Vulnerabilities > CVE-2008-1294 - Resource Management Errors vulnerability in Linux Kernel
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Linux kernel 2.6.17, and other versions before 2.6.22, does not check when a user attempts to set RLIMIT_CPU to 0 until after the change is made, which allows local users to bypass intended resource limits.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2008-0612.NASL description Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * a flaw was found in the Linux kernel setrlimit system call, when setting RLIMIT_CPU to a certain value. This could allow a local unprivileged user to bypass the CPU time limit. (CVE-2008-1294, Moderate) * multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) These updated packages fix the following bugs : * the GNU libc stub resolver is a minimal resolver that works with Domain Name System (DNS) servers to satisfy requests from applications for names. The GNU libc stub resolver did not specify a source UDP port, and therefore used predictable port numbers. This could have made DNS spoofing attacks easier. The Linux kernel has been updated to implement random UDP source ports where none are specified by an application. This allows applications, such as those using the GNU libc stub resolver, to use random UDP source ports, helping to make DNS spoofing attacks harder. * when using certain hardware, a bug in UART_BUG_TXEN may have caused incorrect hardware detection, causing data flow to last seen 2020-06-01 modified 2020-06-02 plugin id 43701 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43701 title CentOS 5 : kernel (CESA-2008:0612) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2008:0612 and # CentOS Errata and Security Advisory 2008:0612 respectively. # include("compat.inc"); if (description) { script_id(43701); script_version("1.15"); script_cvs_date("Date: 2019/10/25 13:36:04"); script_cve_id("CVE-2008-1294", "CVE-2008-2136", "CVE-2008-2812"); script_bugtraq_id(29235, 30076); script_xref(name:"RHSA", value:"2008:0612"); script_name(english:"CentOS 5 : kernel (CESA-2008:0612)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * a flaw was found in the Linux kernel setrlimit system call, when setting RLIMIT_CPU to a certain value. This could allow a local unprivileged user to bypass the CPU time limit. (CVE-2008-1294, Moderate) * multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) These updated packages fix the following bugs : * the GNU libc stub resolver is a minimal resolver that works with Domain Name System (DNS) servers to satisfy requests from applications for names. The GNU libc stub resolver did not specify a source UDP port, and therefore used predictable port numbers. This could have made DNS spoofing attacks easier. The Linux kernel has been updated to implement random UDP source ports where none are specified by an application. This allows applications, such as those using the GNU libc stub resolver, to use random UDP source ports, helping to make DNS spoofing attacks harder. * when using certain hardware, a bug in UART_BUG_TXEN may have caused incorrect hardware detection, causing data flow to '/dev/ttyS1' to hang. * a 50-75% drop in NFS server rewrite performance, compared to Red Hat Enterprise Linux 4.6, has been resolved. * due a bug in the fast userspace mutex code, while one thread fetched a pointer, another thread may have removed it, causing the first thread to fetch the wrong pointer, possibly causing a system crash. * on certain Hitachi hardware, removing the 'uhci_hcd' module caused a kernel oops, and the following error : BUG: warning at arch/ia64/kernel/iosapic.c:1001/iosapic_unregister_intr() Even after the 'uhci_hcd' module was reloaded, there was no access to USB devices. As well, on systems that have legacy interrupts, 'acpi_unregister_gsi' incorrectly called 'iosapci_unregister_intr()', causing warning messages to be logged. * when a page was mapped with mmap(), and 'PROT_WRITE' was the only 'prot' argument, the first read of that page caused a segmentation fault. If the page was read after it was written to, no fault occurred. This was incompatible with the Red Hat Enterprise Linux 4 behavior. * due to a NULL pointer dereference in powernowk8_init(), a panic may have occurred. * certain error conditions handled by the bonding sysfs interface could have left rtnl_lock() unbalanced, either by locking and returning without unlocking, or by unlocking when it did not lock, possibly causing a 'kernel: RTNL: assertion failed at net/core/fib_rules.c' error. * the kernel currently expects a maximum of six Machine Check Exception (MCE) banks to be exposed by a CPU. Certain CPUs have 7 or more, which may have caused the MCE to be incorrectly reported. * a race condition in UNIX domain sockets may have caused recv() to return zero. For clusters, this may have caused unexpected failovers. * msgrcv() frequently returned an incorrect 'ERESTARTNOHAND (514)' error number. * on certain Intel Itanium-based systems, when kdump was configured to halt the system after a dump operation, after the 'System halted.' output, the kernel continued to output endless 'soft lockup' messages. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues." ); # https://lists.centos.org/pipermail/centos-announce/2008-August/015181.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?1743cd03" ); # https://lists.centos.org/pipermail/centos-announce/2008-August/015182.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?d3470ba2" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-PAE"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-PAE-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/05/02"); script_set_attribute(attribute:"patch_publication_date", value:"2008/08/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-5", reference:"kernel-2.6.18-92.1.10.el5")) flag++; if (rpm_check(release:"CentOS-5", cpu:"i386", reference:"kernel-PAE-2.6.18-92.1.10.el5")) flag++; if (rpm_check(release:"CentOS-5", cpu:"i386", reference:"kernel-PAE-devel-2.6.18-92.1.10.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"kernel-debug-2.6.18-92.1.10.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"kernel-debug-devel-2.6.18-92.1.10.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"kernel-devel-2.6.18-92.1.10.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"kernel-doc-2.6.18-92.1.10.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"kernel-headers-2.6.18-92.1.10.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"kernel-xen-2.6.18-92.1.10.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"kernel-xen-devel-2.6.18-92.1.10.el5")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-PAE / kernel-PAE-devel / kernel-debug / etc"); }NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2008-2005.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - fix utrace dead_engine ops race - fix ptrace_attach leak - CVE-2007-5093: kernel PWC driver DoS - CVE-2007-6282: IPSec ESP kernel panics - CVE-2007-6712: kernel: infinite loop in highres timers (kernel hang) - CVE-2008-1615: kernel: ptrace: Unprivileged crash on x86_64 %cs corruption - CVE-2008-1294: kernel: setrlimit(RLIMIT_CPUINFO) with zero value doesn last seen 2020-06-01 modified 2020-06-02 plugin id 79447 published 2014-11-26 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79447 title OracleVM 2.1 : kernel (OVMSA-2008-2005) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The package checks in this plugin were extracted from OracleVM # Security Advisory OVMSA-2008-2005. # include("compat.inc"); if (description) { script_id(79447); script_version("1.10"); script_cvs_date("Date: 2019/10/25 13:36:06"); script_cve_id("CVE-2007-3104", "CVE-2007-5093", "CVE-2007-5938", "CVE-2007-6063", "CVE-2007-6282", "CVE-2007-6712", "CVE-2008-0001", "CVE-2008-0598", "CVE-2008-1294", "CVE-2008-1375", "CVE-2008-1615", "CVE-2008-2136", "CVE-2008-2358", "CVE-2008-2812"); script_bugtraq_id(24631, 26605, 27280, 29003, 29081, 29086, 29235, 29603, 29942, 30076); script_name(english:"OracleVM 2.1 : kernel (OVMSA-2008-2005)"); script_summary(english:"Checks the RPM output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote OracleVM host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The remote OracleVM system is missing necessary patches to address critical security updates : - fix utrace dead_engine ops race - fix ptrace_attach leak - CVE-2007-5093: kernel PWC driver DoS - CVE-2007-6282: IPSec ESP kernel panics - CVE-2007-6712: kernel: infinite loop in highres timers (kernel hang) - CVE-2008-1615: kernel: ptrace: Unprivileged crash on x86_64 %cs corruption - CVE-2008-1294: kernel: setrlimit(RLIMIT_CPUINFO) with zero value doesn't inherit properly across children - CVE-2008-2136: kernel: sit memory leak - CVE-2008-2812: kernel: NULL ptr dereference in multiple network drivers due to missing checks in tty code - restore linux-2.6-x86-clear-df-flag-for-signal-handlers.patch - restore linux-2.6-utrace.patch / linux-2.6-xen-utrace.patch - Kernel security erratas for OVM 2.1.2 from bz#5932 : - CVE-2007-6063: isdn: fix possible isdn_net buffer overflows - CVE-2007-3104 Null pointer to an inode in a dentry can cause an oops in sysfs_readdir - CVE-2008-0598: write system call vulnerability - CVE-2008-1375: kernel: race condition in dnotify - CVE-2008-0001: kernel: filesystem corruption by unprivileged user via directory truncation - CVE-2008-2358: dccp: sanity check feature length - CVE-2007-5938: NULL dereference in iwl driver - RHSA-2008:0508: kernel: [x86_64] The string instruction version didn't zero the output on exception. - kernel: clear df flag for signal handlers - fs: missing dput in do_lookup error leaks dentries - sysfs: fix condition check in sysfs_drop_dentry - sysfs: fix race condition around sd->s_dentry - ieee80211: off-by-two integer underflow" ); # https://oss.oracle.com/pipermail/oraclevm-errata/2008-September/000003.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?97ce6a60" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(16, 20, 119, 189, 200, 362, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-BOOT"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-BOOT-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-kdump"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-kdump-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-ovs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-ovs-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/26"); script_set_attribute(attribute:"patch_publication_date", value:"2008/09/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/26"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"OracleVM Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/OracleVM/release"); if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM"); if (! preg(pattern:"^OVS" + "2\.1" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 2.1", "OracleVM " + release); if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu); flag = 0; if (rpm_check(release:"OVS2.1", reference:"kernel-BOOT-2.6.18-8.1.15.1.19.el5")) flag++; if (rpm_check(release:"OVS2.1", reference:"kernel-BOOT-devel-2.6.18-8.1.15.1.19.el5")) flag++; if (rpm_check(release:"OVS2.1", reference:"kernel-kdump-2.6.18-8.1.15.1.19.el5")) flag++; if (rpm_check(release:"OVS2.1", reference:"kernel-kdump-devel-2.6.18-8.1.15.1.19.el5")) flag++; if (rpm_check(release:"OVS2.1", reference:"kernel-ovs-2.6.18-8.1.15.1.19.el5")) flag++; if (rpm_check(release:"OVS2.1", reference:"kernel-ovs-devel-2.6.18-8.1.15.1.19.el5")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-BOOT / kernel-BOOT-devel / kernel-kdump / kernel-kdump-devel / etc"); }NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-6109.NASL description This Linux kernel update for SUSE Linux Enterprise 10 Service Pack 2 fixes various bugs and several security issues. The following security issues were fixed: CVE-2009-0675: The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kernel permits SKFP_CLR_STATS requests only when the CAP_NET_ADMIN capability is absent, instead of when this capability is present, which allows local users to reset the driver statistics, related to an last seen 2020-06-01 modified 2020-06-02 plugin id 41538 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41538 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6109) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2008-0612.NASL description Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * a flaw was found in the Linux kernel setrlimit system call, when setting RLIMIT_CPU to a certain value. This could allow a local unprivileged user to bypass the CPU time limit. (CVE-2008-1294, Moderate) * multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) These updated packages fix the following bugs : * the GNU libc stub resolver is a minimal resolver that works with Domain Name System (DNS) servers to satisfy requests from applications for names. The GNU libc stub resolver did not specify a source UDP port, and therefore used predictable port numbers. This could have made DNS spoofing attacks easier. The Linux kernel has been updated to implement random UDP source ports where none are specified by an application. This allows applications, such as those using the GNU libc stub resolver, to use random UDP source ports, helping to make DNS spoofing attacks harder. * when using certain hardware, a bug in UART_BUG_TXEN may have caused incorrect hardware detection, causing data flow to last seen 2020-06-01 modified 2020-06-02 plugin id 33830 published 2008-08-05 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33830 title RHEL 5 : kernel (RHSA-2008:0612) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1565.NASL description Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-6694 Cyrill Gorcunov reported a NULL pointer dereference in code specific to the CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial of Service (DoS). - CVE-2008-0007 Nick Piggin of SuSE discovered a number of issues in subsystems which register a fault handler for memory mapped areas. This issue can be exploited by local users to achieve a Denial of Service (DoS) and possibly execute arbitrary code. - CVE-2008-1294 David Peer discovered that users could escape administrator imposed cpu time limitations (RLIMIT_CPU) by setting a limit of 0. - CVE-2008-1375 Alexander Viro discovered a race condition in the directory notification subsystem that allows local users to cause a Denial of Service (oops) and possibly result in an escalation of privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 32127 published 2008-05-02 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32127 title Debian DSA-1565-1 : linux-2.6 - several vulnerabilities NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2008-0612.NASL description From Red Hat Security Advisory 2008:0612 : Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * a flaw was found in the Linux kernel setrlimit system call, when setting RLIMIT_CPU to a certain value. This could allow a local unprivileged user to bypass the CPU time limit. (CVE-2008-1294, Moderate) * multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) These updated packages fix the following bugs : * the GNU libc stub resolver is a minimal resolver that works with Domain Name System (DNS) servers to satisfy requests from applications for names. The GNU libc stub resolver did not specify a source UDP port, and therefore used predictable port numbers. This could have made DNS spoofing attacks easier. The Linux kernel has been updated to implement random UDP source ports where none are specified by an application. This allows applications, such as those using the GNU libc stub resolver, to use random UDP source ports, helping to make DNS spoofing attacks harder. * when using certain hardware, a bug in UART_BUG_TXEN may have caused incorrect hardware detection, causing data flow to last seen 2020-06-01 modified 2020-06-02 plugin id 67730 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67730 title Oracle Linux 5 : kernel (ELSA-2008-0612) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-618-1.NASL description It was discovered that the ALSA /proc interface did not write the correct number of bytes when reporting memory allocations. A local attacker might be able to access sensitive kernel memory, leading to a loss of privacy. (CVE-2007-4571) Multiple buffer overflows were discovered in the handling of CIFS filesystems. A malicious CIFS server could cause a client system crash or possibly execute arbitrary code with kernel privileges. (CVE-2007-5904) It was discovered that PowerPC kernels did not correctly handle reporting certain system details. By requesting a specific set of information, a local attacker could cause a system crash resulting in a denial of service. (CVE-2007-6694) It was discovered that some device driver fault handlers did not correctly verify memory ranges. A local attacker could exploit this to access sensitive kernel memory, possibly leading to a loss of privacy. (CVE-2008-0007) It was discovered that CPU resource limits could be bypassed. A malicious local user could exploit this to avoid administratively imposed resource limits. (CVE-2008-1294) A race condition was discovered between dnotify fcntl() and close() in the kernel. If a local attacker performed malicious dnotify requests, they could cause memory consumption leading to a denial of service, or possibly send arbitrary signals to any process. (CVE-2008-1375) On SMP systems, a race condition existed in fcntl(). Local attackers could perform malicious locks, causing system crashes and leading to a denial of service. (CVE-2008-1669). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 33255 published 2008-06-24 reporter Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33255 title Ubuntu 6.06 LTS / 7.04 / 7.10 : linux-source-2.6.15/20/22 vulnerabilities (USN-618-1) NASL family Scientific Linux Local Security Checks NASL id SL_20080804_KERNEL_ON_SL5_X.NASL description These updated packages fix the following security issues : - a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2136, Important) - a flaw was found in the Linux kernel setrlimit system call, when setting RLIMIT_CPU to a certain value. This could allow a local unprivileged user to bypass the CPU time limit. (CVE-2008-1294, Moderate) - multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) These updated packages fix the following bugs : - the GNU libc stub resolver is a minimal resolver that works with Domain Name System (DNS) servers to satisfy requests from applications for names. The GNU libc stub resolver did not specify a source UDP port, and therefore used predictable port numbers. This could have made DNS spoofing attacks easier. The Linux kernel has been updated to implement random UDP source ports where none are specified by an application. This allows applications, such as those using the GNU libc stub resolver, to use random UDP source ports, helping to make DNS spoofing attacks harder. - when using certain hardware, a bug in UART_BUG_TXEN may have caused incorrect hardware detection, causing data flow to last seen 2020-06-01 modified 2020-06-02 plugin id 60459 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60459 title Scientific Linux Security Update : kernel on SL5.x i386/x86_64 NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-6113.NASL description This Linux kernel update for SUSE Linux Enterprise 10 Service Pack 2 fixes various bugs and several security issues. The following security issues were fixed: CVE-2009-0675: The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kernel permits SKFP_CLR_STATS requests only when the CAP_NET_ADMIN capability is absent, instead of when this capability is present, which allows local users to reset the driver statistics, related to an last seen 2020-06-01 modified 2020-06-02 plugin id 59136 published 2012-05-17 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59136 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6113)
Oval
| accepted | 2013-04-29T04:10:23.148-04:00 | ||||||||||||
| class | vulnerability | ||||||||||||
| contributors |
| ||||||||||||
| definition_extensions |
| ||||||||||||
| description | Linux kernel 2.6.17, and other versions before 2.6.22, does not check when a user attempts to set RLIMIT_CPU to 0 until after the change is made, which allows local users to bypass intended resource limits. | ||||||||||||
| family | unix | ||||||||||||
| id | oval:org.mitre.oval:def:10974 | ||||||||||||
| status | accepted | ||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
| title | Linux kernel 2.6.17, and other versions before 2.6.22, does not check when a user attempts to set RLIMIT_CPU to 0 until after the change is made, which allows local users to bypass intended resource limits. | ||||||||||||
| version | 18 |
Redhat
| advisories |
| ||||
| rpms |
|
Statements
| contributor | Tomas Hoger |
| lastmodified | 2009-01-15 |
| organization | Red Hat |
| statement | This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0612.html |
References
- http://bugs.gentoo.org/show_bug.cgi?id=215000
- http://www.securityfocus.com/bid/29004
- http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22
- http://www.ubuntu.com/usn/usn-618-1
- http://www.redhat.com/support/errata/RHSA-2008-0612.html
- http://secunia.com/advisories/30769
- http://secunia.com/advisories/31341
- http://secunia.com/advisories/30018
- http://www.debian.org/security/2008/dsa-1565
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42145
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10974
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commitdiff%3Bh=9926e4c74300c4b31dee007298c6475d33369df0