Vulnerabilities > CVE-2008-3276 - Numeric Errors vulnerability in Linux Kernel

047910
CVSS 7.1 - HIGH
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
linux
CWE-189
nessus

Summary

Integer overflow in the dccp_setsockopt_change function in net/dccp/proto.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.17-rc1 through 2.6.26.2 allows remote attackers to cause a denial of service (panic) via a crafted integer value, related to Change L and Change R options without at least one byte in the dccpsf_val field.

Vulnerable Configurations

Part Description Count
OS
Linux
126

Common Weakness Enumeration (CWE)

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_KERNEL-080822.NASL
    descriptionThe openSUSE 11.0 kernel was updated to 2.6.25.16. It fixes various stability bugs and also security bugs. CVE-2008-1673: Fixed the range checking in the ASN.1 decoder in NAT for SNMP and CIFS, which could have been used by a remote attacker to crash the machine. CVE-2008-3276: An integer overflow flaw was found in the Linux kernel dccp_setsockopt_change() function. An attacker may leverage this vulnerability to trigger a kernel panic on a victim
    last seen2020-06-01
    modified2020-06-02
    plugin id40009
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40009
    titleopenSUSE Security Update : kernel (kernel-171)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update kernel-171.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(40009);
      script_version("1.11");
      script_cvs_date("Date: 2019/10/25 13:36:31");
    
      script_cve_id("CVE-2008-1673", "CVE-2008-3272", "CVE-2008-3275", "CVE-2008-3276");
    
      script_name(english:"openSUSE Security Update : kernel (kernel-171)");
      script_summary(english:"Check for the kernel-171 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The openSUSE 11.0 kernel was updated to 2.6.25.16.
    
    It fixes various stability bugs and also security bugs.
    
    CVE-2008-1673: Fixed the range checking in the ASN.1 decoder in NAT
    for SNMP and CIFS, which could have been used by a remote attacker to
    crash the machine.
    
    CVE-2008-3276: An integer overflow flaw was found in the Linux kernel
    dccp_setsockopt_change() function. An attacker may leverage this
    vulnerability to trigger a kernel panic on a victim's machine
    remotely.
    
    CVE-2008-3272: The snd_seq_oss_synth_make_info function in
    sound/core/seq/oss/seq_oss_synth.c in the sound subsystem does not
    verify that the device number is within the range defined by
    max_synthdev before returning certain data to the caller, which allows
    local users to obtain sensitive information.
    
    CVE-2008-3275: The (1) real_lookup and (2) __lookup_hash functions in
    fs/namei.c in the vfs implementation do not prevent creation of a
    child dentry for a deleted (aka S_DEAD) directory, which allows local
    users to cause a denial of service ('overflow' of the UBIFS orphan
    area) via a series of attempted file creations within deleted
    directories.
    
    Also lots of bugs were fixed."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=216857"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=374099"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=394667"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=400815"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=400874"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=404892"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=406637"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=407689"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=408734"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=412823"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=415607"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=415690"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=417505"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(119, 189, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-rt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-rt_debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-syms");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/08/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.0", reference:"kernel-debug-2.6.25.16-0.1") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"kernel-default-2.6.25.16-0.1") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"kernel-pae-2.6.25.16-0.1") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"kernel-rt-2.6.25.16-0.1") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"kernel-rt_debug-2.6.25.16-0.1") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"kernel-source-2.6.25.16-0.1") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"kernel-syms-2.6.25.16-0.1") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"kernel-vanilla-2.6.25.16-0.1") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"kernel-xen-2.6.25.16-0.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-debug / kernel-default / kernel-pae / kernel-rt / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_KERNEL-5700.NASL
    descriptionThe openSUSE 10.3 kernel was update to 2.6.22.19. This includes bugs and security fixes. CVE-2008-4576: Fixed a crash in SCTP INIT-ACK, on mismatch between SCTP AUTH availability. This might be exploited remotely for a denial of service (crash) attack. CVE-2008-3528: The ext[234] filesystem code fails to properly handle corrupted data structures. With a mounted filesystem image or partition that have corrupted dir->i_size and dir->i_blocks, a user performing either a read or write operation on the mounted image or partition can lead to a possible denial of service by spamming the logfile. CVE-2007-6716: fs/direct-io.c in the dio subsystem in the Linux kernel did not properly zero out the dio struct, which allows local users to cause a denial of service (OOPS), as demonstrated by a certain fio test. CVE-2008-3525: Added missing capability checks in sbni_ioctl(). CVE-2008-3272: Fixed range checking in the snd_seq OSS ioctl, which could be used to leak information from the kernel. CVE-2008-3276: An integer overflow flaw was found in the Linux kernel dccp_setsockopt_change() function. An attacker may leverage this vulnerability to trigger a kernel panic on a victim
    last seen2020-06-01
    modified2020-06-02
    plugin id34457
    published2008-10-21
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/34457
    titleopenSUSE 10 Security Update : kernel (kernel-5700)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update kernel-5700.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(34457);
      script_version ("1.9");
      script_cvs_date("Date: 2019/10/25 13:36:32");
    
      script_cve_id("CVE-2007-6716", "CVE-2008-1673", "CVE-2008-2812", "CVE-2008-2826", "CVE-2008-3272", "CVE-2008-3276", "CVE-2008-3525", "CVE-2008-3528", "CVE-2008-4576");
    
      script_name(english:"openSUSE 10 Security Update : kernel (kernel-5700)");
      script_summary(english:"Check for the kernel-5700 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The openSUSE 10.3 kernel was update to 2.6.22.19. This includes bugs
    and security fixes.
    
    CVE-2008-4576: Fixed a crash in SCTP INIT-ACK, on mismatch between
    SCTP AUTH availability. This might be exploited remotely for a denial
    of service (crash) attack.
    
    CVE-2008-3528: The ext[234] filesystem code fails to properly handle
    corrupted data structures. With a mounted filesystem image or
    partition that have corrupted dir->i_size and dir->i_blocks, a user
    performing either a read or write operation on the mounted image or
    partition can lead to a possible denial of service by spamming the
    logfile.
    
    CVE-2007-6716: fs/direct-io.c in the dio subsystem in the Linux kernel
    did not properly zero out the dio struct, which allows local users to
    cause a denial of service (OOPS), as demonstrated by a certain fio
    test.
    
    CVE-2008-3525: Added missing capability checks in sbni_ioctl().
    
    CVE-2008-3272: Fixed range checking in the snd_seq OSS ioctl, which
    could be used to leak information from the kernel.
    
    CVE-2008-3276: An integer overflow flaw was found in the Linux kernel
    dccp_setsockopt_change() function. An attacker may leverage this
    vulnerability to trigger a kernel panic on a victim's machine
    remotely.
    
    CVE-2008-1673: Added range checking in ASN.1 handling for the CIFS and
    SNMP NAT netfilter modules.
    
    CVE-2008-2826: A integer overflow in SCTP was fixed, which might have
    been used by remote attackers to crash the machine or potentially
    execute code.
    
    CVE-2008-2812: Various NULL ptr checks have been added to tty op
    functions, which might have been used by local attackers to execute
    code. We think that this affects only devices openable by root, so the
    impact is limited."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(20, 119, 189, 264, 287);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-bigsmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-syms");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xenpae");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/10/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/10/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.3", reference:"kernel-bigsmp-2.6.22.19-0.1") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"kernel-debug-2.6.22.19-0.1") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"kernel-default-2.6.22.19-0.1") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"kernel-source-2.6.22.19-0.1") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"kernel-syms-2.6.22.19-0.1") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"kernel-xen-2.6.22.19-0.1") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"kernel-xenpae-2.6.22.19-0.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-bigsmp / kernel-debug / kernel-default / kernel-source / etc");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0957.NASL
    descriptionUpdated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 12th November 2008] The original packages distributed with this errata had a bug which prevented the Xen kernel booting on older hardware. We have updated the packages to correct this bug. The kernel packages contain the Linux kernel, the core of any Linux operating system. * the Xen implementation did not prevent applications running in a para-virtualized guest from modifying CR4 TSC. This could cause a local denial of service. (CVE-2007-5907, Important) * Tavis Ormandy reported missing boundary checks in the Virtual Dynamic Shared Objects (vDSO) implementation. This could allow a local unprivileged user to cause a denial of service or escalate privileges. (CVE-2008-3527, Important) * the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local unprivileged user to obtain access to privileged information. (CVE-2008-4210, CVE-2008-3833, Important) * a flaw was found in the Linux kernel splice implementation. This could cause a local denial of service when there is a certain failure in the add_to_page_cache_lru() function. (CVE-2008-4302, Important) * a flaw was found in the Linux kernel when running on AMD64 systems. During a context switch, EFLAGS were being neither saved nor restored. This could allow a local unprivileged user to cause a denial of service. (CVE-2006-5755, Low) * a flaw was found in the Linux kernel virtual memory implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2372, Low) * an integer overflow was discovered in the Linux kernel Datagram Congestion Control Protocol (DCCP) implementation. This could allow a remote attacker to cause a denial of service. By default, remote DCCP is blocked by SELinux. (CVE-2008-3276, Low) In addition, these updated packages fix the following bugs : * random32() seeding has been improved. * in a multi-core environment, a race between the QP async event-handler and the destro_qp() function could occur. This led to unpredictable results during invalid memory access, which could lead to a kernel crash. * a format string was omitted in the call to the request_module() function. * a stack overflow caused by an infinite recursion bug in the binfmt_misc kernel module was corrected. * the ata_scsi_rbuf_get() and ata_scsi_rbuf_put() functions now check for scatterlist usage before calling kmap_atomic(). * a sentinel NUL byte was added to the device_write() function to ensure that lspace.name is NUL-terminated. * in the character device driver, a range_is_allowed() check was added to the read_mem() and write_mem() functions. It was possible for an illegitimate application to bypass these checks, and access /dev/mem beyond the 1M limit by calling mmap_mem() instead. Also, the parameters of range_is_allowed() were changed to cleanly handle greater than 32-bits of physical address on 32-bit architectures. * some of the newer Nehalem-based systems declare their CPU DSDT entries as type
    last seen2020-06-01
    modified2020-06-02
    plugin id34690
    published2008-11-04
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/34690
    titleRHEL 5 : kernel (RHSA-2008:0957)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2008:0957. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(34690);
      script_version ("1.29");
      script_cvs_date("Date: 2019/10/25 13:36:13");
    
      script_cve_id("CVE-2006-5755", "CVE-2007-5907", "CVE-2008-2372", "CVE-2008-3276", "CVE-2008-3527", "CVE-2008-3833", "CVE-2008-4210", "CVE-2008-4302");
      script_bugtraq_id(31368);
      script_xref(name:"RHSA", value:"2008:0957");
    
      script_name(english:"RHEL 5 : kernel (RHSA-2008:0957)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kernel packages that resolve several security issues and fix
    various bugs are now available for Red Hat Enterprise Linux 5.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    [Updated 12th November 2008] The original packages distributed with
    this errata had a bug which prevented the Xen kernel booting on older
    hardware. We have updated the packages to correct this bug.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    * the Xen implementation did not prevent applications running in a
    para-virtualized guest from modifying CR4 TSC. This could cause a
    local denial of service. (CVE-2007-5907, Important)
    
    * Tavis Ormandy reported missing boundary checks in the Virtual
    Dynamic Shared Objects (vDSO) implementation. This could allow a local
    unprivileged user to cause a denial of service or escalate privileges.
    (CVE-2008-3527, Important)
    
    * the do_truncate() and generic_file_splice_write() functions did not
    clear the setuid and setgid bits. This could allow a local
    unprivileged user to obtain access to privileged information.
    (CVE-2008-4210, CVE-2008-3833, Important)
    
    * a flaw was found in the Linux kernel splice implementation. This
    could cause a local denial of service when there is a certain failure
    in the add_to_page_cache_lru() function. (CVE-2008-4302, Important)
    
    * a flaw was found in the Linux kernel when running on AMD64 systems.
    During a context switch, EFLAGS were being neither saved nor restored.
    This could allow a local unprivileged user to cause a denial of
    service. (CVE-2006-5755, Low)
    
    * a flaw was found in the Linux kernel virtual memory implementation.
    This could allow a local unprivileged user to cause a denial of
    service. (CVE-2008-2372, Low)
    
    * an integer overflow was discovered in the Linux kernel Datagram
    Congestion Control Protocol (DCCP) implementation. This could allow a
    remote attacker to cause a denial of service. By default, remote DCCP
    is blocked by SELinux. (CVE-2008-3276, Low)
    
    In addition, these updated packages fix the following bugs :
    
    * random32() seeding has been improved.
    
    * in a multi-core environment, a race between the QP async
    event-handler and the destro_qp() function could occur. This led to
    unpredictable results during invalid memory access, which could lead
    to a kernel crash.
    
    * a format string was omitted in the call to the request_module()
    function.
    
    * a stack overflow caused by an infinite recursion bug in the
    binfmt_misc kernel module was corrected.
    
    * the ata_scsi_rbuf_get() and ata_scsi_rbuf_put() functions now check
    for scatterlist usage before calling kmap_atomic().
    
    * a sentinel NUL byte was added to the device_write() function to
    ensure that lspace.name is NUL-terminated.
    
    * in the character device driver, a range_is_allowed() check was added
    to the read_mem() and write_mem() functions. It was possible for an
    illegitimate application to bypass these checks, and access /dev/mem
    beyond the 1M limit by calling mmap_mem() instead. Also, the
    parameters of range_is_allowed() were changed to cleanly handle
    greater than 32-bits of physical address on 32-bit architectures.
    
    * some of the newer Nehalem-based systems declare their CPU DSDT
    entries as type 'Alias'. During boot, this caused an 'Error attaching
    device data' message to be logged.
    
    * the evtchn event channel device lacked locks and memory barriers.
    This has led to xenstore becoming unresponsive on the Itanium(r)
    architecture.
    
    * sending of gratuitous ARP packets in the Xen frontend network driver
    is now delayed until the backend signals that its carrier status has
    been processed by the stack.
    
    * on forcedeth devices, whenever setting ethtool parameters for link
    speed, the device could stop receiving interrupts.
    
    * the CIFS 'forcedirectio' option did not allow text to be appended to
    files.
    
    * the gettimeofday() function returned a backwards time on Intel(r) 64.
    
    * residual-count corrections during UNDERRUN handling were added to
    the qla2xxx driver.
    
    * the fix for a small quirk was removed for certain Adaptec
    controllers for which it caused problems.
    
    * the 'xm trigger init' command caused a domain panic if a userland
    application was running on a guest on the Intel(r) 64 architecture.
    
    Users of kernel should upgrade to these updated packages, which
    contain backported patches to correct these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-5755"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-5907"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-2372"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-3276"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-3527"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-3833"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-4210"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-4302"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2008:0957"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(20, 189, 264, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-PAE");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-PAE-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xen-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/11/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2006-5755", "CVE-2007-5907", "CVE-2008-2372", "CVE-2008-3276", "CVE-2008-3527", "CVE-2008-3833", "CVE-2008-4210", "CVE-2008-4302");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2008:0957");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2008:0957";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-PAE-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-PAE-devel-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-debug-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-debug-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-debug-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-debug-devel-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-debug-devel-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-debug-devel-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-devel-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-devel-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-devel-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", reference:"kernel-doc-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"kernel-headers-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-headers-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-headers-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-kdump-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-kdump-devel-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-xen-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-xen-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-xen-devel-2.6.18-92.1.18.el5")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-xen-devel-2.6.18-92.1.18.el5")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-PAE / kernel-PAE-devel / kernel-debug / etc");
      }
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20081104_KERNEL_ON_SL5_X.NASL
    description - the Xen implementation did not prevent applications running in a para-virtualized guest from modifying CR4 TSC. This could cause a local denial of service. (CVE-2007-5907, Important) - Tavis Ormandy reported missing boundary checks in the Virtual Dynamic Shared Objects (vDSO) implementation. This could allow a local unprivileged user to cause a denial of service or escalate privileges. (CVE-2008-3527, Important) - the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local unprivileged user to obtain access to privileged information. (CVE-2008-4210, CVE-2008-3833, Important) - a flaw was found in the Linux kernel splice implementation. This could cause a local denial of service when there is a certain failure in the add_to_page_cache_lru() function. (CVE-2008-4302, Important) - a flaw was found in the Linux kernel when running on AMD64 systems. During a context switch, EFLAGS were being neither saved nor restored. This could allow a local unprivileged user to cause a denial of service. (CVE-2006-5755, Low) - a flaw was found in the Linux kernel virtual memory implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2372, Low) - an integer overflow was discovered in the Linux kernel Datagram Congestion Control Protocol (DCCP) implementation. This could allow a remote attacker to cause a denial of service. By default, remote DCCP is blocked by SELinux. (CVE-2008-3276, Low) In addition, these updated packages fix the following bugs : - random32() seeding has been improved. - in a multi-core environment, a race between the QP async event-handler and the destro_qp() function could occur. This led to unpredictable results during invalid memory access, which could lead to a kernel crash. - a format string was omitted in the call to the request_module() function. - a stack overflow caused by an infinite recursion bug in the binfmt_misc kernel module was corrected. - the ata_scsi_rbuf_get() and ata_scsi_rbuf_put() functions now check for scatterlist usage before calling kmap_atomic(). - a sentinel NUL byte was added to the device_write() function to ensure that lspace.name is NUL-terminated. - in the character device driver, a range_is_allowed() check was added to the read_mem() and write_mem() functions. It was possible for an illegitimate application to bypass these checks, and access /dev/mem beyond the 1M limit by calling mmap_mem() instead. Also, the parameters of range_is_allowed() were changed to cleanly handle greater than 32-bits of physical address on 32-bit architectures. - some of the newer Nehalem-based systems declare their CPU DSDT entries as type
    last seen2020-06-01
    modified2020-06-02
    plugin id60488
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60488
    titleScientific Linux Security Update : kernel on SL5.x i386/x86_64
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(60488);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/25 13:36:17");
    
      script_cve_id("CVE-2006-5755", "CVE-2007-5907", "CVE-2008-2372", "CVE-2008-3276", "CVE-2008-3527", "CVE-2008-3833", "CVE-2008-4210", "CVE-2008-4302");
    
      script_name(english:"Scientific Linux Security Update : kernel on SL5.x i386/x86_64");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - the Xen implementation did not prevent applications
        running in a para-virtualized guest from modifying CR4
        TSC. This could cause a local denial of service.
        (CVE-2007-5907, Important)
    
      - Tavis Ormandy reported missing boundary checks in the
        Virtual Dynamic Shared Objects (vDSO) implementation.
        This could allow a local unprivileged user to cause a
        denial of service or escalate privileges.
        (CVE-2008-3527, Important)
    
      - the do_truncate() and generic_file_splice_write()
        functions did not clear the setuid and setgid bits. This
        could allow a local unprivileged user to obtain access
        to privileged information. (CVE-2008-4210,
        CVE-2008-3833, Important)
    
      - a flaw was found in the Linux kernel splice
        implementation. This could cause a local denial of
        service when there is a certain failure in the
        add_to_page_cache_lru() function. (CVE-2008-4302,
        Important)
    
      - a flaw was found in the Linux kernel when running on
        AMD64 systems. During a context switch, EFLAGS were
        being neither saved nor restored. This could allow a
        local unprivileged user to cause a denial of service.
        (CVE-2006-5755, Low)
    
      - a flaw was found in the Linux kernel virtual memory
        implementation. This could allow a local unprivileged
        user to cause a denial of service. (CVE-2008-2372, Low)
    
      - an integer overflow was discovered in the Linux kernel
        Datagram Congestion Control Protocol (DCCP)
        implementation. This could allow a remote attacker to
        cause a denial of service. By default, remote DCCP is
        blocked by SELinux. (CVE-2008-3276, Low)
    
    In addition, these updated packages fix the following bugs :
    
      - random32() seeding has been improved.
    
      - in a multi-core environment, a race between the QP async
        event-handler and the destro_qp() function could occur.
        This led to unpredictable results during invalid memory
        access, which could lead to a kernel crash.
    
      - a format string was omitted in the call to the
        request_module() function.
    
      - a stack overflow caused by an infinite recursion bug in
        the binfmt_misc kernel module was corrected.
    
      - the ata_scsi_rbuf_get() and ata_scsi_rbuf_put()
        functions now check for scatterlist usage before calling
        kmap_atomic().
    
      - a sentinel NUL byte was added to the device_write()
        function to ensure that lspace.name is NUL-terminated.
    
      - in the character device driver, a range_is_allowed()
        check was added to the read_mem() and write_mem()
        functions. It was possible for an illegitimate
        application to bypass these checks, and access /dev/mem
        beyond the 1M limit by calling mmap_mem() instead. Also,
        the parameters of range_is_allowed() were changed to
        cleanly handle greater than 32-bits of physical address
        on 32-bit architectures.
    
      - some of the newer Nehalem-based systems declare their
        CPU DSDT entries as type 'Alias'. During boot, this
        caused an 'Error attaching device data' message to be
        logged.
    
      - the evtchn event channel device lacked locks and memory
        barriers. This has led to xenstore becoming unresponsive
        on the Itanium&reg; architecture.
    
      - sending of gratuitous ARP packets in the Xen frontend
        network driver is now delayed until the backend signals
        that its carrier status has been processed by the stack.
    
      - on forcedeth devices, whenever setting ethtool
        parameters for link speed, the device could stop
        receiving interrupts.
    
      - the CIFS 'forcedirectio' option did not allow text to be
        appended to files.
    
      - the gettimeofday() function returned a backwards time on
        Intel&reg; 64.
    
      - residual-count corrections during UNDERRUN handling were
        added to the qla2xxx driver.
    
      - the fix for a small quirk was removed for certain
        Adaptec controllers for which it caused problems.
    
      - the 'xm trigger init' command caused a domain panic if a
        userland application was running on a guest on the
        Intel&reg; 64 architecture."
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0811&L=scientific-linux-errata&T=0&P=435
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?fddd7885"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(20, 189, 264, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL5", reference:"kernel-2.6.18-92.1.17.el5")) flag++;
    if (rpm_check(release:"SL5", cpu:"i386", reference:"kernel-PAE-2.6.18-92.1.17.el5")) flag++;
    if (rpm_check(release:"SL5", cpu:"i386", reference:"kernel-PAE-devel-2.6.18-92.1.17.el5")) flag++;
    if (rpm_check(release:"SL5", reference:"kernel-debug-2.6.18-92.1.17.el5")) flag++;
    if (rpm_check(release:"SL5", reference:"kernel-debug-devel-2.6.18-92.1.17.el5")) flag++;
    if (rpm_check(release:"SL5", reference:"kernel-devel-2.6.18-92.1.17.el5")) flag++;
    if (rpm_check(release:"SL5", reference:"kernel-doc-2.6.18-92.1.17.el5")) flag++;
    if (rpm_check(release:"SL5", reference:"kernel-headers-2.6.18-92.1.17.el5")) flag++;
    if (rpm_check(release:"SL5", reference:"kernel-xen-2.6.18-92.1.17.el5")) flag++;
    if (rpm_check(release:"SL5", reference:"kernel-xen-devel-2.6.18-92.1.17.el5")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2008-0957.NASL
    descriptionUpdated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 12th November 2008] The original packages distributed with this errata had a bug which prevented the Xen kernel booting on older hardware. We have updated the packages to correct this bug. The kernel packages contain the Linux kernel, the core of any Linux operating system. * the Xen implementation did not prevent applications running in a para-virtualized guest from modifying CR4 TSC. This could cause a local denial of service. (CVE-2007-5907, Important) * Tavis Ormandy reported missing boundary checks in the Virtual Dynamic Shared Objects (vDSO) implementation. This could allow a local unprivileged user to cause a denial of service or escalate privileges. (CVE-2008-3527, Important) * the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local unprivileged user to obtain access to privileged information. (CVE-2008-4210, CVE-2008-3833, Important) * a flaw was found in the Linux kernel splice implementation. This could cause a local denial of service when there is a certain failure in the add_to_page_cache_lru() function. (CVE-2008-4302, Important) * a flaw was found in the Linux kernel when running on AMD64 systems. During a context switch, EFLAGS were being neither saved nor restored. This could allow a local unprivileged user to cause a denial of service. (CVE-2006-5755, Low) * a flaw was found in the Linux kernel virtual memory implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2372, Low) * an integer overflow was discovered in the Linux kernel Datagram Congestion Control Protocol (DCCP) implementation. This could allow a remote attacker to cause a denial of service. By default, remote DCCP is blocked by SELinux. (CVE-2008-3276, Low) In addition, these updated packages fix the following bugs : * random32() seeding has been improved. * in a multi-core environment, a race between the QP async event-handler and the destro_qp() function could occur. This led to unpredictable results during invalid memory access, which could lead to a kernel crash. * a format string was omitted in the call to the request_module() function. * a stack overflow caused by an infinite recursion bug in the binfmt_misc kernel module was corrected. * the ata_scsi_rbuf_get() and ata_scsi_rbuf_put() functions now check for scatterlist usage before calling kmap_atomic(). * a sentinel NUL byte was added to the device_write() function to ensure that lspace.name is NUL-terminated. * in the character device driver, a range_is_allowed() check was added to the read_mem() and write_mem() functions. It was possible for an illegitimate application to bypass these checks, and access /dev/mem beyond the 1M limit by calling mmap_mem() instead. Also, the parameters of range_is_allowed() were changed to cleanly handle greater than 32-bits of physical address on 32-bit architectures. * some of the newer Nehalem-based systems declare their CPU DSDT entries as type
    last seen2020-06-01
    modified2020-06-02
    plugin id43713
    published2010-01-06
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43713
    titleCentOS 5 : kernel (CESA-2008:0957)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2008:0957 and 
    # CentOS Errata and Security Advisory 2008:0957 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(43713);
      script_version("1.17");
      script_cvs_date("Date: 2019/10/25 13:36:04");
    
      script_cve_id("CVE-2006-5755", "CVE-2007-5907", "CVE-2008-2372", "CVE-2008-3276", "CVE-2008-3527", "CVE-2008-3833", "CVE-2008-4210", "CVE-2008-4302");
      script_bugtraq_id(31368);
      script_xref(name:"RHSA", value:"2008:0957");
    
      script_name(english:"CentOS 5 : kernel (CESA-2008:0957)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kernel packages that resolve several security issues and fix
    various bugs are now available for Red Hat Enterprise Linux 5.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    [Updated 12th November 2008] The original packages distributed with
    this errata had a bug which prevented the Xen kernel booting on older
    hardware. We have updated the packages to correct this bug.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    * the Xen implementation did not prevent applications running in a
    para-virtualized guest from modifying CR4 TSC. This could cause a
    local denial of service. (CVE-2007-5907, Important)
    
    * Tavis Ormandy reported missing boundary checks in the Virtual
    Dynamic Shared Objects (vDSO) implementation. This could allow a local
    unprivileged user to cause a denial of service or escalate privileges.
    (CVE-2008-3527, Important)
    
    * the do_truncate() and generic_file_splice_write() functions did not
    clear the setuid and setgid bits. This could allow a local
    unprivileged user to obtain access to privileged information.
    (CVE-2008-4210, CVE-2008-3833, Important)
    
    * a flaw was found in the Linux kernel splice implementation. This
    could cause a local denial of service when there is a certain failure
    in the add_to_page_cache_lru() function. (CVE-2008-4302, Important)
    
    * a flaw was found in the Linux kernel when running on AMD64 systems.
    During a context switch, EFLAGS were being neither saved nor restored.
    This could allow a local unprivileged user to cause a denial of
    service. (CVE-2006-5755, Low)
    
    * a flaw was found in the Linux kernel virtual memory implementation.
    This could allow a local unprivileged user to cause a denial of
    service. (CVE-2008-2372, Low)
    
    * an integer overflow was discovered in the Linux kernel Datagram
    Congestion Control Protocol (DCCP) implementation. This could allow a
    remote attacker to cause a denial of service. By default, remote DCCP
    is blocked by SELinux. (CVE-2008-3276, Low)
    
    In addition, these updated packages fix the following bugs :
    
    * random32() seeding has been improved.
    
    * in a multi-core environment, a race between the QP async
    event-handler and the destro_qp() function could occur. This led to
    unpredictable results during invalid memory access, which could lead
    to a kernel crash.
    
    * a format string was omitted in the call to the request_module()
    function.
    
    * a stack overflow caused by an infinite recursion bug in the
    binfmt_misc kernel module was corrected.
    
    * the ata_scsi_rbuf_get() and ata_scsi_rbuf_put() functions now check
    for scatterlist usage before calling kmap_atomic().
    
    * a sentinel NUL byte was added to the device_write() function to
    ensure that lspace.name is NUL-terminated.
    
    * in the character device driver, a range_is_allowed() check was added
    to the read_mem() and write_mem() functions. It was possible for an
    illegitimate application to bypass these checks, and access /dev/mem
    beyond the 1M limit by calling mmap_mem() instead. Also, the
    parameters of range_is_allowed() were changed to cleanly handle
    greater than 32-bits of physical address on 32-bit architectures.
    
    * some of the newer Nehalem-based systems declare their CPU DSDT
    entries as type 'Alias'. During boot, this caused an 'Error attaching
    device data' message to be logged.
    
    * the evtchn event channel device lacked locks and memory barriers.
    This has led to xenstore becoming unresponsive on the Itanium(r)
    architecture.
    
    * sending of gratuitous ARP packets in the Xen frontend network driver
    is now delayed until the backend signals that its carrier status has
    been processed by the stack.
    
    * on forcedeth devices, whenever setting ethtool parameters for link
    speed, the device could stop receiving interrupts.
    
    * the CIFS 'forcedirectio' option did not allow text to be appended to
    files.
    
    * the gettimeofday() function returned a backwards time on Intel(r) 64.
    
    * residual-count corrections during UNDERRUN handling were added to
    the qla2xxx driver.
    
    * the fix for a small quirk was removed for certain Adaptec
    controllers for which it caused problems.
    
    * the 'xm trigger init' command caused a domain panic if a userland
    application was running on a guest on the Intel(r) 64 architecture.
    
    Users of kernel should upgrade to these updated packages, which
    contain backported patches to correct these issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-November/015397.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?744cf616"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-November/015398.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b3f56c35"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(20, 189, 264, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-PAE");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-PAE-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xen-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-5", reference:"kernel-2.6.18-92.1.18.el5")) flag++;
    if (rpm_check(release:"CentOS-5", cpu:"i386", reference:"kernel-PAE-2.6.18-92.1.18.el5")) flag++;
    if (rpm_check(release:"CentOS-5", cpu:"i386", reference:"kernel-PAE-devel-2.6.18-92.1.18.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-debug-2.6.18-92.1.18.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-debug-devel-2.6.18-92.1.18.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-devel-2.6.18-92.1.18.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-doc-2.6.18-92.1.18.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-headers-2.6.18-92.1.18.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-xen-2.6.18-92.1.18.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-xen-devel-2.6.18-92.1.18.el5")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-PAE / kernel-PAE-devel / kernel-debug / etc");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1653.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-6716 Joe Jin reported a local denial of service vulnerability that allows system users to trigger an oops due to an improperly initialized data structure. - CVE-2008-1514 Jan Kratochvil reported a local denial of service vulnerability in the ptrace interface for the s390 architecture. Local users can trigger an invalid pointer dereference, leading to a system panic. - CVE-2008-3276 Eugene Teo reported an integer overflow in the DCCP subsystem that may allow remote attackers to cause a denial of service in the form of a kernel panic. - CVE-2008-3525 Eugene Teo reported a lack of capability checks in the kernel driver for Granch SBNI12 leased line adapters (sbni), allowing local users to perform privileged operations. - CVE-2008-3833 The S_ISUID/S_ISGID bits were not being cleared during an inode splice, which, under certain conditions, can be exploited by local users to obtain the privileges of a group for which they are not a member. Mark Fasheh reported this issue. - CVE-2008-4210 David Watson reported an issue in the open()/creat() system calls which, under certain conditions, can be exploited by local users to obtain the privileges of a group for which they are not a member. - CVE-2008-4302 A coding error in the splice subsystem allows local users to attempt to unlock a page structure that has not been locked, resulting in a system crash.
    last seen2020-06-01
    modified2020-06-02
    plugin id34392
    published2008-10-14
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/34392
    titleDebian DSA-1653-1 : linux-2.6 - denial of service/privilege escalation
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1653. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(34392);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:21");
    
      script_cve_id("CVE-2007-6716", "CVE-2008-1514", "CVE-2008-3276", "CVE-2008-3525", "CVE-2008-3833", "CVE-2008-4210", "CVE-2008-4302");
      script_bugtraq_id(31177, 31368, 31515);
      script_xref(name:"DSA", value:"1653");
    
      script_name(english:"Debian DSA-1653-1 : linux-2.6 - denial of service/privilege escalation");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a denial of service or privilege escalation. The Common
    Vulnerabilities and Exposures project identifies the following
    problems :
    
      - CVE-2007-6716
        Joe Jin reported a local denial of service vulnerability
        that allows system users to trigger an oops due to an
        improperly initialized data structure.
    
      - CVE-2008-1514
        Jan Kratochvil reported a local denial of service
        vulnerability in the ptrace interface for the s390
        architecture. Local users can trigger an invalid pointer
        dereference, leading to a system panic.
    
      - CVE-2008-3276
        Eugene Teo reported an integer overflow in the DCCP
        subsystem that may allow remote attackers to cause a
        denial of service in the form of a kernel panic.
    
      - CVE-2008-3525
        Eugene Teo reported a lack of capability checks in the
        kernel driver for Granch SBNI12 leased line adapters
        (sbni), allowing local users to perform privileged
        operations.
    
      - CVE-2008-3833
        The S_ISUID/S_ISGID bits were not being cleared during
        an inode splice, which, under certain conditions, can be
        exploited by local users to obtain the privileges of a
        group for which they are not a member. Mark Fasheh
        reported this issue.
    
      - CVE-2008-4210
        David Watson reported an issue in the open()/creat()
        system calls which, under certain conditions, can be
        exploited by local users to obtain the privileges of a
        group for which they are not a member.
    
      - CVE-2008-4302
        A coding error in the splice subsystem allows local
        users to attempt to unlock a page structure that has not
        been locked, resulting in a system crash."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-6716"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-1514"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-3276"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-3525"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-3833"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-4210"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-4302"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2008/dsa-1653"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the linux-2.6, fai-kernels, and user-mode-linux packages.
    
    For the stable distribution (etch), this problem has been fixed in
    version 2.6.18.dfsg.1-22etch3."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(189, 264, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-2.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/10/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/10/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"4.0", prefix:"fai-kernels", reference:"1.17+etch.22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-doc-2.6.18", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-486", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-686", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-686-bigmem", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-all", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-all-alpha", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-all-amd64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-all-arm", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-all-hppa", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-all-i386", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-all-ia64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-all-mips", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-all-mipsel", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-all-powerpc", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-all-s390", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-all-sparc", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-alpha-generic", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-alpha-legacy", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-alpha-smp", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-amd64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-footbridge", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-iop32x", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-itanium", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-ixp4xx", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-k7", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-mckinley", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-parisc", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-parisc-smp", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-parisc64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-parisc64-smp", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-powerpc", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-powerpc-miboot", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-powerpc-smp", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-powerpc64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-prep", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-qemu", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-r3k-kn02", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-r4k-ip22", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-r4k-kn04", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-r5k-cobalt", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-r5k-ip32", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-rpc", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-s390", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-s390x", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-s3c2410", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-sb1-bcm91250a", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-sb1a-bcm91480b", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-sparc32", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-sparc64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-sparc64-smp", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-vserver", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-vserver-686", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-vserver-alpha", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-vserver-amd64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-vserver-k7", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-vserver-powerpc", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-vserver-powerpc64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-vserver-s390x", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-vserver-sparc64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-xen", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-xen-686", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-xen-amd64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-xen-vserver", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-xen-vserver-686", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.18-6-xen-vserver-amd64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-486", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-686", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-686-bigmem", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-alpha-generic", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-alpha-legacy", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-alpha-smp", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-amd64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-footbridge", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-iop32x", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-itanium", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-ixp4xx", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-k7", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-mckinley", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-parisc", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-parisc-smp", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-parisc64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-parisc64-smp", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-powerpc", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-powerpc-miboot", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-powerpc-smp", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-powerpc64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-prep", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-qemu", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-r3k-kn02", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-r4k-ip22", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-r4k-kn04", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-r5k-cobalt", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-r5k-ip32", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-rpc", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-s390", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-s390-tape", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-s390x", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-s3c2410", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-sb1-bcm91250a", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-sb1a-bcm91480b", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-sparc32", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-sparc64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-sparc64-smp", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-vserver-686", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-vserver-alpha", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-vserver-amd64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-vserver-k7", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-vserver-powerpc", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-vserver-powerpc64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-vserver-s390x", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-vserver-sparc64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-xen-686", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-xen-amd64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-xen-vserver-686", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.18-6-xen-vserver-amd64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-manual-2.6.18", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-modules-2.6.18-6-xen-686", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-modules-2.6.18-6-xen-amd64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-modules-2.6.18-6-xen-vserver-686", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-modules-2.6.18-6-xen-vserver-amd64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-patch-debian-2.6.18", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-source-2.6.18", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-support-2.6.18-6", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-tree-2.6.18", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"user-mode-linux", reference:"2.6.18-1um-2etch.22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"xen-linux-system-2.6.18-6-xen-686", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"xen-linux-system-2.6.18-6-xen-amd64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"xen-linux-system-2.6.18-6-xen-vserver-686", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"xen-linux-system-2.6.18-6-xen-vserver-amd64", reference:"2.6.18.dfsg.1-22etch3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-659-1.NASL
    descriptionIt was discovered that the direct-IO subsystem did not correctly validate certain structures. A local attacker could exploit this to cause a system crash, leading to a denial of service. (CVE-2007-6716) It was discovered that the disabling of the ZERO_PAGE optimization could lead to large memory consumption. A local attacker could exploit this to allocate all available memory, leading to a denial of service. (CVE-2008-2372) It was discovered that the Datagram Congestion Control Protocol (DCCP) did not correctly validate its arguments. If DCCP was in use, a remote attacker could send specially crafted network traffic and cause a system crash, leading to a denial of service. (CVE-2008-3276) It was discovered that the SBNI WAN driver did not correctly check for the NET_ADMIN capability. A malicious local root user lacking CAP_NET_ADMIN would be able to change the WAN device configuration, leading to a denial of service. (CVE-2008-3525) It was discovered that the Stream Control Transmission Protocol (SCTP) did not correctly validate the key length in the SCTP_AUTH_KEY option. If SCTP is in use, a remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2008-3526) It was discovered that the tmpfs implementation did not correctly handle certain sequences of inode operations. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2008-3534) It was discovered that the readv/writev functions did not correctly handle certain sequences of file operations. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2008-3535) It was discovered that SCTP did not correctly validate its userspace arguments. A local attacker could call certain sctp_* functions with malicious options and cause a system crash, leading to a denial of service. (CVE-2008-3792, CVE-2008-4113, CVE-2008-4445) It was discovered the the i915 video driver did not correctly validate memory addresses. A local attacker could exploit this to remap memory that could cause a system crash, leading to a denial of service. (CVE-2008-3831) Johann Dahm and David Richter discovered that NFSv4 did not correctly handle certain file ACLs. If NFSv4 is in use, a local attacker could create a malicious ACL that could cause a system crash, leading to a denial of service. (CVE-2008-3915). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id36681
    published2009-04-23
    reporterUbuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/36681
    titleUbuntu 6.06 LTS / 7.10 / 8.04 LTS : linux, linux-source-2.6.15/22 vulnerabilities (USN-659-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-659-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(36681);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:33:02");
    
      script_cve_id("CVE-2007-6716", "CVE-2008-2372", "CVE-2008-3276", "CVE-2008-3525", "CVE-2008-3526", "CVE-2008-3534", "CVE-2008-3535", "CVE-2008-3792", "CVE-2008-3831", "CVE-2008-3915", "CVE-2008-4113", "CVE-2008-4445");
      script_bugtraq_id(31515, 31792);
      script_xref(name:"USN", value:"659-1");
    
      script_name(english:"Ubuntu 6.06 LTS / 7.10 / 8.04 LTS : linux, linux-source-2.6.15/22 vulnerabilities (USN-659-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the direct-IO subsystem did not correctly
    validate certain structures. A local attacker could exploit this to
    cause a system crash, leading to a denial of service. (CVE-2007-6716)
    
    It was discovered that the disabling of the ZERO_PAGE optimization
    could lead to large memory consumption. A local attacker could exploit
    this to allocate all available memory, leading to a denial of service.
    (CVE-2008-2372)
    
    It was discovered that the Datagram Congestion Control Protocol (DCCP)
    did not correctly validate its arguments. If DCCP was in use, a remote
    attacker could send specially crafted network traffic and cause a
    system crash, leading to a denial of service. (CVE-2008-3276)
    
    It was discovered that the SBNI WAN driver did not correctly check for
    the NET_ADMIN capability. A malicious local root user lacking
    CAP_NET_ADMIN would be able to change the WAN device configuration,
    leading to a denial of service. (CVE-2008-3525)
    
    It was discovered that the Stream Control Transmission Protocol (SCTP)
    did not correctly validate the key length in the SCTP_AUTH_KEY option.
    If SCTP is in use, a remote attacker could send specially crafted
    network traffic that would crash the system, leading to a denial of
    service. (CVE-2008-3526)
    
    It was discovered that the tmpfs implementation did not correctly
    handle certain sequences of inode operations. A local attacker could
    exploit this to crash the system, leading to a denial of service.
    (CVE-2008-3534)
    
    It was discovered that the readv/writev functions did not correctly
    handle certain sequences of file operations. A local attacker could
    exploit this to crash the system, leading to a denial of service.
    (CVE-2008-3535)
    
    It was discovered that SCTP did not correctly validate its userspace
    arguments. A local attacker could call certain sctp_* functions with
    malicious options and cause a system crash, leading to a denial of
    service. (CVE-2008-3792, CVE-2008-4113, CVE-2008-4445)
    
    It was discovered the the i915 video driver did not correctly validate
    memory addresses. A local attacker could exploit this to remap memory
    that could cause a system crash, leading to a denial of service.
    (CVE-2008-3831)
    
    Johann Dahm and David Richter discovered that NFSv4 did not correctly
    handle certain file ACLs. If NFSv4 is in use, a local attacker could
    create a malicious ACL that could cause a system crash, leading to a
    denial of service. (CVE-2008-3915).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/659-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 119, 189, 200, 264, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.15");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.22");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.24");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-686");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-k8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-xeon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-openvz");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-rt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-ume");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-virtual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-686");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-k8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-xeon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-cell");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpia");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpiacompat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-openvz");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-rt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-ume");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-virtual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-libc-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.15");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.22");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.24");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/10/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(6\.06|7\.10|8\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 7.10 / 8.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2007-6716", "CVE-2008-2372", "CVE-2008-3276", "CVE-2008-3525", "CVE-2008-3526", "CVE-2008-3534", "CVE-2008-3535", "CVE-2008-3792", "CVE-2008-3831", "CVE-2008-3915", "CVE-2008-4113", "CVE-2008-4445");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-659-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"6.06", pkgname:"linux-doc-2.6.15", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-52", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-52-386", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-52-686", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-52-amd64-generic", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-52-amd64-k8", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-52-amd64-server", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-52-amd64-xeon", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-52-server", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-52-386", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-52-686", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-52-amd64-generic", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-52-amd64-k8", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-52-amd64-server", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-52-amd64-xeon", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-52-server", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-kernel-devel", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"linux-source-2.6.15", pkgver:"2.6.15-52.73")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-doc-2.6.22", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-headers-2.6.22-15", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-headers-2.6.22-15-386", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-headers-2.6.22-15-generic", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-headers-2.6.22-15-rt", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-headers-2.6.22-15-server", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-headers-2.6.22-15-ume", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-headers-2.6.22-15-virtual", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-headers-2.6.22-15-xen", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-15-386", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-15-cell", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-15-generic", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-15-lpia", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-15-lpiacompat", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-15-rt", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-15-server", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-15-ume", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-15-virtual", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-image-2.6.22-15-xen", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-image-debug-2.6.22-15-386", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-image-debug-2.6.22-15-generic", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-image-debug-2.6.22-15-server", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-image-debug-2.6.22-15-virtual", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-kernel-devel", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-libc-dev", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"linux-source-2.6.22", pkgver:"2.6.22-15.59")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-doc-2.6.24", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-21", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-21-386", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-21-generic", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-21-openvz", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-21-rt", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-21-server", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-21-virtual", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-21-xen", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-21-386", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-21-generic", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-21-lpia", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-21-lpiacompat", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-21-openvz", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-21-rt", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-21-server", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-21-virtual", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-21-xen", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-image-debug-2.6.24-21-386", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-image-debug-2.6.24-21-generic", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-image-debug-2.6.24-21-server", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-image-debug-2.6.24-21-virtual", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-kernel-devel", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-libc-dev", pkgver:"2.6.24-21.43")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"linux-source-2.6.24", pkgver:"2.6.24-21.43")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-doc-2.6.15 / linux-doc-2.6.22 / linux-doc-2.6.24 / etc");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1636.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or leak sensitive data. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-3272 Tobias Klein reported a locally exploitable data leak in the snd_seq_oss_synth_make_info() function. This may allow local users to gain access to sensitive information. - CVE-2008-3275 Zoltan Sogor discovered a coding error in the VFS that allows local users to exploit a kernel memory leak resulting in a denial of service. - CVE-2008-3276 Eugene Teo reported an integer overflow in the DCCP subsystem that may allow remote attackers to cause a denial of service in the form of a kernel panic. - CVE-2008-3526 Eugene Teo reported a missing bounds check in the SCTP subsystem. By exploiting an integer overflow in the SCTP_AUTH_KEY handling code, remote attackers may be able to cause a denial of service in the form of a kernel panic. - CVE-2008-3534 Kel Modderman reported an issue in the tmpfs filesystem that allows local users to crash a system by triggering a kernel BUG() assertion. - CVE-2008-3535 Alexey Dobriyan discovered an off-by-one-error in the iov_iter_advance function which can be exploited by local users to crash a system, resulting in a denial of service. - CVE-2008-3792 Vlad Yasevich reported several NULL pointer reference conditions in the SCTP subsystem that can be triggered by entering sctp-auth codepaths when the AUTH feature is inactive. This may allow attackers to cause a denial of service condition via a system panic. - CVE-2008-3915 Johann Dahm and David Richter reported an issue in the nfsd subsystem that may allow remote attackers to cause a denial of service via a buffer overflow.
    last seen2020-06-01
    modified2020-06-02
    plugin id34171
    published2008-09-12
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/34171
    titleDebian DSA-1636-1 : linux-2.6.24 - denial of service/information leak
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1636. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(34171);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:21");
    
      script_cve_id("CVE-2008-3272", "CVE-2008-3275", "CVE-2008-3276", "CVE-2008-3526", "CVE-2008-3534", "CVE-2008-3535", "CVE-2008-3792", "CVE-2008-3915");
      script_xref(name:"DSA", value:"1636");
    
      script_name(english:"Debian DSA-1636-1 : linux-2.6.24 - denial of service/information leak");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a denial of service or leak sensitive data. The Common
    Vulnerabilities and Exposures project identifies the following
    problems :
    
      - CVE-2008-3272
        Tobias Klein reported a locally exploitable data leak in
        the snd_seq_oss_synth_make_info() function. This may
        allow local users to gain access to sensitive
        information.
    
      - CVE-2008-3275
        Zoltan Sogor discovered a coding error in the VFS that
        allows local users to exploit a kernel memory leak
        resulting in a denial of service.
    
      - CVE-2008-3276
        Eugene Teo reported an integer overflow in the DCCP
        subsystem that may allow remote attackers to cause a
        denial of service in the form of a kernel panic.
    
      - CVE-2008-3526
        Eugene Teo reported a missing bounds check in the SCTP
        subsystem. By exploiting an integer overflow in the
        SCTP_AUTH_KEY handling code, remote attackers may be
        able to cause a denial of service in the form of a
        kernel panic.
    
      - CVE-2008-3534
        Kel Modderman reported an issue in the tmpfs filesystem
        that allows local users to crash a system by triggering
        a kernel BUG() assertion.
    
      - CVE-2008-3535
        Alexey Dobriyan discovered an off-by-one-error in the
        iov_iter_advance function which can be exploited by
        local users to crash a system, resulting in a denial of
        service.
    
      - CVE-2008-3792
        Vlad Yasevich reported several NULL pointer reference
        conditions in the SCTP subsystem that can be triggered
        by entering sctp-auth codepaths when the AUTH feature is
        inactive. This may allow attackers to cause a denial of
        service condition via a system panic.
    
      - CVE-2008-3915
        Johann Dahm and David Richter reported an issue in the
        nfsd subsystem that may allow remote attackers to cause
        a denial of service via a buffer overflow."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-3272"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-3275"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-3276"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-3526"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-3534"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-3535"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-3792"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-3915"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2008/dsa-1636"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the linux-2.6.24 packages.
    
    For the stable distribution (etch), these problems have been fixed in
    version 2.6.24-6~etchnhalf.5."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(119, 189, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-2.6.24");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/09/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/09/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"4.0", prefix:"linux-doc-2.6.24", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-486", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-4kc-malta", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-5kc-malta", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-686", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-686-bigmem", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-alpha", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-amd64", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-arm", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-hppa", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-i386", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-ia64", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-mips", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-mipsel", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-powerpc", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-s390", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-sparc", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-alpha-generic", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-alpha-legacy", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-alpha-smp", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-amd64", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-common", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-footbridge", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-iop32x", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-itanium", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-ixp4xx", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-mckinley", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-parisc", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-parisc-smp", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-parisc64", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-parisc64-smp", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-powerpc", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-powerpc-miboot", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-powerpc-smp", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-powerpc64", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-r4k-ip22", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-r5k-cobalt", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-r5k-ip32", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-s390", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-s390x", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-sb1-bcm91250a", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-sb1a-bcm91480b", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-sparc64", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-sparc64-smp", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-486", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-4kc-malta", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-5kc-malta", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-686", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-686-bigmem", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-alpha-generic", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-alpha-legacy", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-alpha-smp", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-amd64", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-footbridge", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-iop32x", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-itanium", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-ixp4xx", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-mckinley", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-parisc", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-parisc-smp", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-parisc64", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-parisc64-smp", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-powerpc", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-powerpc-miboot", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-powerpc-smp", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-powerpc64", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-r4k-ip22", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-r5k-cobalt", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-r5k-ip32", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-s390", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-s390-tape", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-s390x", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-sb1-bcm91250a", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-sb1a-bcm91480b", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-sparc64", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-sparc64-smp", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-manual-2.6.24", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-patch-debian-2.6.24", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-source-2.6.24", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-support-2.6.24-etchnhalf.1", reference:"2.6.24-6~etchnhalf.5")) flag++;
    if (deb_check(release:"4.0", prefix:"linux-tree-2.6.24", reference:"2.6.24-6~etchnhalf.5")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2008-0957.NASL
    descriptionFrom Red Hat Security Advisory 2008:0957 : Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 12th November 2008] The original packages distributed with this errata had a bug which prevented the Xen kernel booting on older hardware. We have updated the packages to correct this bug. The kernel packages contain the Linux kernel, the core of any Linux operating system. * the Xen implementation did not prevent applications running in a para-virtualized guest from modifying CR4 TSC. This could cause a local denial of service. (CVE-2007-5907, Important) * Tavis Ormandy reported missing boundary checks in the Virtual Dynamic Shared Objects (vDSO) implementation. This could allow a local unprivileged user to cause a denial of service or escalate privileges. (CVE-2008-3527, Important) * the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local unprivileged user to obtain access to privileged information. (CVE-2008-4210, CVE-2008-3833, Important) * a flaw was found in the Linux kernel splice implementation. This could cause a local denial of service when there is a certain failure in the add_to_page_cache_lru() function. (CVE-2008-4302, Important) * a flaw was found in the Linux kernel when running on AMD64 systems. During a context switch, EFLAGS were being neither saved nor restored. This could allow a local unprivileged user to cause a denial of service. (CVE-2006-5755, Low) * a flaw was found in the Linux kernel virtual memory implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2372, Low) * an integer overflow was discovered in the Linux kernel Datagram Congestion Control Protocol (DCCP) implementation. This could allow a remote attacker to cause a denial of service. By default, remote DCCP is blocked by SELinux. (CVE-2008-3276, Low) In addition, these updated packages fix the following bugs : * random32() seeding has been improved. * in a multi-core environment, a race between the QP async event-handler and the destro_qp() function could occur. This led to unpredictable results during invalid memory access, which could lead to a kernel crash. * a format string was omitted in the call to the request_module() function. * a stack overflow caused by an infinite recursion bug in the binfmt_misc kernel module was corrected. * the ata_scsi_rbuf_get() and ata_scsi_rbuf_put() functions now check for scatterlist usage before calling kmap_atomic(). * a sentinel NUL byte was added to the device_write() function to ensure that lspace.name is NUL-terminated. * in the character device driver, a range_is_allowed() check was added to the read_mem() and write_mem() functions. It was possible for an illegitimate application to bypass these checks, and access /dev/mem beyond the 1M limit by calling mmap_mem() instead. Also, the parameters of range_is_allowed() were changed to cleanly handle greater than 32-bits of physical address on 32-bit architectures. * some of the newer Nehalem-based systems declare their CPU DSDT entries as type
    last seen2020-06-01
    modified2020-06-02
    plugin id67758
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67758
    titleOracle Linux 5 : kernel (ELSA-2008-0957)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2008:0957 and 
    # Oracle Linux Security Advisory ELSA-2008-0957 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(67758);
      script_version("1.16");
      script_cvs_date("Date: 2019/10/25 13:36:07");
    
      script_cve_id("CVE-2006-5755", "CVE-2007-5907", "CVE-2008-2372", "CVE-2008-3276", "CVE-2008-3527", "CVE-2008-3833", "CVE-2008-4210", "CVE-2008-4302");
      script_bugtraq_id(31368);
      script_xref(name:"RHSA", value:"2008:0957");
    
      script_name(english:"Oracle Linux 5 : kernel (ELSA-2008-0957)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2008:0957 :
    
    Updated kernel packages that resolve several security issues and fix
    various bugs are now available for Red Hat Enterprise Linux 5.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    [Updated 12th November 2008] The original packages distributed with
    this errata had a bug which prevented the Xen kernel booting on older
    hardware. We have updated the packages to correct this bug.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    * the Xen implementation did not prevent applications running in a
    para-virtualized guest from modifying CR4 TSC. This could cause a
    local denial of service. (CVE-2007-5907, Important)
    
    * Tavis Ormandy reported missing boundary checks in the Virtual
    Dynamic Shared Objects (vDSO) implementation. This could allow a local
    unprivileged user to cause a denial of service or escalate privileges.
    (CVE-2008-3527, Important)
    
    * the do_truncate() and generic_file_splice_write() functions did not
    clear the setuid and setgid bits. This could allow a local
    unprivileged user to obtain access to privileged information.
    (CVE-2008-4210, CVE-2008-3833, Important)
    
    * a flaw was found in the Linux kernel splice implementation. This
    could cause a local denial of service when there is a certain failure
    in the add_to_page_cache_lru() function. (CVE-2008-4302, Important)
    
    * a flaw was found in the Linux kernel when running on AMD64 systems.
    During a context switch, EFLAGS were being neither saved nor restored.
    This could allow a local unprivileged user to cause a denial of
    service. (CVE-2006-5755, Low)
    
    * a flaw was found in the Linux kernel virtual memory implementation.
    This could allow a local unprivileged user to cause a denial of
    service. (CVE-2008-2372, Low)
    
    * an integer overflow was discovered in the Linux kernel Datagram
    Congestion Control Protocol (DCCP) implementation. This could allow a
    remote attacker to cause a denial of service. By default, remote DCCP
    is blocked by SELinux. (CVE-2008-3276, Low)
    
    In addition, these updated packages fix the following bugs :
    
    * random32() seeding has been improved.
    
    * in a multi-core environment, a race between the QP async
    event-handler and the destro_qp() function could occur. This led to
    unpredictable results during invalid memory access, which could lead
    to a kernel crash.
    
    * a format string was omitted in the call to the request_module()
    function.
    
    * a stack overflow caused by an infinite recursion bug in the
    binfmt_misc kernel module was corrected.
    
    * the ata_scsi_rbuf_get() and ata_scsi_rbuf_put() functions now check
    for scatterlist usage before calling kmap_atomic().
    
    * a sentinel NUL byte was added to the device_write() function to
    ensure that lspace.name is NUL-terminated.
    
    * in the character device driver, a range_is_allowed() check was added
    to the read_mem() and write_mem() functions. It was possible for an
    illegitimate application to bypass these checks, and access /dev/mem
    beyond the 1M limit by calling mmap_mem() instead. Also, the
    parameters of range_is_allowed() were changed to cleanly handle
    greater than 32-bits of physical address on 32-bit architectures.
    
    * some of the newer Nehalem-based systems declare their CPU DSDT
    entries as type 'Alias'. During boot, this caused an 'Error attaching
    device data' message to be logged.
    
    * the evtchn event channel device lacked locks and memory barriers.
    This has led to xenstore becoming unresponsive on the Itanium(r)
    architecture.
    
    * sending of gratuitous ARP packets in the Xen frontend network driver
    is now delayed until the backend signals that its carrier status has
    been processed by the stack.
    
    * on forcedeth devices, whenever setting ethtool parameters for link
    speed, the device could stop receiving interrupts.
    
    * the CIFS 'forcedirectio' option did not allow text to be appended to
    files.
    
    * the gettimeofday() function returned a backwards time on Intel(r) 64.
    
    * residual-count corrections during UNDERRUN handling were added to
    the qla2xxx driver.
    
    * the fix for a small quirk was removed for certain Adaptec
    controllers for which it caused problems.
    
    * the 'xm trigger init' command caused a domain panic if a userland
    application was running on a guest on the Intel(r) 64 architecture.
    
    Users of kernel should upgrade to these updated packages, which
    contain backported patches to correct these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2008-November/000785.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(20, 189, 264, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-PAE");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-PAE-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-xen-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2006-5755", "CVE-2007-5907", "CVE-2008-2372", "CVE-2008-3276", "CVE-2008-3527", "CVE-2008-3833", "CVE-2008-4210", "CVE-2008-4302");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2008-0957");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "2.6";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL5", rpm:"kernel-2.6.18") && rpm_check(release:"EL5", reference:"kernel-2.6.18-92.1.17.0.1.el5")) flag++;
    if (rpm_exists(release:"EL5", rpm:"kernel-PAE-2.6.18") && rpm_check(release:"EL5", cpu:"i386", reference:"kernel-PAE-2.6.18-92.1.17.0.1.el5")) flag++;
    if (rpm_exists(release:"EL5", rpm:"kernel-PAE-devel-2.6.18") && rpm_check(release:"EL5", cpu:"i386", reference:"kernel-PAE-devel-2.6.18-92.1.17.0.1.el5")) flag++;
    if (rpm_exists(release:"EL5", rpm:"kernel-debug-2.6.18") && rpm_check(release:"EL5", reference:"kernel-debug-2.6.18-92.1.17.0.1.el5")) flag++;
    if (rpm_exists(release:"EL5", rpm:"kernel-debug-devel-2.6.18") && rpm_check(release:"EL5", reference:"kernel-debug-devel-2.6.18-92.1.17.0.1.el5")) flag++;
    if (rpm_exists(release:"EL5", rpm:"kernel-devel-2.6.18") && rpm_check(release:"EL5", reference:"kernel-devel-2.6.18-92.1.17.0.1.el5")) flag++;
    if (rpm_exists(release:"EL5", rpm:"kernel-doc-2.6.18") && rpm_check(release:"EL5", reference:"kernel-doc-2.6.18-92.1.17.0.1.el5")) flag++;
    if (rpm_exists(release:"EL5", rpm:"kernel-headers-2.6.18") && rpm_check(release:"EL5", reference:"kernel-headers-2.6.18-92.1.17.0.1.el5")) flag++;
    if (rpm_exists(release:"EL5", rpm:"kernel-xen-2.6.18") && rpm_check(release:"EL5", reference:"kernel-xen-2.6.18-92.1.17.0.1.el5")) flag++;
    if (rpm_exists(release:"EL5", rpm:"kernel-xen-devel-2.6.18") && rpm_check(release:"EL5", reference:"kernel-xen-devel-2.6.18-92.1.17.0.1.el5")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    

Oval

accepted2013-04-29T04:14:29.177-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionInteger overflow in the dccp_setsockopt_change function in net/dccp/proto.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.17-rc1 through 2.6.26.2 allows remote attackers to cause a denial of service (panic) via a crafted integer value, related to Change L and Change R options without at least one byte in the dccpsf_val field.
familyunix
idoval:org.mitre.oval:def:11506
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleInteger overflow in the dccp_setsockopt_change function in net/dccp/proto.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.17-rc1 through 2.6.26.2 allows remote attackers to cause a denial of service (panic) via a crafted integer value, related to Change L and Change R options without at least one byte in the dccpsf_val field.
version18

Redhat

advisories
  • rhsa
    idRHSA-2008:0857
  • rhsa
    idRHSA-2008:0957
rpms
  • kernel-rt-0:2.6.24.7-81.el5rt
  • kernel-rt-debug-0:2.6.24.7-81.el5rt
  • kernel-rt-debug-debuginfo-0:2.6.24.7-81.el5rt
  • kernel-rt-debug-devel-0:2.6.24.7-81.el5rt
  • kernel-rt-debuginfo-0:2.6.24.7-81.el5rt
  • kernel-rt-debuginfo-common-0:2.6.24.7-81.el5rt
  • kernel-rt-devel-0:2.6.24.7-81.el5rt
  • kernel-rt-doc-0:2.6.24.7-81.el5rt
  • kernel-rt-trace-0:2.6.24.7-81.el5rt
  • kernel-rt-trace-debuginfo-0:2.6.24.7-81.el5rt
  • kernel-rt-trace-devel-0:2.6.24.7-81.el5rt
  • kernel-rt-vanilla-0:2.6.24.7-81.el5rt
  • kernel-rt-vanilla-debuginfo-0:2.6.24.7-81.el5rt
  • kernel-rt-vanilla-devel-0:2.6.24.7-81.el5rt
  • kernel-0:2.6.18-92.1.18.el5
  • kernel-PAE-0:2.6.18-92.1.18.el5
  • kernel-PAE-debuginfo-0:2.6.18-92.1.18.el5
  • kernel-PAE-devel-0:2.6.18-92.1.18.el5
  • kernel-debug-0:2.6.18-92.1.18.el5
  • kernel-debug-debuginfo-0:2.6.18-92.1.18.el5
  • kernel-debug-devel-0:2.6.18-92.1.18.el5
  • kernel-debuginfo-0:2.6.18-92.1.18.el5
  • kernel-debuginfo-common-0:2.6.18-92.1.18.el5
  • kernel-devel-0:2.6.18-92.1.18.el5
  • kernel-doc-0:2.6.18-92.1.18.el5
  • kernel-headers-0:2.6.18-92.1.18.el5
  • kernel-kdump-0:2.6.18-92.1.18.el5
  • kernel-kdump-debuginfo-0:2.6.18-92.1.18.el5
  • kernel-kdump-devel-0:2.6.18-92.1.18.el5
  • kernel-xen-0:2.6.18-92.1.18.el5
  • kernel-xen-debuginfo-0:2.6.18-92.1.18.el5
  • kernel-xen-devel-0:2.6.18-92.1.18.el5