipv6_rh_processing_fix: [IPV6]: Restore semantics of Routing Header processing [#343100] - The following set of XEN fixes has been applied: [#343612] - patches.xen/14280-net-fake-carrier-flag.patch: netfront: Better fix for netfront_tx_slot_available(). - patches.xen/14893-copy-more-skbs.patch: netback: Copy skbuffs that are presented to the start_xmit() function. - patches.xen/157-netfront-skb-deref.patch: net front: Avoid deref last seen 2020-06-01 modified 2020-06-02 plugin id 59125 published 2012-05-17 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59125 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4745) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(59125); script_version("1.6"); script_cvs_date("Date: 2019/10/25 13:36:30"); script_cve_id("CVE-2007-3104", "CVE-2007-3740", "CVE-2007-3843", "CVE-2007-4308", "CVE-2007-4573", "CVE-2007-4997", "CVE-2007-5904", "CVE-2007-6063"); script_name(english:"SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4745)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "This kernel update fixes the following security problems : - The sysfs_readdir function in the Linux kernel 2.6 allows local users to cause a denial of service (kernel OOPS) by dereferencing a NULL pointer to an inode in a dentry. (CVE-2007-3104) - A 2 byte buffer underflow in the ieee80211 stack was fixed, which might be used by attackers in the local WLAN reach to crash the machine. (CVE-2007-4997) - The CIFS filesystem, when Unix extension support is enabled, did not honor the umask of a process, which allowed local users to gain privileges. (CVE-2007-3740) - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This problem affects the x86_64 platform only, on all distributions. (CVE-2007-4573) This problem was fixed for regular kernels, but had not been fixed for the XEN kernels. This update fixes the problem also for the XEN kernels. - The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid did not check permissions for ioctls, which might have allowed local users to cause a denial of service or gain privileges. (CVE-2007-4308) - The Linux kernel checked the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. (CVE-2007-3843) - Multiple buffer overflows in CIFS VFS in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function. (CVE-2007-5904) This requires the attacker to mis-present / replace a CIFS server the client machine is connected to. - Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux kernel allowed local users to have an unknown impact via a crafted argument to the isdn_ioctl function. (CVE-2007-6063) and the following non security bugs : - patches.drivers/pci-delete-ACPI-hook-from-pci_set_power_stat e.patch: Delete ACPI hook from pci_set_power_state() [#162320] Still execute the code on Lenovo ThinkPads (or USB ports do not work anymore after suspend [#329232] - patches.drivers/alsa-post-sp1-hda-probe-blacklist: [ALSA] hda-intel - Add probe_mask blacklist [#172330] - patches.drivers/alsa-post-sp1-hda-robust-probe: [ALSA] hda-intel - Improve HD-audio codec probing robustness [#172330] - patches.arch/i386-hpet-lost-interrupts-fix.patch: Backport i386 hpet lost interrupts code [#257035] - patches.fixes/megaraid_mbox-dell-cerc-support: Dell CERC support for megaraid_mbox [#267134] - patches.fixes/nfsv4-MAXNAME-fix.diff: knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME [#271803] - patches.drivers/ide-amd74xx-add-ignore_enablebits-parameter: amd74xx: add ignore_enable_bits module parameter [#272786] - patches.fixes/legacy-pty-count-kernel-parm.patch: Add a kernel boot parameter to overwrite the legacy PTY count. The default value of 64 is insufficient occasionally [#277846] - patches.fixes/lockd-grant-shutdown: Stop GRANT callback from crashing if NFS server has been stopped. [#292478] - Kernel update to 2.6.16.54 [#298719] including (among others) : - lots of md fixes - fix of sparc bugs - fix of TCP handling of SACK in bidirectional flows - fix of MCA bus matching - fix of PPC issues : - Fix osize too small errors when decoding mppe. - Fix output buffer size in ppp_decompress_frame(). - patches.fixes/assign-task_struct.exit_code-before-taskstats_ exit.patch: Assign task_struct.exit_code before taskstats_exit() [#307504] - patches.fixes/bonding_no_addrconf_for_bond_slaves: bonding / ipv6: no addrconf for slaves separately from master. [#310254] - patches.fixes/bonding_support_carrier_state_for_master: bonding: support carrier state for master [#310254] - patches.fixes/fix-sys-devices-system-node-node0-meminfo-from -having-anonpages-wrapped.patch: fix /sys/devices/system/node/node0/meminfo from having anonpages wrapped [#310744] - patches.fixes/nfs-remove-bogus-cache-change-attribute-check. diff fix bogus cache change to make data available immediately, on direct write [#325877] - patches.fixes/tcp-send-ACKs-each-2nd-received-segment.patch: Send ACKs each 2nd received segment. This fixes a problem where the tcp cubic congestion algorithm was too slow in converging [#327848] - patches.drivers/libata-fix-spindown: libata: fix disk spindown on shutdown [#330722] - patches.fixes/scsi-reset-resid: busy status on tape write results in incorrect residual [#330926] - patches.fixes/condense-output-of-show_free_areas.patch: Condense output of show_free_areas() [#331251] - patches.arch/powernowk8_family_freq_from_fiddid.patch: To find the frequency given the fid and did is family dependent. [#332722] - patches.fixes/tcp-saner-thash_entries-default.patch: Limit the size of the TCP established hash to 512k entries by default [#333273] - patches.drivers/alsa-emu10k1-spdif-mem-fix: [ALSA] emu10k1 - Fix memory corruption [#333314] - patches.drivers/alsa-post-sp1-hda-stac-error-fix: [ALSA] Fix error probing with STAC codecs [#333320] - patches.fixes/qla2xxx-avoid-duplicate-pci_disable_device : Fixup patch to not refer to stale pointer [#333542] - large backport of dm-crypt fixes: [#333905] - patches.fixes/dm-disable_barriers.diff: dm: disable barriers. - patches.fixes/dm-crypt-restructure_for_workqueue_change.diff - patches.fixes/dm-crypt-restructure_write_processing.diff - patches.fixes/dm-crypt-move_io_to_workqueue.diff - patches.fixes/dm-crypt-use_private_biosets.diff - patches.fixes/dm-crypt-fix_call_to_clone_init.diff - patches.fixes/dm-crypt-fix_avoid_cloned_bio_ref_after_free.d iff - patches.fixes/dm-crypt-fix_remove_first_clone.diff - patches.fixes/dm-crypt-use_smaller_bvecs_in_clones.diff - patches.fixes/dm-crypt-fix_panic_on_large_request.diff - patches.fixes/initramfs-fix-cpio-hardlink-check.patch: initramfs: fix CPIO hardlink check [#334612] - patches.drivers/lpfc-8.1.10.12-update: driver update to fix severe issues in lpfc 8.1.10.9 driver [#334630] [#342044] - patches.fixes/nfs-direct-io-fix-1: NFS: Fix error handling in nfs_direct_write_result() [#336200] - patches.fixes/nfs-direct-io-fix-2: NFS: Fix a refcount leakage in O_DIRECT [#336200] - add patches.drivers/ibmvscsi-migration-login.patch prohibit IO during adapter login process [#337980] - patches.arch/acpi_thinkpad_brightness_fix.patch: Take care of latest Lenovo ThinkPad brightness control [#338274] [#343660] - patches.fixes/ramdisk-2.6.23-corruption_fix.diff: rd: fix data corruption on memory pressure [#338643] - patches.fixes/fc_transport-remove-targets-on-host-remove : memory use after free error in mptfc [#338730] - patches.fixes/ipmi-ipmi_msghandler.c-fix-a-memory-leak.patch : IPMI: ipmi_msghandler.c: fix a memory leak [#339413] - add patches.arch/ppc-pseries-rtas_ibm_suspend_me.patch fix multiple bugs in rtas_ibm_suspend_me code [#339927] - patches.fixes/nfsacl-retval.diff: knfsd: fix spurious EINVAL errors on first access of new filesystem [#340873] - patches.fixes/avm-fix-capilib-locking: [ISDN] Fix random hard freeze with AVM cards. [#341894] - patches.fixes/ipv6_rh_processing_fix: [IPV6]: Restore semantics of Routing Header processing [#343100] - The following set of XEN fixes has been applied: [#343612] - patches.xen/14280-net-fake-carrier-flag.patch: netfront: Better fix for netfront_tx_slot_available(). - patches.xen/14893-copy-more-skbs.patch: netback: Copy skbuffs that are presented to the start_xmit() function. - patches.xen/157-netfront-skb-deref.patch: net front: Avoid deref'ing skb after it is potentially freed. - patches.xen/263-xfs-unmap.patch: xfs: eagerly remove vmap mappings to avoid upsetting Xen. - patches.xen/xen-i386-set-fixmap: i386/PAE: avoid temporarily inconsistent pte-s. - patches.xen/xen-isa-dma: Suppress all use of ISA DMA on Xen. - patches.xen/xen-x86-panic-smp, - patches.xen/xen-netback-alloc, - patches.xen/xen-split-pt-lock, - patches.xen/137-netfront-copy-release.patch, - patches.xen/141-driver-autoload.patch, - patches.xen/xen-balloon-max-target, - patches.xen/xen-balloon-min, - patches.xen/xen-i386-highpte, - patches.xen/xen-intel-agp, - patches.xen/xen-multicall-check, - patches.xen/xen-x86-dcr-fallback, - patches.xen/xen-x86-pXX_val, - patches.xen/xen-x86-performance: Adjust. - patches.arch/acpi_backport_video.c.patch: Backport video driver from 2.6.23-rc9 [#343660] - patches.arch/acpi_find_bcl_support.patch: Store brightness/video functionality of ACPI provided by BIOS [#343660]" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-3104.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-3740.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-3843.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-4308.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-4573.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-4997.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-5904.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-6063.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 4745."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_cwe_id(119, 189, 264, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2007/11/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-default-2.6.16.54-0.2.3")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-smp-2.6.16.54-0.2.3")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-source-2.6.16.54-0.2.3")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-syms-2.6.16.54-0.2.3")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-xen-2.6.16.54-0.2.3")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-debug-2.6.16.54-0.2.3")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-default-2.6.16.54-0.2.3")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-kdump-2.6.16.54-0.2.3")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-smp-2.6.16.54-0.2.3")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-source-2.6.16.54-0.2.3")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-syms-2.6.16.54-0.2.3")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-xen-2.6.16.54-0.2.3")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else exit(0, "The host is not affected.");
NASL family Misc. NASL id VMWARE_VMSA-2009-0014_REMOTE.NASL description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components : - ISC DHCP dhclient - Integrated Services Digital Network (ISDN) subsystem - Java Runtime Environment (JRE) - Java SE Development Kit (JDK) - Java SE Web Start - Linux kernel - Linux kernel 32-bit and 64-bit emulation - Linux kernel Simple Internet Transition INET6 - Linux kernel tty - Linux kernel virtual file system (VFS) - Red Hat dhcpd init script for DHCP - SBNI WAN driver last seen 2020-06-01 modified 2020-06-02 plugin id 89116 published 2016-03-03 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89116 title VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0014) (remote check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(89116); script_version("1.5"); script_cvs_date("Date: 2018/08/06 14:03:16"); script_cve_id( "CVE-2007-6063", "CVE-2008-0598", "CVE-2008-2086", "CVE-2008-2136", "CVE-2008-2812", "CVE-2008-3275", "CVE-2008-3525", "CVE-2008-4210", "CVE-2008-5339", "CVE-2008-5340", "CVE-2008-5341", "CVE-2008-5342", "CVE-2008-5343", "CVE-2008-5344", "CVE-2008-5345", "CVE-2008-5346", "CVE-2008-5347", "CVE-2008-5348", "CVE-2008-5349", "CVE-2008-5350", "CVE-2008-5351", "CVE-2008-5352", "CVE-2008-5353", "CVE-2008-5354", "CVE-2008-5355", "CVE-2008-5356", "CVE-2008-5357", "CVE-2008-5358", "CVE-2008-5359", "CVE-2008-5360", "CVE-2009-0692", "CVE-2009-1093", "CVE-2009-1094", "CVE-2009-1095", "CVE-2009-1096", "CVE-2009-1097", "CVE-2009-1098", "CVE-2009-1099", "CVE-2009-1100", "CVE-2009-1101", "CVE-2009-1102", "CVE-2009-1103", "CVE-2009-1104", "CVE-2009-1105", "CVE-2009-1106", "CVE-2009-1107", "CVE-2009-1893" ); script_bugtraq_id( 26605, 29235, 29942, 30076, 30647, 31368, 32608, 32620, 32892, 34240, 35668, 35670 ); script_xref(name:"VMSA", value:"2009-0014"); script_name(english:"VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0014) (remote check)"); script_summary(english:"Checks the ESX / ESXi version and build number."); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a security-related patch."); script_set_attribute(attribute:"description", value: "The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components : - ISC DHCP dhclient - Integrated Services Digital Network (ISDN) subsystem - Java Runtime Environment (JRE) - Java SE Development Kit (JDK) - Java SE Web Start - Linux kernel - Linux kernel 32-bit and 64-bit emulation - Linux kernel Simple Internet Transition INET6 - Linux kernel tty - Linux kernel virtual file system (VFS) - Red Hat dhcpd init script for DHCP - SBNI WAN driver"); script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2009-0014"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the vendor advisory that pertains to ESX / ESXi version 3.5 / 4.0."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Sun Java Calendar Deserialization Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(16, 20, 59, 94, 119, 189, 200, 264, 287, 399); script_set_attribute(attribute:"vuln_publication_date", value:"2007/11/20"); script_set_attribute(attribute:"patch_publication_date", value:"2009/10/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/03"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc."); script_dependencies("vmware_vsphere_detect.nbin"); script_require_keys("Host/VMware/version", "Host/VMware/release"); script_require_ports("Host/VMware/vsphere"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); app_name = "VMware ESX"; version = get_kb_item_or_exit("Host/VMware/version"); release = get_kb_item_or_exit("Host/VMware/release"); port = get_kb_item_or_exit("Host/VMware/vsphere"); fixes = make_array(); fixes["ESX 3.5"] = 199239; fixes["ESX 4.0"] = 219382; fixes["ESXi 4.0"] = 208167; matches = eregmatch(pattern:'^VMware (ESXi?).*build-([0-9]+)$', string:release); if (empty_or_null(matches)) exit(1, 'Failed to extract the ESX / ESXi build number.'); type = matches[1]; build = int(matches[2]); fixed_build = fixes[version]; if (!isnull(fixed_build) && build < fixed_build) { padding = crap(data:" ", length:8 - strlen(type)); # Spacing alignment report = '\n ' + type + ' version' + padding + ': ' + version + '\n Installed build : ' + build + '\n Fixed build : ' + fixed_build + '\n'; security_report_v4(extra:report, port:port, severity:SECURITY_HOLE); } else audit(AUDIT_INST_VER_NOT_VULN, "VMware " + version + " build " + build);
NASL family Scientific Linux Local Security Checks NASL id SL_20081216_KERNEL_ON_SL3_X.NASL description This update addresses the following security issues : - Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local, unprivileged user to prepare and run a specially crafted binary which would use this deficiency to leak uninitialized and potentially sensitive data. (CVE-2008-0598, Important) - a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local, unprivileged user to cause a denial of service. (CVE-2008-2136, Important) - missing capability checks were found in the SBNI WAN driver which could allow a local user to bypass intended capability restrictions. (CVE-2008-3525, Important) - the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local, unprivileged user to obtain access to privileged information. (CVE-2008-4210, Important) - a buffer overflow flaw was found in Integrated Services Digital Network (ISDN) subsystem. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2007-6063, Moderate) - multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) - a deficiency was found in the Linux kernel virtual filesystem (VFS) implementation. This could allow a local, unprivileged user to attempt file creation within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) This update also fixes the following bugs : - the incorrect kunmap function was used in nfs_xdr_readlinkres. kunmap() was used where kunmap_atomic() should have been. As a consequence, if an NFSv2 or NFSv3 server exported a volume containing a symlink which included a path equal to or longer than the local system last seen 2020-06-01 modified 2020-06-02 plugin id 60507 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60507 title Scientific Linux Security Update : kernel on SL3.x i386/x86_64 NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4929.NASL description This kernel update fixes the following security problems : CVE-2008-0007: Insufficient range checks in certain fault handlers could be used by local attackers to potentially read or write kernel memory. CVE-2008-0001: Incorrect access mode checks could be used by local attackers to corrupt directory contents and so cause denial of service attacks or potentially execute code. CVE-2007-5966: Integer overflow in the hrtimer_start function in kernel/hrtimer.c in the Linux kernel before 2.6.23.10 allows local users to execute arbitrary code or cause a denial of service (panic) via a large relative timeout value. NOTE: some of these details are obtained from third-party information. CVE-2007-3843: The Linux kernel checked the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. CVE-2007-2242: The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers. CVE-2007-6417: The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through 2.6.23 does not properly clear allocated memory in some rare circumstances, which might allow local users to read sensitive kernel data or cause a denial of service (crash). CVE-2007-4308: The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid in the Linux kernel did not check permissions for ioctls, which might have allowed local users to cause a denial of service or gain privileges. CVE-2007-3740: The CIFS filesystem, when Unix extension support is enabled, does not honor the umask of a process, which allows local users to gain privileges. CVE-2007-3848: The Linux kernel allowed local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG). CVE-2007-4997: Integer underflow in the ieee80211_rx function in net/ieee80211/ieee80211_rx.c in the Linux kernel allowed remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set, aka an last seen 2020-06-01 modified 2020-06-02 plugin id 30142 published 2008-02-01 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/30142 title openSUSE 10 Security Update : kernel (kernel-4929) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2008-0055.NASL description Updated kernel packages that fix several security issues and a bug in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages fix the following security issues : A flaw was found in the virtual filesystem (VFS). A local unprivileged user could truncate directories to which they had write permission; this could render the contents of the directory inaccessible. (CVE-2008-0001, Important) A flaw was found in the implementation of ptrace. A local unprivileged user could trigger this flaw and possibly cause a denial of service (system hang). (CVE-2007-5500, Important) A flaw was found in the way the Red Hat Enterprise Linux 4 kernel handled page faults when a CPU used the NUMA method for accessing memory on Itanium architectures. A local unprivileged user could trigger this flaw and cause a denial of service (system panic). (CVE-2007-4130, Important) A possible NULL pointer dereference was found in the chrp_show_cpuinfo function when using the PowerPC architecture. This may have allowed a local unprivileged user to cause a denial of service (crash). (CVE-2007-6694, Moderate) A flaw was found in the way core dump files were created. If a local user can get a root-owned process to dump a core file into a directory, which the user has write access to, they could gain read access to that core file. This could potentially grant unauthorized access to sensitive information. (CVE-2007-6206, Moderate) Two buffer overflow flaws were found in the Linux kernel ISDN subsystem. A local unprivileged user could use these flaws to cause a denial of service. (CVE-2007-6063, CVE-2007-6151, Moderate) As well, these updated packages fix the following bug : * when moving volumes that contain multiple segments, and a mirror segment is not the first in the mapping table, running the last seen 2020-06-01 modified 2020-06-02 plugin id 30140 published 2008-02-01 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/30140 title RHEL 4 : kernel (RHSA-2008:0055) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-0001.NASL description Updated kernel packages that fix a number of security issues are now available for Red Hat Enterprise Linux 2.1 running on 32-bit architectures. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the IPv4 forwarding base. This could allow a local, unprivileged user to cause a denial of service. (CVE-2007-2172, Important) * a flaw was found in the handling of process death signals. This allowed a local, unprivileged user to send arbitrary signals to the suid-process executed by that user. Successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * when accessing kernel memory locations, certain Linux kernel drivers registering a fault handler did not perform required range checks. A local, unprivileged user could use this flaw to gain read or write access to arbitrary kernel memory, or possibly cause a denial of service. (CVE-2008-0007, Important) * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local, unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * missing capability checks were found in the SBNI WAN driver which could allow a local, unprivileged user to bypass intended capability restrictions. (CVE-2008-3525, Important) * a flaw was found in the way files were written using truncate() or ftruncate(). This could allow a local, unprivileged user to acquire the privileges of a different group and obtain access to sensitive information. (CVE-2008-4210, Important) * a race condition in the mincore system core allowed a local, unprivileged user to cause a denial of service. (CVE-2006-4814, Moderate) * a flaw was found in the aacraid SCSI driver. This allowed a local, unprivileged user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate) * two buffer overflow flaws were found in the Integrated Services Digital Network (ISDN) subsystem. A local, unprivileged user could use these flaws to cause a denial of service. (CVE-2007-6063, CVE-2007-6151, Moderate) * a flaw was found in the way core dump files were created. If a local, unprivileged user could make a root-owned process dump a core file into a user-writable directory, the user could gain read access to that core file, potentially compromising sensitive information. (CVE-2007-6206, Moderate) * a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to attempt file creation within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) All users of Red Hat Enterprise Linux 2.1 on 32-bit architectures should upgrade to these updated packages which address these vulnerabilities. For this update to take effect, the system must be rebooted. last seen 2020-06-01 modified 2020-06-02 plugin id 35323 published 2009-01-09 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35323 title RHEL 2.1 : kernel (RHSA-2009:0001) NASL family Scientific Linux Local Security Checks NASL id SL_20080305_KERNEL_ON_SL5_X.NASL description These updated packages fix the following security issues : - a flaw in the hypervisor for hosts running on Itanium architectures allowed an Intel VTi domain to read arbitrary physical memory from other Intel VTi domains, which could make information available to unauthorized users. (CVE-2007-6207, Important) - two buffer overflow flaws were found in ISDN subsystem. A local unprivileged user could use these flaws to cause a denial of service. (CVE-2007-5938: Important, CVE-2007-6063: Moderate) - a possible NULL pointer dereference was found in the subsystem used for showing CPU information, as used by CHRP systems on PowerPC architectures. This may have allowed a local unprivileged user to cause a denial of service (crash). (CVE-2007-6694, Moderate) - a flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped, possibly causing a denial of service. (CVE-2006-6921, Moderate) As well, these updated packages fix the following bugs : - a bug was found in the Linux kernel audit subsystem. When the audit daemon was setup to log the execve system call with a large number of arguments, the kernel could run out of memory, causing a kernel panic. - on IBM System z architectures, using the IBM Hardware Management Console to toggle IBM FICON channel path ids (CHPID) caused a file ID miscompare, possibly causing data corruption. - when running the IA-32 Execution Layer (IA-32EL) or a Java VM on Itanium architectures, a bug in the address translation in the hypervisor caused the wrong address to be registered, causing Dom0 to hang. - on Itanium architectures, frequent Corrected Platform Error errors may have caused the hypervisor to hang. - when enabling a CPU without hot plug support, routines for checking the presence of the CPU were missing. The CPU tried to access its own resources, causing a kernel panic. - after updating to kernel-2.6.18-53.el5, a bug in the CCISS driver caused the HP Array Configuration Utility CLI to become unstable, possibly causing a system hang, or a kernel panic. - a bug in NFS directory caching could have caused different hosts to have different views of NFS directories. - on Itanium architectures, the Corrected Machine Check Interrupt masked hot-added CPUs as disabled. - when running Oracle database software on the Intel 64 and AMD64 architectures, if an SGA larger than 4GB was created, and had hugepages allocated to it, the hugepages were not freed after database shutdown. - in a clustered environment, when two or more NFS clients had the same logical volume mounted, and one of them modified a file on the volume, NULL characters may have been inserted, possibly causing data corruption. These updated packages resolve several severe issues in the lpfc driver : - a system hang after LUN discovery. - a general fault protection, a NULL pointer dereference, or slab corruption could occur while running a debug on the kernel. - the inability to handle kernel paging requests in last seen 2020-06-01 modified 2020-06-02 plugin id 60370 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60370 title Scientific Linux Security Update : kernel on SL5.x i386/x86_64 NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2008-0055.NASL description From Red Hat Security Advisory 2008:0055 : Updated kernel packages that fix several security issues and a bug in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages fix the following security issues : A flaw was found in the virtual filesystem (VFS). A local unprivileged user could truncate directories to which they had write permission; this could render the contents of the directory inaccessible. (CVE-2008-0001, Important) A flaw was found in the implementation of ptrace. A local unprivileged user could trigger this flaw and possibly cause a denial of service (system hang). (CVE-2007-5500, Important) A flaw was found in the way the Red Hat Enterprise Linux 4 kernel handled page faults when a CPU used the NUMA method for accessing memory on Itanium architectures. A local unprivileged user could trigger this flaw and cause a denial of service (system panic). (CVE-2007-4130, Important) A possible NULL pointer dereference was found in the chrp_show_cpuinfo function when using the PowerPC architecture. This may have allowed a local unprivileged user to cause a denial of service (crash). (CVE-2007-6694, Moderate) A flaw was found in the way core dump files were created. If a local user can get a root-owned process to dump a core file into a directory, which the user has write access to, they could gain read access to that core file. This could potentially grant unauthorized access to sensitive information. (CVE-2007-6206, Moderate) Two buffer overflow flaws were found in the Linux kernel ISDN subsystem. A local unprivileged user could use these flaws to cause a denial of service. (CVE-2007-6063, CVE-2007-6151, Moderate) As well, these updated packages fix the following bug : * when moving volumes that contain multiple segments, and a mirror segment is not the first in the mapping table, running the last seen 2020-06-01 modified 2020-06-02 plugin id 67641 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67641 title Oracle Linux 4 : kernel (ELSA-2008-0055) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-578-1.NASL description The minix filesystem did not properly validate certain filesystem values. If a local attacker could trick the system into attempting to mount a corrupted minix filesystem, the kernel could be made to hang for long periods of time, resulting in a denial of service. (CVE-2006-6058) Alexander Schulze discovered that the skge driver does not properly use the spin_lock and spin_unlock functions. Remote attackers could exploit this by sending a flood of network traffic and cause a denial of service (crash). (CVE-2006-7229) Hugh Dickins discovered that hugetlbfs performed certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE. A local user could exploit this and cause a denial of service via kernel panic. (CVE-2007-4133) Chris Evans discovered an issue with certain drivers that use the ieee80211_rx function. Remote attackers could send a crafted 802.11 frame and cause a denial of service via crash. (CVE-2007-4997) Alex Smith discovered an issue with the pwc driver for certain webcam devices. A local user with physical access to the system could remove the device while a userspace application had it open and cause the USB subsystem to block. (CVE-2007-5093) Scott James Remnant discovered a coding error in ptrace. Local users could exploit this and cause the kernel to enter an infinite loop. (CVE-2007-5500) Venustech AD-LAB discovered a buffer overflow in the isdn net subsystem. This issue is exploitable by local users via crafted input to the isdn_ioctl function. (CVE-2007-6063) It was discovered that the isdn subsystem did not properly check for NULL termination when performing ioctl handling. A local user could exploit this to cause a denial of service. (CVE-2007-6151) Blake Frantz discovered that when a root process overwrote an existing core file, the resulting core file retained the previous core file last seen 2020-06-01 modified 2020-06-02 plugin id 31093 published 2008-02-14 reporter Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/31093 title Ubuntu 6.06 LTS : linux-source-2.6.15 vulnerabilities (USN-578-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1504.NASL description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-5823 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem. - CVE-2006-6054 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem. - CVE-2006-6058 LMH reported an issue in the minix filesystem that allows local users with mount privileges to create a DoS (printk flood) by mounting a specially crafted corrupt filesystem. - CVE-2006-7203 OpenVZ Linux kernel team reported an issue in the smbfs filesystem which can be exploited by local users to cause a DoS (oops) during mount. - CVE-2007-1353 Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. - CVE-2007-2172 Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. - CVE-2007-2525 Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. - CVE-2007-3105 The PaX Team discovered a potential buffer overflow in the random number generator which may permit local users to cause a denial of service or gain additional privileges. This issue is not believed to effect default Debian installations where only root has sufficient privileges to exploit it. - CVE-2007-3739 Adam Litke reported a potential local denial of service (oops) on powerpc platforms resulting from unchecked VMA expansion into address space reserved for hugetlb pages. - CVE-2007-3740 Steve French reported that CIFS filesystems with CAP_UNIX enabled were not honoring a process last seen 2020-06-01 modified 2020-06-02 plugin id 31148 published 2008-02-25 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31148 title Debian DSA-1504-1 : kernel-source-2.6.8 - several vulnerabilities NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2008-0154.NASL description Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw in the hypervisor for hosts running on Itanium architectures allowed an Intel VTi domain to read arbitrary physical memory from other Intel VTi domains, which could make information available to unauthorized users. (CVE-2007-6207, Important) * two buffer overflow flaws were found in ISDN subsystem. A local unprivileged user could use these flaws to cause a denial of service. (CVE-2007-5938: Important, CVE-2007-6063: Moderate) * a possible NULL pointer dereference was found in the subsystem used for showing CPU information, as used by CHRP systems on PowerPC architectures. This may have allowed a local unprivileged user to cause a denial of service (crash). (CVE-2007-6694, Moderate) * a flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped, possibly causing a denial of service. (CVE-2006-6921, Moderate) As well, these updated packages fix the following bugs : * a bug was found in the Linux kernel audit subsystem. When the audit daemon was setup to log the execve system call with a large number of arguments, the kernel could run out of memory, causing a kernel panic. * on IBM System z architectures, using the IBM Hardware Management Console to toggle IBM FICON channel path ids (CHPID) caused a file ID miscompare, possibly causing data corruption. * when running the IA-32 Execution Layer (IA-32EL) or a Java VM on Itanium architectures, a bug in the address translation in the hypervisor caused the wrong address to be registered, causing Dom0 to hang. * on Itanium architectures, frequent Corrected Platform Error errors may have caused the hypervisor to hang. * when enabling a CPU without hot plug support, routines for checking the presence of the CPU were missing. The CPU tried to access its own resources, causing a kernel panic. * after updating to kernel-2.6.18-53.el5, a bug in the CCISS driver caused the HP Array Configuration Utility CLI to become unstable, possibly causing a system hang, or a kernel panic. * a bug in NFS directory caching could have caused different hosts to have different views of NFS directories. * on Itanium architectures, the Corrected Machine Check Interrupt masked hot-added CPUs as disabled. * when running Oracle database software on the Intel 64 and AMD64 architectures, if an SGA larger than 4GB was created, and had hugepages allocated to it, the hugepages were not freed after database shutdown. * in a clustered environment, when two or more NFS clients had the same logical volume mounted, and one of them modified a file on the volume, NULL characters may have been inserted, possibly causing data corruption. These updated packages resolve several severe issues in the lpfc driver : * a system hang after LUN discovery. * a general fault protection, a NULL pointer dereference, or slab corruption could occur while running a debug on the kernel. * the inability to handle kernel paging requests in last seen 2020-06-01 modified 2020-06-02 plugin id 31388 published 2008-03-07 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/31388 title RHEL 5 : kernel (RHSA-2008:0154) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4752.NASL description This kernel update fixes the following security problems : ++ CVE-2007-3104: The sysfs_readdir function in the Linux kernel 2.6 allows local users to cause a denial of service (kernel OOPS) by dereferencing a NULL pointer to an inode in a dentry. ++ CVE-2007-4997: A 2 byte buffer underflow in the ieee80211 stack was fixed, which might be used by attackers in the local WLAN reach to crash the machine. ++ CVE-2007-3740: The CIFS filesystem, when Unix extension support is enabled, did not honor the umask of a process, which allowed local users to gain privileges. ++ CVE-2007-4573: It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This problem affects the x86_64 platform only, on all distributions. This problem was fixed for regular kernels, but had not been fixed for the XEN kernels. This update fixes the problem also for the XEN kernels. ++ CVE-2007-4308: The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid did not check permissions for ioctls, which might have allowed local users to cause a denial of service or gain privileges. ++ CVE-2007-3843: The Linux kernel checked the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. ++ CVE-2007-5904: Multiple buffer overflows in CIFS VFS in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function. This requires the attacker to mis-present / replace a CIFS server the client machine is connected to. ++ CVE-2007-6063: Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux kernel allowed local users to have an unknown impact via a crafted argument to the isdn_ioctl function. Furthermore, this kernel catches up to the SLE 10 state of the kernel, with numerous additional fixes. last seen 2020-06-01 modified 2020-06-02 plugin id 29880 published 2008-01-08 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29880 title openSUSE 10 Security Update : kernel (kernel-4752) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2008-0154.NASL description From Red Hat Security Advisory 2008:0154 : Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw in the hypervisor for hosts running on Itanium architectures allowed an Intel VTi domain to read arbitrary physical memory from other Intel VTi domains, which could make information available to unauthorized users. (CVE-2007-6207, Important) * two buffer overflow flaws were found in ISDN subsystem. A local unprivileged user could use these flaws to cause a denial of service. (CVE-2007-5938: Important, CVE-2007-6063: Moderate) * a possible NULL pointer dereference was found in the subsystem used for showing CPU information, as used by CHRP systems on PowerPC architectures. This may have allowed a local unprivileged user to cause a denial of service (crash). (CVE-2007-6694, Moderate) * a flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped, possibly causing a denial of service. (CVE-2006-6921, Moderate) As well, these updated packages fix the following bugs : * a bug was found in the Linux kernel audit subsystem. When the audit daemon was setup to log the execve system call with a large number of arguments, the kernel could run out of memory, causing a kernel panic. * on IBM System z architectures, using the IBM Hardware Management Console to toggle IBM FICON channel path ids (CHPID) caused a file ID miscompare, possibly causing data corruption. * when running the IA-32 Execution Layer (IA-32EL) or a Java VM on Itanium architectures, a bug in the address translation in the hypervisor caused the wrong address to be registered, causing Dom0 to hang. * on Itanium architectures, frequent Corrected Platform Error errors may have caused the hypervisor to hang. * when enabling a CPU without hot plug support, routines for checking the presence of the CPU were missing. The CPU tried to access its own resources, causing a kernel panic. * after updating to kernel-2.6.18-53.el5, a bug in the CCISS driver caused the HP Array Configuration Utility CLI to become unstable, possibly causing a system hang, or a kernel panic. * a bug in NFS directory caching could have caused different hosts to have different views of NFS directories. * on Itanium architectures, the Corrected Machine Check Interrupt masked hot-added CPUs as disabled. * when running Oracle database software on the Intel 64 and AMD64 architectures, if an SGA larger than 4GB was created, and had hugepages allocated to it, the hugepages were not freed after database shutdown. * in a clustered environment, when two or more NFS clients had the same logical volume mounted, and one of them modified a file on the volume, NULL characters may have been inserted, possibly causing data corruption. These updated packages resolve several severe issues in the lpfc driver : * a system hang after LUN discovery. * a general fault protection, a NULL pointer dereference, or slab corruption could occur while running a debug on the kernel. * the inability to handle kernel paging requests in last seen 2020-06-01 modified 2020-06-02 plugin id 67659 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67659 title Oracle Linux 5 : kernel (ELSA-2008-0154) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2008-0154.NASL description Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw in the hypervisor for hosts running on Itanium architectures allowed an Intel VTi domain to read arbitrary physical memory from other Intel VTi domains, which could make information available to unauthorized users. (CVE-2007-6207, Important) * two buffer overflow flaws were found in ISDN subsystem. A local unprivileged user could use these flaws to cause a denial of service. (CVE-2007-5938: Important, CVE-2007-6063: Moderate) * a possible NULL pointer dereference was found in the subsystem used for showing CPU information, as used by CHRP systems on PowerPC architectures. This may have allowed a local unprivileged user to cause a denial of service (crash). (CVE-2007-6694, Moderate) * a flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped, possibly causing a denial of service. (CVE-2006-6921, Moderate) As well, these updated packages fix the following bugs : * a bug was found in the Linux kernel audit subsystem. When the audit daemon was setup to log the execve system call with a large number of arguments, the kernel could run out of memory, causing a kernel panic. * on IBM System z architectures, using the IBM Hardware Management Console to toggle IBM FICON channel path ids (CHPID) caused a file ID miscompare, possibly causing data corruption. * when running the IA-32 Execution Layer (IA-32EL) or a Java VM on Itanium architectures, a bug in the address translation in the hypervisor caused the wrong address to be registered, causing Dom0 to hang. * on Itanium architectures, frequent Corrected Platform Error errors may have caused the hypervisor to hang. * when enabling a CPU without hot plug support, routines for checking the presence of the CPU were missing. The CPU tried to access its own resources, causing a kernel panic. * after updating to kernel-2.6.18-53.el5, a bug in the CCISS driver caused the HP Array Configuration Utility CLI to become unstable, possibly causing a system hang, or a kernel panic. * a bug in NFS directory caching could have caused different hosts to have different views of NFS directories. * on Itanium architectures, the Corrected Machine Check Interrupt masked hot-added CPUs as disabled. * when running Oracle database software on the Intel 64 and AMD64 architectures, if an SGA larger than 4GB was created, and had hugepages allocated to it, the hugepages were not freed after database shutdown. * in a clustered environment, when two or more NFS clients had the same logical volume mounted, and one of them modified a file on the volume, NULL characters may have been inserted, possibly causing data corruption. These updated packages resolve several severe issues in the lpfc driver : * a system hang after LUN discovery. * a general fault protection, a NULL pointer dereference, or slab corruption could occur while running a debug on the kernel. * the inability to handle kernel paging requests in last seen 2020-06-01 modified 2020-06-02 plugin id 43674 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43674 title CentOS 4 / 5 : kernel (CESA-2008:0154) NASL family Scientific Linux Local Security Checks NASL id SL_20080131_KERNEL_ON_SL4_X.NASL description These updated kernel packages fix the following security issues : A flaw was found in the virtual filesystem (VFS). A local unprivileged user could truncate directories to which they had write permission; this could render the contents of the directory inaccessible. (CVE-2008-0001, Important) A flaw was found in the implementation of ptrace. A local unprivileged user could trigger this flaw and possibly cause a denial of service (system hang). (CVE-2007-5500, Important) A flaw was found in the way the Red Hat Enterprise Linux 4 kernel handled page faults when a CPU used the NUMA method for accessing memory on Itanium architectures. A local unprivileged user could trigger this flaw and cause a denial of service (system panic). (CVE-2007-4130, Important) A possible NULL pointer dereference was found in the chrp_show_cpuinfo function when using the PowerPC architecture. This may have allowed a local unprivileged user to cause a denial of service (crash). (CVE-2007-6694, Moderate) A flaw was found in the way core dump files were created. If a local user can get a root-owned process to dump a core file into a directory, which the user has write access to, they could gain read access to that core file. This could potentially grant unauthorized access to sensitive information. (CVE-2007-6206, Moderate) Two buffer overflow flaws were found in the Linux kernel ISDN subsystem. A local unprivileged user could use these flaws to cause a denial of service. (CVE-2007-6063, CVE-2007-6151, Moderate) As well, these updated packages fix the following bug : - when moving volumes that contain multiple segments, and a mirror segment is not the first in the mapping table, running the last seen 2020-06-01 modified 2020-06-02 plugin id 60354 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60354 title Scientific Linux Security Update : kernel on SL4.x i386/x86_64 NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2008-0973.NASL description From Red Hat Security Advisory 2008:0973 : Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 3. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local, unprivileged user to prepare and run a specially crafted binary which would use this deficiency to leak uninitialized and potentially sensitive data. (CVE-2008-0598, Important) * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local, unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * missing capability checks were found in the SBNI WAN driver which could allow a local user to bypass intended capability restrictions. (CVE-2008-3525, Important) * the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local, unprivileged user to obtain access to privileged information. (CVE-2008-4210, Important) * a buffer overflow flaw was found in Integrated Services Digital Network (ISDN) subsystem. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2007-6063, Moderate) * multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) * a deficiency was found in the Linux kernel virtual filesystem (VFS) implementation. This could allow a local, unprivileged user to attempt file creation within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) This update also fixes the following bugs : * the incorrect kunmap function was used in nfs_xdr_readlinkres. kunmap() was used where kunmap_atomic() should have been. As a consequence, if an NFSv2 or NFSv3 server exported a volume containing a symlink which included a path equal to or longer than the local system last seen 2020-06-01 modified 2020-06-02 plugin id 67763 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67763 title Oracle Linux 3 : kernel (ELSA-2008-0973) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4741.NASL description This kernel update fixes the following security problems : - The sysfs_readdir function in the Linux kernel 2.6 allows local users to cause a denial of service (kernel OOPS) by dereferencing a NULL pointer to an inode in a dentry. (CVE-2007-3104) - A 2 byte buffer underflow in the ieee80211 stack was fixed, which might be used by attackers in the local WLAN reach to crash the machine. (CVE-2007-4997) - The CIFS filesystem, when Unix extension support is enabled, did not honor the umask of a process, which allowed local users to gain privileges. (CVE-2007-3740) - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This problem affects the x86_64 platform only, on all distributions. (CVE-2007-4573) This problem was fixed for regular kernels, but had not been fixed for the XEN kernels. This update fixes the problem also for the XEN kernels. - The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid did not check permissions for ioctls, which might have allowed local users to cause a denial of service or gain privileges. (CVE-2007-4308) - The Linux kernel checked the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. (CVE-2007-3843) - Multiple buffer overflows in CIFS VFS in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function. (CVE-2007-5904) This requires the attacker to mis-present / replace a CIFS server the client machine is connected to. - Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux kernel allowed local users to have an unknown impact via a crafted argument to the isdn_ioctl function. (CVE-2007-6063) and the following non security bugs : - patches.drivers/pci-delete-ACPI-hook-from-pci_set_power_stat e.patch: Delete ACPI hook from pci_set_power_state() [#162320] Still execute the code on Lenovo ThinkPads (or USB ports do not work anymore after suspend [#329232] - patches.drivers/alsa-post-sp1-hda-probe-blacklist: [ALSA] hda-intel - Add probe_mask blacklist [#172330] - patches.drivers/alsa-post-sp1-hda-robust-probe: [ALSA] hda-intel - Improve HD-audio codec probing robustness [#172330] - patches.arch/i386-hpet-lost-interrupts-fix.patch: Backport i386 hpet lost interrupts code [#257035] - patches.fixes/megaraid_mbox-dell-cerc-support: Dell CERC support for megaraid_mbox [#267134] - patches.fixes/nfsv4-MAXNAME-fix.diff: knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME [#271803] - patches.drivers/ide-amd74xx-add-ignore_enablebits-parameter: amd74xx: add ignore_enable_bits module parameter [#272786] - patches.fixes/legacy-pty-count-kernel-parm.patch: Add a kernel boot parameter to overwrite the legacy PTY count. The default value of 64 is insufficient occasionally [#277846] - patches.fixes/lockd-grant-shutdown: Stop GRANT callback from crashing if NFS server has been stopped. [#292478] - Kernel update to 2.6.16.54 [#298719] including (among others) : - lots of md fixes - fix of sparc bugs - fix of TCP handling of SACK in bidirectional flows - fix of MCA bus matching - fix of PPC issues : - Fix osize too small errors when decoding mppe. - Fix output buffer size in ppp_decompress_frame(). - patches.fixes/assign-task_struct.exit_code-before-taskstats_ exit.patch: Assign task_struct.exit_code before taskstats_exit() [#307504] - patches.fixes/bonding_no_addrconf_for_bond_slaves: bonding / ipv6: no addrconf for slaves separately from master. [#310254] - patches.fixes/bonding_support_carrier_state_for_master: bonding: support carrier state for master [#310254] - patches.fixes/fix-sys-devices-system-node-node0-meminfo-from -having-anonpages-wrapped.patch: fix /sys/devices/system/node/node0/meminfo from having anonpages wrapped [#310744] - patches.fixes/nfs-remove-bogus-cache-change-attribute-check. diff fix bogus cache change to make data available immediately, on direct write [#325877] - patches.fixes/tcp-send-ACKs-each-2nd-received-segment.patch: Send ACKs each 2nd received segment. This fixes a problem where the tcp cubic congestion algorithm was too slow in converging [#327848] - patches.drivers/libata-fix-spindown: libata: fix disk spindown on shutdown [#330722] - patches.fixes/scsi-reset-resid: busy status on tape write results in incorrect residual [#330926] - patches.fixes/condense-output-of-show_free_areas.patch: Condense output of show_free_areas() [#331251] - patches.arch/powernowk8_family_freq_from_fiddid.patch: To find the frequency given the fid and did is family dependent. [#332722] - patches.fixes/tcp-saner-thash_entries-default.patch: Limit the size of the TCP established hash to 512k entries by default [#333273] - patches.drivers/alsa-emu10k1-spdif-mem-fix: [ALSA] emu10k1 - Fix memory corruption [#333314] - patches.drivers/alsa-post-sp1-hda-stac-error-fix: [ALSA] Fix error probing with STAC codecs [#333320] - patches.fixes/qla2xxx-avoid-duplicate-pci_disable_device : Fixup patch to not refer to stale pointer [#333542] - large backport of dm-crypt fixes: [#333905] - patches.fixes/dm-disable_barriers.diff: dm: disable barriers. - patches.fixes/dm-crypt-restructure_for_workqueue_change.diff - patches.fixes/dm-crypt-restructure_write_processing.diff - patches.fixes/dm-crypt-move_io_to_workqueue.diff - patches.fixes/dm-crypt-use_private_biosets.diff - patches.fixes/dm-crypt-fix_call_to_clone_init.diff - patches.fixes/dm-crypt-fix_avoid_cloned_bio_ref_after_free.d iff - patches.fixes/dm-crypt-fix_remove_first_clone.diff - patches.fixes/dm-crypt-use_smaller_bvecs_in_clones.diff - patches.fixes/dm-crypt-fix_panic_on_large_request.diff - patches.fixes/initramfs-fix-cpio-hardlink-check.patch: initramfs: fix CPIO hardlink check [#334612] - patches.drivers/lpfc-8.1.10.12-update: driver update to fix severe issues in lpfc 8.1.10.9 driver [#334630] [#342044] - patches.fixes/nfs-direct-io-fix-1: NFS: Fix error handling in nfs_direct_write_result() [#336200] - patches.fixes/nfs-direct-io-fix-2: NFS: Fix a refcount leakage in O_DIRECT [#336200] - add patches.drivers/ibmvscsi-migration-login.patch prohibit IO during adapter login process [#337980] - patches.arch/acpi_thinkpad_brightness_fix.patch: Take care of latest Lenovo ThinkPad brightness control [#338274] [#343660] - patches.fixes/ramdisk-2.6.23-corruption_fix.diff: rd: fix data corruption on memory pressure [#338643] - patches.fixes/fc_transport-remove-targets-on-host-remove : memory use after free error in mptfc [#338730] - patches.fixes/ipmi-ipmi_msghandler.c-fix-a-memory-leak.patch : IPMI: ipmi_msghandler.c: fix a memory leak [#339413] - add patches.arch/ppc-pseries-rtas_ibm_suspend_me.patch fix multiple bugs in rtas_ibm_suspend_me code [#339927] - patches.fixes/nfsacl-retval.diff: knfsd: fix spurious EINVAL errors on first access of new filesystem [#340873] - patches.fixes/avm-fix-capilib-locking: [ISDN] Fix random hard freeze with AVM cards. [#341894] - patches.fixes/ipv6_rh_processing_fix: [IPV6]: Restore semantics of Routing Header processing [#343100] - The following set of XEN fixes has been applied: [#343612] - patches.xen/14280-net-fake-carrier-flag.patch: netfront: Better fix for netfront_tx_slot_available(). - patches.xen/14893-copy-more-skbs.patch: netback: Copy skbuffs that are presented to the start_xmit() function. - patches.xen/157-netfront-skb-deref.patch: net front: Avoid deref last seen 2020-06-01 modified 2020-06-02 plugin id 29489 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29489 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4741) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1503.NASL description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-2731 infamous41md reported multiple integer overflows in the Sbus PROM driver that would allow for a DoS (Denial of Service) attack by a local user, and possibly the execution of arbitrary code. - CVE-2006-4814 Doug Chapman discovered a potential local DoS (deadlock) in the mincore function caused by improper lock handling. - CVE-2006-5753 Eric Sandeen provided a fix for a local memory corruption vulnerability resulting from a misinterpretation of return values when operating on inodes which have been marked bad. - CVE-2006-5823 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem. - CVE-2006-6053 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext3 filesystem. - CVE-2006-6054 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem. - CVE-2006-6106 Marcel Holtman discovered multiple buffer overflows in the Bluetooth subsystem which can be used to trigger a remote DoS (crash) and potentially execute arbitrary code. - CVE-2007-1353 Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. - CVE-2007-1592 Masayuki Nakagawa discovered that flow labels were inadvertently being shared between listening sockets and child sockets. This defect can be exploited by local users to cause a DoS (Oops). - CVE-2007-2172 Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. - CVE-2007-2525 Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. - CVE-2007-3848 Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions which may allow local users to gain privileges by sending arbitrary signals to suid binaries. - CVE-2007-4308 Alan Cox reported an issue in the aacraid driver that allows unprivileged local users to make ioctl calls which should be restricted to admin privileges. - CVE-2007-4311 PaX team discovered an issue in the random driver where a defect in the reseeding code leads to a reduction in entropy. - CVE-2007-5093 Alex Smith discovered an issue with the pwc driver for certain webcam devices. If the device is removed while a userspace application has it open, the driver will wait for userspace to close the device, resulting in a blocked USB subsystem. This issue is of low security impact as it requires the attacker to either have physical access to the system or to convince a user with local access to remove the device on their behalf. - CVE-2007-6063 Venustech AD-LAB discovered a a buffer overflow in the isdn ioctl handling, exploitable by a local user. - CVE-2007-6151 ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data. - CVE-2007-6206 Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. - CVE-2007-6694 Cyrill Gorcunov reported a NULL pointer dereference in code specific to the CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial of Service (DoS). - CVE-2008-0007 Nick Piggin of SuSE discovered a number of issues in subsystems which register a fault handler for memory mapped areas. This issue can be exploited by local users to achieve a Denial of Service (DoS) and possibly execute arbitrary code. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update : Debian 3.1 (sarge) alsa-modules-i386 1.0.8+2sarge2 kernel-image-2.4.27-arm 2.4.27-2sarge6 kernel-image-2.4.27-m68k 2.4.27-3sarge6 kernel-image-speakup-i386 2.4.27-1.1sarge5 kernel-image-2.4.27-alpha 2.4.27-10sarge6 kernel-image-2.4.27-s390 2.4.27-2sarge6 kernel-image-2.4.27-sparc 2.4.27-9sarge6 kernel-image-2.4.27-i386 2.4.27-10sarge6 kernel-image-2.4.27-ia64 2.4.27-10sarge6 kernel-patch-2.4.27-mips 2.4.27-10.sarge4.040815-3 kernel-patch-powerpc-2.4.27 2.4.27-10sarge6 kernel-latest-2.4-alpha 101sarge3 kernel-latest-2.4-i386 101sarge2 kernel-latest-2.4-s390 2.4.27-1sarge2 kernel-latest-2.4-sparc 42sarge3 i2c 1:2.9.1-1sarge2 lm-sensors 1:2.9.1-1sarge4 mindi-kernel 2.4.27-2sarge5 pcmcia-modules-2.4.27-i386 3.2.5+2sarge2 hostap-modules-i386 1:0.3.7-1sarge3 systemimager 3.2.3-6sarge5 last seen 2020-06-01 modified 2020-06-02 plugin id 31147 published 2008-02-25 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31147 title Debian DSA-1503-1 : kernel-source-2.4.27 - several vulnerabilities
Oval
accepted 2010-01-11T04:01:49.666-05:00 class vulnerability contributors name Michael Wood organization Hewlett-Packard definition_extensions comment VMware ESX Server 3.5.0 is installed oval oval:org.mitre.oval:def:5887 description Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel 2.6.23 allows local users to have an unknown impact via a crafted argument to the isdn_ioctl function. family unix id oval:org.mitre.oval:def:6514 status accepted submitted 2009-09-23T15:39:02.000-04:00 title Linux Kernel ISDN_Net.C Local Buffer Overflow Vulnerability version 4 accepted 2013-04-29T04:22:44.181-04:00 class vulnerability contributors name Aharon Chernin organization SCAP.com, LLC name Dragos Prisaca organization G2, Inc.
definition_extensions comment The operating system installed on the system is Red Hat Enterprise Linux 3 oval oval:org.mitre.oval:def:11782 comment CentOS Linux 3.x oval oval:org.mitre.oval:def:16651 comment The operating system installed on the system is Red Hat Enterprise Linux 4 oval oval:org.mitre.oval:def:11831 comment CentOS Linux 4.x oval oval:org.mitre.oval:def:16636 comment Oracle Linux 4.x oval oval:org.mitre.oval:def:15990 comment The operating system installed on the system is Red Hat Enterprise Linux 5 oval oval:org.mitre.oval:def:11414 comment The operating system installed on the system is CentOS Linux 5.x oval oval:org.mitre.oval:def:15802 comment Oracle Linux 5.x oval oval:org.mitre.oval:def:15459
description Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel 2.6.23 allows local users to have an unknown impact via a crafted argument to the isdn_ioctl function. family unix id oval:org.mitre.oval:def:9846 status accepted submitted 2010-07-09T03:56:16-04:00 title Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel 2.6.23 allows local users to have an unknown impact via a crafted argument to the isdn_ioctl function. version 27
Redhat
advisories |
| ||||||||||||||||
rpms |
|
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 26605 CVE ID:CVE-2007-6063 CNCVE ID:CNCVE-20076063 Linux是一款开放源代码的操作系统。 Linux包含的'isdn_net_setcfg()'函数存在设计错误,本地攻击者可以利用漏洞进行缓冲区溢出攻击,可能提升特权。 在isdn_ioctl函数中会调用isdn_net_setcfg: isdn_ioctl (drivers/isdn/i4l/isdn_common.c): 1270 isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg) ... ... 1410 case IIOCNETSCF: 1411 /* Set configurable parameters of a network-interface */ 1412 if (arg) { 1413 if (copy_from_user(&cfg, argp, sizeof(cfg))) *** <- cfg is user-controlled 1414 return -EFAULT; 1415 return isdn_net_setcfg(&cfg); *** <- call isdn_net_setcfg() 1416 } else 1417 return -EINVAL; ... 在1413行,'cfg'从用户空间读取,因此'cfg'可用户可控的数值。在1415行中,isdn_net_setcfg()被调用,'&cfg'作为参数传递给isdn_net_setcfg(): 2664 isdn_net_setcfg(isdn_net_ioctl_cfg * cfg) 2665 { ... 2777 if (cfg->exclusive > 0) { 2778 unsigned long flags; 2779 2780 /* If binding is exclusive, try to grab the channel */ 2781 spin_lock_irqsave(&dev->lock, flags); 2782 if ((i = isdn_get_free_channel(ISDN_USAGE_NET, 2783 lp->l2_proto, lp->l3_proto, drvidx, 2784 chidx, lp->msn)) < 0) { 2785 /* Grab failed, because desired channel is in use */ 2786 lp->exclusive = -1; 2787 spin_unlock_irqrestore(&dev->lock, flags); 2788 return -EBUSY; 2789 } 2790 /* All went ok, so update isdninfo */ 2791 dev->usage[i] = ISDN_USAGE_EXCLUSIVE; 2792 isdn_info_update(); 2793 spin_unlock_irqrestore(&dev->lock, flags); 2794 lp->exclusive = i; 2795 } else { 2796 /* Non-exclusive binding or unbind. */ 2797 lp->exclusive = -1; 2798 if ((lp->pre_device != -1) && (cfg->exclusive == -1)) { 2799 isdn_unexclusive_channel(lp->pre_device, lp->pre_channel); 2800 isdn_free_channel(lp->pre_device, lp->pre_channel, ISDN_USAGE_NET); 2801 drvidx = -1; 2802 chidx = -1; 2803 } 2804 } 2805 strcpy(lp->msn, cfg->eaz); *** <- Possible overrun of lp->msn by cfg-eaz 2806 lp->pre_device = drvidx; 2807 lp->pre_channel = chidx; 2808 lp->onhtime = cfg->onhtime; 2809 lp->charge = cfg->charge; ... 2884 return -ENODEV; 2885 } 在2805行,strcpy()函数调用,lp->msn参数大小为32,而cfg->eaz为256。由于'*cfg'数据是用户可控制,因此可导致通过cfg->eaz字符串覆盖目标字符串lp->msn。当字符串长度'cfg->eaz'超过32可触发缓冲区溢出。 Linux kernel 2.6.23 目前没有解决方案提供: <a href=http://www.kernel.org/ target=_blank>http://www.kernel.org/</a> |
id | SSV:2527 |
last seen | 2017-11-19 |
modified | 2007-12-04 |
published | 2007-12-04 |
reporter | Root |
title | Linux Kernel ISDN_Net.C本地缓冲区溢出漏洞 |
References
- http://bugzilla.kernel.org/show_bug.cgi?id=9416
- http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00002.html
- http://rhn.redhat.com/errata/RHSA-2008-0055.html
- http://secunia.com/advisories/27842
- http://secunia.com/advisories/27912
- http://secunia.com/advisories/28141
- http://secunia.com/advisories/28706
- http://secunia.com/advisories/28748
- http://secunia.com/advisories/28806
- http://secunia.com/advisories/28971
- http://secunia.com/advisories/29058
- http://secunia.com/advisories/29236
- http://secunia.com/advisories/33201
- http://secunia.com/advisories/33280
- http://www.debian.org/security/2007/dsa-1436
- http://www.debian.org/security/2008/dsa-1503
- http://www.debian.org/security/2008/dsa-1504
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:008
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:112
- http://www.redhat.com/support/errata/RHSA-2008-0154.html
- http://www.redhat.com/support/errata/RHSA-2008-0787.html
- http://www.redhat.com/support/errata/RHSA-2008-0973.html
- http://www.securityfocus.com/bid/26605
- http://www.ubuntu.com/usn/usn-574-1
- http://www.ubuntu.com/usn/usn-578-1
- http://www.vupen.com/english/advisories/2007/4046
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6514
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9846