Vulnerabilities > CVE-2008-1294 - Improper Input Validation vulnerability in Linux Kernel

047910
CVSS 2.1 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
local
low complexity
linux
CWE-20
nessus

Summary

Linux kernel 2.6.17, and other versions before 2.6.22, does not check when a user attempts to set RLIMIT_CPU to 0 until after the change is made, which allows local users to bypass intended resource limits.

Vulnerable Configurations

Part Description Count
OS
Linux
147

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Nessus

  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2008-0612.NASL
    descriptionUpdated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * a flaw was found in the Linux kernel setrlimit system call, when setting RLIMIT_CPU to a certain value. This could allow a local unprivileged user to bypass the CPU time limit. (CVE-2008-1294, Moderate) * multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) These updated packages fix the following bugs : * the GNU libc stub resolver is a minimal resolver that works with Domain Name System (DNS) servers to satisfy requests from applications for names. The GNU libc stub resolver did not specify a source UDP port, and therefore used predictable port numbers. This could have made DNS spoofing attacks easier. The Linux kernel has been updated to implement random UDP source ports where none are specified by an application. This allows applications, such as those using the GNU libc stub resolver, to use random UDP source ports, helping to make DNS spoofing attacks harder. * when using certain hardware, a bug in UART_BUG_TXEN may have caused incorrect hardware detection, causing data flow to
    last seen2020-06-01
    modified2020-06-02
    plugin id43701
    published2010-01-06
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43701
    titleCentOS 5 : kernel (CESA-2008:0612)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2008:0612 and 
    # CentOS Errata and Security Advisory 2008:0612 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(43701);
      script_version("1.15");
      script_cvs_date("Date: 2019/10/25 13:36:04");
    
      script_cve_id("CVE-2008-1294", "CVE-2008-2136", "CVE-2008-2812");
      script_bugtraq_id(29235, 30076);
      script_xref(name:"RHSA", value:"2008:0612");
    
      script_name(english:"CentOS 5 : kernel (CESA-2008:0612)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kernel packages that fix various security issues and several
    bugs are now available for Red Hat Enterprise Linux 5.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    These updated packages fix the following security issues :
    
    * a possible kernel memory leak was found in the Linux kernel Simple
    Internet Transition (SIT) INET6 implementation. This could allow a
    local unprivileged user to cause a denial of service. (CVE-2008-2136,
    Important)
    
    * a flaw was found in the Linux kernel setrlimit system call, when
    setting RLIMIT_CPU to a certain value. This could allow a local
    unprivileged user to bypass the CPU time limit. (CVE-2008-1294,
    Moderate)
    
    * multiple NULL pointer dereferences were found in various Linux
    kernel network drivers. These drivers were missing checks for terminal
    validity, which could allow privilege escalation. (CVE-2008-2812,
    Moderate)
    
    These updated packages fix the following bugs :
    
    * the GNU libc stub resolver is a minimal resolver that works with
    Domain Name System (DNS) servers to satisfy requests from applications
    for names. The GNU libc stub resolver did not specify a source UDP
    port, and therefore used predictable port numbers. This could have
    made DNS spoofing attacks easier.
    
    The Linux kernel has been updated to implement random UDP source ports
    where none are specified by an application. This allows applications,
    such as those using the GNU libc stub resolver, to use random UDP
    source ports, helping to make DNS spoofing attacks harder.
    
    * when using certain hardware, a bug in UART_BUG_TXEN may have caused
    incorrect hardware detection, causing data flow to '/dev/ttyS1' to
    hang.
    
    * a 50-75% drop in NFS server rewrite performance, compared to Red Hat
    Enterprise Linux 4.6, has been resolved.
    
    * due a bug in the fast userspace mutex code, while one thread fetched
    a pointer, another thread may have removed it, causing the first
    thread to fetch the wrong pointer, possibly causing a system crash.
    
    * on certain Hitachi hardware, removing the 'uhci_hcd' module caused a
    kernel oops, and the following error :
    
    BUG: warning at
    arch/ia64/kernel/iosapic.c:1001/iosapic_unregister_intr()
    
    Even after the 'uhci_hcd' module was reloaded, there was no access to
    USB devices. As well, on systems that have legacy interrupts,
    'acpi_unregister_gsi' incorrectly called 'iosapci_unregister_intr()',
    causing warning messages to be logged.
    
    * when a page was mapped with mmap(), and 'PROT_WRITE' was the only
    'prot' argument, the first read of that page caused a segmentation
    fault. If the page was read after it was written to, no fault
    occurred. This was incompatible with the Red Hat Enterprise Linux 4
    behavior.
    
    * due to a NULL pointer dereference in powernowk8_init(), a panic may
    have occurred.
    
    * certain error conditions handled by the bonding sysfs interface
    could have left rtnl_lock() unbalanced, either by locking and
    returning without unlocking, or by unlocking when it did not lock,
    possibly causing a 'kernel: RTNL: assertion failed at
    net/core/fib_rules.c' error.
    
    * the kernel currently expects a maximum of six Machine Check
    Exception (MCE) banks to be exposed by a CPU. Certain CPUs have 7 or
    more, which may have caused the MCE to be incorrectly reported.
    
    * a race condition in UNIX domain sockets may have caused recv() to
    return zero. For clusters, this may have caused unexpected failovers.
    
    * msgrcv() frequently returned an incorrect 'ERESTARTNOHAND (514)'
    error number.
    
    * on certain Intel Itanium-based systems, when kdump was configured to
    halt the system after a dump operation, after the 'System halted.'
    output, the kernel continued to output endless 'soft lockup' messages.
    
    Red Hat Enterprise Linux 5 users are advised to upgrade to these
    updated packages, which contain backported patches to resolve these
    issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-August/015181.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1743cd03"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-August/015182.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d3470ba2"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-PAE");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-PAE-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xen-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/08/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-5", reference:"kernel-2.6.18-92.1.10.el5")) flag++;
    if (rpm_check(release:"CentOS-5", cpu:"i386", reference:"kernel-PAE-2.6.18-92.1.10.el5")) flag++;
    if (rpm_check(release:"CentOS-5", cpu:"i386", reference:"kernel-PAE-devel-2.6.18-92.1.10.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-debug-2.6.18-92.1.10.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-debug-devel-2.6.18-92.1.10.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-devel-2.6.18-92.1.10.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-doc-2.6.18-92.1.10.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-headers-2.6.18-92.1.10.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-xen-2.6.18-92.1.10.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-xen-devel-2.6.18-92.1.10.el5")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-PAE / kernel-PAE-devel / kernel-debug / etc");
    }
    
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2008-2005.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - fix utrace dead_engine ops race - fix ptrace_attach leak - CVE-2007-5093: kernel PWC driver DoS - CVE-2007-6282: IPSec ESP kernel panics - CVE-2007-6712: kernel: infinite loop in highres timers (kernel hang) - CVE-2008-1615: kernel: ptrace: Unprivileged crash on x86_64 %cs corruption - CVE-2008-1294: kernel: setrlimit(RLIMIT_CPUINFO) with zero value doesn
    last seen2020-06-01
    modified2020-06-02
    plugin id79447
    published2014-11-26
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79447
    titleOracleVM 2.1 : kernel (OVMSA-2008-2005)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were extracted from OracleVM
    # Security Advisory OVMSA-2008-2005.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(79447);
      script_version("1.10");
      script_cvs_date("Date: 2019/10/25 13:36:06");
    
      script_cve_id("CVE-2007-3104", "CVE-2007-5093", "CVE-2007-5938", "CVE-2007-6063", "CVE-2007-6282", "CVE-2007-6712", "CVE-2008-0001", "CVE-2008-0598", "CVE-2008-1294", "CVE-2008-1375", "CVE-2008-1615", "CVE-2008-2136", "CVE-2008-2358", "CVE-2008-2812");
      script_bugtraq_id(24631, 26605, 27280, 29003, 29081, 29086, 29235, 29603, 29942, 30076);
    
      script_name(english:"OracleVM 2.1 : kernel (OVMSA-2008-2005)");
      script_summary(english:"Checks the RPM output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote OracleVM host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote OracleVM system is missing necessary patches to address
    critical security updates :
    
      - fix utrace dead_engine ops race
    
      - fix ptrace_attach leak
    
      - CVE-2007-5093: kernel PWC driver DoS
    
      - CVE-2007-6282: IPSec ESP kernel panics
    
      - CVE-2007-6712: kernel: infinite loop in highres timers
        (kernel hang)
    
      - CVE-2008-1615: kernel: ptrace: Unprivileged crash on
        x86_64 %cs corruption
    
      - CVE-2008-1294: kernel: setrlimit(RLIMIT_CPUINFO) with
        zero value doesn't inherit properly across children
    
      - CVE-2008-2136: kernel: sit memory leak
    
      - CVE-2008-2812: kernel: NULL ptr dereference in multiple
        network drivers due to missing checks in tty code
    
      - restore
        linux-2.6-x86-clear-df-flag-for-signal-handlers.patch
    
      - restore linux-2.6-utrace.patch /
        linux-2.6-xen-utrace.patch
    
      - Kernel security erratas for OVM 2.1.2 from bz#5932 :
    
      - CVE-2007-6063: isdn: fix possible isdn_net buffer
        overflows
    
      - CVE-2007-3104 Null pointer to an inode in a dentry can
        cause an oops in sysfs_readdir
    
      - CVE-2008-0598: write system call vulnerability
    
      - CVE-2008-1375: kernel: race condition in dnotify
    
      - CVE-2008-0001: kernel: filesystem corruption by
        unprivileged user via directory truncation
    
      - CVE-2008-2358: dccp: sanity check feature length
    
      - CVE-2007-5938: NULL dereference in iwl driver
    
      - RHSA-2008:0508: kernel: [x86_64] The string instruction
        version didn't zero the output on exception.
    
      - kernel: clear df flag for signal handlers
    
      - fs: missing dput in do_lookup error leaks dentries
    
      - sysfs: fix condition check in sysfs_drop_dentry
    
      - sysfs: fix race condition around sd->s_dentry
    
      - ieee80211: off-by-two integer underflow"
      );
      # https://oss.oracle.com/pipermail/oraclevm-errata/2008-September/000003.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?97ce6a60"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(16, 20, 119, 189, 200, 362, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-BOOT");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-BOOT-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-kdump");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-kdump-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-ovs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-ovs-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/09/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/26");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"OracleVM Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/OracleVM/release");
    if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
    if (! preg(pattern:"^OVS" + "2\.1" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 2.1", "OracleVM " + release);
    if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
    
    flag = 0;
    if (rpm_check(release:"OVS2.1", reference:"kernel-BOOT-2.6.18-8.1.15.1.19.el5")) flag++;
    if (rpm_check(release:"OVS2.1", reference:"kernel-BOOT-devel-2.6.18-8.1.15.1.19.el5")) flag++;
    if (rpm_check(release:"OVS2.1", reference:"kernel-kdump-2.6.18-8.1.15.1.19.el5")) flag++;
    if (rpm_check(release:"OVS2.1", reference:"kernel-kdump-devel-2.6.18-8.1.15.1.19.el5")) flag++;
    if (rpm_check(release:"OVS2.1", reference:"kernel-ovs-2.6.18-8.1.15.1.19.el5")) flag++;
    if (rpm_check(release:"OVS2.1", reference:"kernel-ovs-devel-2.6.18-8.1.15.1.19.el5")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-BOOT / kernel-BOOT-devel / kernel-kdump / kernel-kdump-devel / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_KERNEL-6109.NASL
    descriptionThis Linux kernel update for SUSE Linux Enterprise 10 Service Pack 2 fixes various bugs and several security issues. The following security issues were fixed: CVE-2009-0675: The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kernel permits SKFP_CLR_STATS requests only when the CAP_NET_ADMIN capability is absent, instead of when this capability is present, which allows local users to reset the driver statistics, related to an
    last seen2020-06-01
    modified2020-06-02
    plugin id41538
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41538
    titleSuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6109)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0612.NASL
    descriptionUpdated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * a flaw was found in the Linux kernel setrlimit system call, when setting RLIMIT_CPU to a certain value. This could allow a local unprivileged user to bypass the CPU time limit. (CVE-2008-1294, Moderate) * multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) These updated packages fix the following bugs : * the GNU libc stub resolver is a minimal resolver that works with Domain Name System (DNS) servers to satisfy requests from applications for names. The GNU libc stub resolver did not specify a source UDP port, and therefore used predictable port numbers. This could have made DNS spoofing attacks easier. The Linux kernel has been updated to implement random UDP source ports where none are specified by an application. This allows applications, such as those using the GNU libc stub resolver, to use random UDP source ports, helping to make DNS spoofing attacks harder. * when using certain hardware, a bug in UART_BUG_TXEN may have caused incorrect hardware detection, causing data flow to
    last seen2020-06-01
    modified2020-06-02
    plugin id33830
    published2008-08-05
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33830
    titleRHEL 5 : kernel (RHSA-2008:0612)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1565.NASL
    descriptionSeveral local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-6694 Cyrill Gorcunov reported a NULL pointer dereference in code specific to the CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial of Service (DoS). - CVE-2008-0007 Nick Piggin of SuSE discovered a number of issues in subsystems which register a fault handler for memory mapped areas. This issue can be exploited by local users to achieve a Denial of Service (DoS) and possibly execute arbitrary code. - CVE-2008-1294 David Peer discovered that users could escape administrator imposed cpu time limitations (RLIMIT_CPU) by setting a limit of 0. - CVE-2008-1375 Alexander Viro discovered a race condition in the directory notification subsystem that allows local users to cause a Denial of Service (oops) and possibly result in an escalation of privileges.
    last seen2020-06-01
    modified2020-06-02
    plugin id32127
    published2008-05-02
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/32127
    titleDebian DSA-1565-1 : linux-2.6 - several vulnerabilities
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2008-0612.NASL
    descriptionFrom Red Hat Security Advisory 2008:0612 : Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * a flaw was found in the Linux kernel setrlimit system call, when setting RLIMIT_CPU to a certain value. This could allow a local unprivileged user to bypass the CPU time limit. (CVE-2008-1294, Moderate) * multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) These updated packages fix the following bugs : * the GNU libc stub resolver is a minimal resolver that works with Domain Name System (DNS) servers to satisfy requests from applications for names. The GNU libc stub resolver did not specify a source UDP port, and therefore used predictable port numbers. This could have made DNS spoofing attacks easier. The Linux kernel has been updated to implement random UDP source ports where none are specified by an application. This allows applications, such as those using the GNU libc stub resolver, to use random UDP source ports, helping to make DNS spoofing attacks harder. * when using certain hardware, a bug in UART_BUG_TXEN may have caused incorrect hardware detection, causing data flow to
    last seen2020-06-01
    modified2020-06-02
    plugin id67730
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67730
    titleOracle Linux 5 : kernel (ELSA-2008-0612)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-618-1.NASL
    descriptionIt was discovered that the ALSA /proc interface did not write the correct number of bytes when reporting memory allocations. A local attacker might be able to access sensitive kernel memory, leading to a loss of privacy. (CVE-2007-4571) Multiple buffer overflows were discovered in the handling of CIFS filesystems. A malicious CIFS server could cause a client system crash or possibly execute arbitrary code with kernel privileges. (CVE-2007-5904) It was discovered that PowerPC kernels did not correctly handle reporting certain system details. By requesting a specific set of information, a local attacker could cause a system crash resulting in a denial of service. (CVE-2007-6694) It was discovered that some device driver fault handlers did not correctly verify memory ranges. A local attacker could exploit this to access sensitive kernel memory, possibly leading to a loss of privacy. (CVE-2008-0007) It was discovered that CPU resource limits could be bypassed. A malicious local user could exploit this to avoid administratively imposed resource limits. (CVE-2008-1294) A race condition was discovered between dnotify fcntl() and close() in the kernel. If a local attacker performed malicious dnotify requests, they could cause memory consumption leading to a denial of service, or possibly send arbitrary signals to any process. (CVE-2008-1375) On SMP systems, a race condition existed in fcntl(). Local attackers could perform malicious locks, causing system crashes and leading to a denial of service. (CVE-2008-1669). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33255
    published2008-06-24
    reporterUbuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33255
    titleUbuntu 6.06 LTS / 7.04 / 7.10 : linux-source-2.6.15/20/22 vulnerabilities (USN-618-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20080804_KERNEL_ON_SL5_X.NASL
    descriptionThese updated packages fix the following security issues : - a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2136, Important) - a flaw was found in the Linux kernel setrlimit system call, when setting RLIMIT_CPU to a certain value. This could allow a local unprivileged user to bypass the CPU time limit. (CVE-2008-1294, Moderate) - multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) These updated packages fix the following bugs : - the GNU libc stub resolver is a minimal resolver that works with Domain Name System (DNS) servers to satisfy requests from applications for names. The GNU libc stub resolver did not specify a source UDP port, and therefore used predictable port numbers. This could have made DNS spoofing attacks easier. The Linux kernel has been updated to implement random UDP source ports where none are specified by an application. This allows applications, such as those using the GNU libc stub resolver, to use random UDP source ports, helping to make DNS spoofing attacks harder. - when using certain hardware, a bug in UART_BUG_TXEN may have caused incorrect hardware detection, causing data flow to
    last seen2020-06-01
    modified2020-06-02
    plugin id60459
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60459
    titleScientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL familySuSE Local Security Checks
    NASL idSUSE_KERNEL-6113.NASL
    descriptionThis Linux kernel update for SUSE Linux Enterprise 10 Service Pack 2 fixes various bugs and several security issues. The following security issues were fixed: CVE-2009-0675: The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kernel permits SKFP_CLR_STATS requests only when the CAP_NET_ADMIN capability is absent, instead of when this capability is present, which allows local users to reset the driver statistics, related to an
    last seen2020-06-01
    modified2020-06-02
    plugin id59136
    published2012-05-17
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59136
    titleSuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6113)

Oval

accepted2013-04-29T04:10:23.148-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionLinux kernel 2.6.17, and other versions before 2.6.22, does not check when a user attempts to set RLIMIT_CPU to 0 until after the change is made, which allows local users to bypass intended resource limits.
familyunix
idoval:org.mitre.oval:def:10974
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleLinux kernel 2.6.17, and other versions before 2.6.22, does not check when a user attempts to set RLIMIT_CPU to 0 until after the change is made, which allows local users to bypass intended resource limits.
version18

Redhat

advisories
rhsa
idRHSA-2008:0612
rpms
  • kernel-0:2.6.18-92.1.10.el5
  • kernel-PAE-0:2.6.18-92.1.10.el5
  • kernel-PAE-debuginfo-0:2.6.18-92.1.10.el5
  • kernel-PAE-devel-0:2.6.18-92.1.10.el5
  • kernel-debug-0:2.6.18-92.1.10.el5
  • kernel-debug-debuginfo-0:2.6.18-92.1.10.el5
  • kernel-debug-devel-0:2.6.18-92.1.10.el5
  • kernel-debuginfo-0:2.6.18-92.1.10.el5
  • kernel-debuginfo-common-0:2.6.18-92.1.10.el5
  • kernel-devel-0:2.6.18-92.1.10.el5
  • kernel-doc-0:2.6.18-92.1.10.el5
  • kernel-headers-0:2.6.18-92.1.10.el5
  • kernel-kdump-0:2.6.18-92.1.10.el5
  • kernel-kdump-debuginfo-0:2.6.18-92.1.10.el5
  • kernel-kdump-devel-0:2.6.18-92.1.10.el5
  • kernel-xen-0:2.6.18-92.1.10.el5
  • kernel-xen-debuginfo-0:2.6.18-92.1.10.el5
  • kernel-xen-devel-0:2.6.18-92.1.10.el5

Statements

contributorTomas Hoger
lastmodified2009-01-15
organizationRed Hat
statementThis issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0612.html