Vulnerabilities > CVE-2008-4934 - Improper Input Validation vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the Linux kernel before 2.6.28-rc1 does not check a certain return value from the read_mapping_page function before calling kmap, which allows attackers to cause a denial of service (system crash) via a crafted hfsplus filesystem image.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Nessus
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-0014.NASL description From Red Hat Security Advisory 2009:0014 : Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important) * when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service. (CVE-2008-5029, Important) * a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) * a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the last seen 2020-06-01 modified 2020-06-02 plugin id 67790 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67790 title Oracle Linux 4 : kernel (ELSA-2009-0014) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2009:0014 and # Oracle Linux Security Advisory ELSA-2009-0014 respectively. # include("compat.inc"); if (description) { script_id(67790); script_version("1.16"); script_cvs_date("Date: 2019/10/25 13:36:07"); script_cve_id("CVE-2008-3275", "CVE-2008-4933", "CVE-2008-4934", "CVE-2008-5025", "CVE-2008-5029", "CVE-2008-5300", "CVE-2008-5702"); script_bugtraq_id(30647, 32093, 32154, 32289); script_xref(name:"RHSA", value:"2009:0014"); script_name(english:"Oracle Linux 4 : kernel (ELSA-2009-0014)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2009:0014 : Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important) * when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service. (CVE-2008-5029, Important) * a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) * a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the '/dev/watchdog' device is accessible only to the root user. (CVE-2008-5702, Low) * the hfs and hfsplus file systems code failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low) * a flaw was found in the hfsplus file system implementation. This could, potentially, lead to a local denial of service when write operations were performed. (CVE-2008-4934, Low) This update also fixes the following bugs : * when running Red Hat Enterprise Linux 4.6 and 4.7 on some systems running Intel(r) CPUs, the cpuspeed daemon did not run, preventing the CPU speed from being changed, such as not being reduced to an idle state when not in use. * mmap() could be used to gain access to beyond the first megabyte of RAM, due to insufficient checks in the Linux kernel code. Checks have been added to prevent this. * attempting to turn keyboard LEDs on and off rapidly on keyboards with slow keyboard controllers, may have caused key presses to fail. * after migrating a hypervisor guest, the MAC address table was not updated, causing packet loss and preventing network connections to the guest. Now, a gratuitous ARP request is sent after migration. This refreshes the ARP caches, minimizing network downtime. * writing crash dumps with diskdump may have caused a kernel panic on Non-Uniform Memory Access (NUMA) systems with certain memory configurations. * on big-endian systems, such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255, possibly causing memory corruption and application crashes. * a problem in the kernel packages provided by the RHSA-2008:0508 advisory caused the Linux kernel's built-in memory copy procedure to return the wrong error code after recovering from a page fault on AMD64 and Intel 64 systems. This may have caused other Linux kernel functions to return wrong error codes. * a divide-by-zero bug in the Linux kernel process scheduler, which may have caused kernel panics on certain systems, has been resolved. * the netconsole kernel module caused the Linux kernel to hang when slave interfaces of bonded network interfaces were started, resulting in a system hang or kernel panic when restarting the network. * the '/proc/xen/' directory existed even if systems were not running Red Hat Virtualization. This may have caused problems for third-party software that checks virtualization-ability based on the existence of '/proc/xen/'. Note: this update will remove the '/proc/xen/' directory on systems not running Red Hat Virtualization. All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2009-January/000864.html" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 119, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-hugemem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-hugemem-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-largesmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-largesmp-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-smp-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-xenU"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-xenU-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/08/12"); script_set_attribute(attribute:"patch_publication_date", value:"2009/01/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 4", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2008-3275", "CVE-2008-4933", "CVE-2008-4934", "CVE-2008-5025", "CVE-2008-5029", "CVE-2008-5300", "CVE-2008-5702"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2009-0014"); } else { __rpm_report = ksplice_reporting_text(); } } kernel_major_minor = get_kb_item("Host/uname/major_minor"); if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level."); expected_kernel_major_minor = "2.6"; if (kernel_major_minor != expected_kernel_major_minor) audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor); flag = 0; if (rpm_exists(release:"EL4", rpm:"kernel-2.6.9") && rpm_check(release:"EL4", reference:"kernel-2.6.9-78.0.13.0.1.EL")) flag++; if (rpm_exists(release:"EL4", rpm:"kernel-devel-2.6.9") && rpm_check(release:"EL4", reference:"kernel-devel-2.6.9-78.0.13.0.1.EL")) flag++; if (rpm_exists(release:"EL4", rpm:"kernel-doc-2.6.9") && rpm_check(release:"EL4", reference:"kernel-doc-2.6.9-78.0.13.0.1.EL")) flag++; if (rpm_exists(release:"EL4", rpm:"kernel-hugemem-2.6.9") && rpm_check(release:"EL4", cpu:"i386", reference:"kernel-hugemem-2.6.9-78.0.13.0.1.EL")) flag++; if (rpm_exists(release:"EL4", rpm:"kernel-hugemem-devel-2.6.9") && rpm_check(release:"EL4", cpu:"i386", reference:"kernel-hugemem-devel-2.6.9-78.0.13.0.1.EL")) flag++; if (rpm_exists(release:"EL4", rpm:"kernel-largesmp-2.6.9") && rpm_check(release:"EL4", cpu:"ia64", reference:"kernel-largesmp-2.6.9-78.0.13.0.1.EL")) flag++; if (rpm_exists(release:"EL4", rpm:"kernel-largesmp-2.6.9") && rpm_check(release:"EL4", cpu:"x86_64", reference:"kernel-largesmp-2.6.9-78.0.13.0.1.EL")) flag++; if (rpm_exists(release:"EL4", rpm:"kernel-largesmp-devel-2.6.9") && rpm_check(release:"EL4", cpu:"ia64", reference:"kernel-largesmp-devel-2.6.9-78.0.13.0.1.EL")) flag++; if (rpm_exists(release:"EL4", rpm:"kernel-largesmp-devel-2.6.9") && rpm_check(release:"EL4", cpu:"x86_64", reference:"kernel-largesmp-devel-2.6.9-78.0.13.0.1.EL")) flag++; if (rpm_exists(release:"EL4", rpm:"kernel-smp-2.6.9") && rpm_check(release:"EL4", cpu:"i386", reference:"kernel-smp-2.6.9-78.0.13.0.1.EL")) flag++; if (rpm_exists(release:"EL4", rpm:"kernel-smp-2.6.9") && rpm_check(release:"EL4", cpu:"x86_64", reference:"kernel-smp-2.6.9-78.0.13.0.1.EL")) flag++; if (rpm_exists(release:"EL4", rpm:"kernel-smp-devel-2.6.9") && rpm_check(release:"EL4", cpu:"i386", reference:"kernel-smp-devel-2.6.9-78.0.13.0.1.EL")) flag++; if (rpm_exists(release:"EL4", rpm:"kernel-smp-devel-2.6.9") && rpm_check(release:"EL4", cpu:"x86_64", reference:"kernel-smp-devel-2.6.9-78.0.13.0.1.EL")) flag++; if (rpm_exists(release:"EL4", rpm:"kernel-xenU-2.6.9") && rpm_check(release:"EL4", cpu:"i386", reference:"kernel-xenU-2.6.9-78.0.13.0.1.EL")) flag++; if (rpm_exists(release:"EL4", rpm:"kernel-xenU-2.6.9") && rpm_check(release:"EL4", cpu:"x86_64", reference:"kernel-xenU-2.6.9-78.0.13.0.1.EL")) flag++; if (rpm_exists(release:"EL4", rpm:"kernel-xenU-devel-2.6.9") && rpm_check(release:"EL4", cpu:"i386", reference:"kernel-xenU-devel-2.6.9-78.0.13.0.1.EL")) flag++; if (rpm_exists(release:"EL4", rpm:"kernel-xenU-devel-2.6.9") && rpm_check(release:"EL4", cpu:"x86_64", reference:"kernel-xenU-devel-2.6.9-78.0.13.0.1.EL")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-0014.NASL description Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important) * when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service. (CVE-2008-5029, Important) * a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) * a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the last seen 2020-06-01 modified 2020-06-02 plugin id 35381 published 2009-01-15 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35381 title RHEL 4 : kernel (RHSA-2009:0014) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2009:0014. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(35381); script_version ("1.31"); script_cvs_date("Date: 2019/10/25 13:36:13"); script_cve_id("CVE-2008-3275", "CVE-2008-4933", "CVE-2008-4934", "CVE-2008-5025", "CVE-2008-5029", "CVE-2008-5300", "CVE-2008-5702"); script_bugtraq_id(30647, 32093, 32154, 32289); script_xref(name:"RHSA", value:"2009:0014"); script_name(english:"RHEL 4 : kernel (RHSA-2009:0014)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important) * when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service. (CVE-2008-5029, Important) * a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) * a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the '/dev/watchdog' device is accessible only to the root user. (CVE-2008-5702, Low) * the hfs and hfsplus file systems code failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low) * a flaw was found in the hfsplus file system implementation. This could, potentially, lead to a local denial of service when write operations were performed. (CVE-2008-4934, Low) This update also fixes the following bugs : * when running Red Hat Enterprise Linux 4.6 and 4.7 on some systems running Intel(r) CPUs, the cpuspeed daemon did not run, preventing the CPU speed from being changed, such as not being reduced to an idle state when not in use. * mmap() could be used to gain access to beyond the first megabyte of RAM, due to insufficient checks in the Linux kernel code. Checks have been added to prevent this. * attempting to turn keyboard LEDs on and off rapidly on keyboards with slow keyboard controllers, may have caused key presses to fail. * after migrating a hypervisor guest, the MAC address table was not updated, causing packet loss and preventing network connections to the guest. Now, a gratuitous ARP request is sent after migration. This refreshes the ARP caches, minimizing network downtime. * writing crash dumps with diskdump may have caused a kernel panic on Non-Uniform Memory Access (NUMA) systems with certain memory configurations. * on big-endian systems, such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255, possibly causing memory corruption and application crashes. * a problem in the kernel packages provided by the RHSA-2008:0508 advisory caused the Linux kernel's built-in memory copy procedure to return the wrong error code after recovering from a page fault on AMD64 and Intel 64 systems. This may have caused other Linux kernel functions to return wrong error codes. * a divide-by-zero bug in the Linux kernel process scheduler, which may have caused kernel panics on certain systems, has been resolved. * the netconsole kernel module caused the Linux kernel to hang when slave interfaces of bonded network interfaces were started, resulting in a system hang or kernel panic when restarting the network. * the '/proc/xen/' directory existed even if systems were not running Red Hat Virtualization. This may have caused problems for third-party software that checks virtualization-ability based on the existence of '/proc/xen/'. Note: this update will remove the '/proc/xen/' directory on systems not running Red Hat Virtualization. All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-3275" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-4933" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-4934" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-5025" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-5029" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-5300" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-5702" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2009:0014" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 119, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-largesmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-largesmp-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xenU"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xenU-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4.7"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/08/12"); script_set_attribute(attribute:"patch_publication_date", value:"2009/01/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/01/15"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2008-3275", "CVE-2008-4933", "CVE-2008-4934", "CVE-2008-5025", "CVE-2008-5029", "CVE-2008-5300", "CVE-2008-5702"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2009:0014"); } else { __rpm_report = ksplice_reporting_text(); } } yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2009:0014"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL4", reference:"kernel-2.6.9-78.0.13.EL")) flag++; if (rpm_check(release:"RHEL4", reference:"kernel-devel-2.6.9-78.0.13.EL")) flag++; if (rpm_check(release:"RHEL4", reference:"kernel-doc-2.6.9-78.0.13.EL")) flag++; if (rpm_check(release:"RHEL4", cpu:"i686", reference:"kernel-hugemem-2.6.9-78.0.13.EL")) flag++; if (rpm_check(release:"RHEL4", cpu:"i686", reference:"kernel-hugemem-devel-2.6.9-78.0.13.EL")) flag++; if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"kernel-largesmp-2.6.9-78.0.13.EL")) flag++; if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"kernel-largesmp-devel-2.6.9-78.0.13.EL")) flag++; if (rpm_check(release:"RHEL4", cpu:"i686", reference:"kernel-smp-2.6.9-78.0.13.EL")) flag++; if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"kernel-smp-2.6.9-78.0.13.EL")) flag++; if (rpm_check(release:"RHEL4", cpu:"i686", reference:"kernel-smp-devel-2.6.9-78.0.13.EL")) flag++; if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"kernel-smp-devel-2.6.9-78.0.13.EL")) flag++; if (rpm_check(release:"RHEL4", cpu:"i686", reference:"kernel-xenU-2.6.9-78.0.13.EL")) flag++; if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"kernel-xenU-2.6.9-78.0.13.EL")) flag++; if (rpm_check(release:"RHEL4", cpu:"i686", reference:"kernel-xenU-devel-2.6.9-78.0.13.EL")) flag++; if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"kernel-xenU-devel-2.6.9-78.0.13.EL")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-devel / kernel-doc / kernel-hugemem / etc"); } }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1681.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-3528 Eugene Teo reported a local DoS issue in the ext2 and ext3 filesystems. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to output error messages in an infinite loop. - CVE-2008-4554 Milos Szeredi reported that the usage of splice() on files opened with O_APPEND allows users to write to the file at arbitrary offsets, enabling a bypass of possible assumed semantics of the O_APPEND flag. - CVE-2008-4576 Vlad Yasevich reported an issue in the SCTP subsystem that may allow remote users to cause a local DoS by triggering a kernel oops. - CVE-2008-4618 Wei Yongjun reported an issue in the SCTP subsystem that may allow remote users to cause a local DoS by triggering a kernel panic. - CVE-2008-4933 Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to overrun a buffer, resulting in a system oops or memory corruption. - CVE-2008-4934 Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that results in a kernel oops due to an unchecked return value. - CVE-2008-5025 Eric Sesterhenn reported a local DoS issue in the hfs filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a filesystem with a corrupted catalog name length, resulting in a system oops or memory corruption. - CVE-2008-5029 Andrea Bittau reported a DoS issue in the unix socket subsystem that allows a local user to cause memory corruption, resulting in a kernel panic. - CVE-2008-5134 Johannes Berg reported a remote DoS issue in the libertas wireless driver, which can be triggered by a specially crafted beacon/probe response. - CVE-2008-5182 Al Viro reported race conditions in the inotify subsystem that may allow local users to acquire elevated privileges. - CVE-2008-5300 Dann Frazier reported a DoS condition that allows local users to cause the out of memory handler to kill off privileged processes or trigger soft lockups due to a starvation issue in the unix socket subsystem. last seen 2020-06-01 modified 2020-06-02 plugin id 35036 published 2008-12-05 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35036 title Debian DSA-1681-1 : linux-2.6.24 - denial of service/privilege escalation code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1681. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(35036); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:21"); script_cve_id("CVE-2008-3528", "CVE-2008-4554", "CVE-2008-4576", "CVE-2008-4618", "CVE-2008-4933", "CVE-2008-4934", "CVE-2008-5025", "CVE-2008-5029", "CVE-2008-5134", "CVE-2008-5182", "CVE-2008-5300"); script_bugtraq_id(31634, 31903, 32093, 32154, 32289); script_xref(name:"DSA", value:"1681"); script_name(english:"Debian DSA-1681-1 : linux-2.6.24 - denial of service/privilege escalation"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-3528 Eugene Teo reported a local DoS issue in the ext2 and ext3 filesystems. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to output error messages in an infinite loop. - CVE-2008-4554 Milos Szeredi reported that the usage of splice() on files opened with O_APPEND allows users to write to the file at arbitrary offsets, enabling a bypass of possible assumed semantics of the O_APPEND flag. - CVE-2008-4576 Vlad Yasevich reported an issue in the SCTP subsystem that may allow remote users to cause a local DoS by triggering a kernel oops. - CVE-2008-4618 Wei Yongjun reported an issue in the SCTP subsystem that may allow remote users to cause a local DoS by triggering a kernel panic. - CVE-2008-4933 Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to overrun a buffer, resulting in a system oops or memory corruption. - CVE-2008-4934 Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that results in a kernel oops due to an unchecked return value. - CVE-2008-5025 Eric Sesterhenn reported a local DoS issue in the hfs filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a filesystem with a corrupted catalog name length, resulting in a system oops or memory corruption. - CVE-2008-5029 Andrea Bittau reported a DoS issue in the unix socket subsystem that allows a local user to cause memory corruption, resulting in a kernel panic. - CVE-2008-5134 Johannes Berg reported a remote DoS issue in the libertas wireless driver, which can be triggered by a specially crafted beacon/probe response. - CVE-2008-5182 Al Viro reported race conditions in the inotify subsystem that may allow local users to acquire elevated privileges. - CVE-2008-5300 Dann Frazier reported a DoS condition that allows local users to cause the out of memory handler to kill off privileged processes or trigger soft lockups due to a starvation issue in the unix socket subsystem." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-3528" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-4554" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-4576" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-4618" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-4933" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-4934" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-5025" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-5029" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-5134" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-5182" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-5300" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2008/dsa-1681" ); script_set_attribute( attribute:"solution", value: "Upgrade the linux-2.6.24 packages. For the stable distribution (etch), these problems have been fixed in version 2.6.24-6~etchnhalf.7." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 119, 264, 287, 362, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-2.6.24"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/09/27"); script_set_attribute(attribute:"patch_publication_date", value:"2008/12/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/05"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"4.0", prefix:"linux-doc-2.6.24", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-486", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-4kc-malta", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-5kc-malta", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-686", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-686-bigmem", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-alpha", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-amd64", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-arm", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-hppa", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-i386", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-ia64", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-mips", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-mipsel", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-powerpc", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-s390", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-all-sparc", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-alpha-generic", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-alpha-legacy", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-alpha-smp", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-amd64", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-common", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-footbridge", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-iop32x", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-itanium", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-ixp4xx", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-mckinley", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-parisc", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-parisc-smp", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-parisc64", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-parisc64-smp", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-powerpc", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-powerpc-miboot", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-powerpc-smp", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-powerpc64", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-r4k-ip22", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-r5k-cobalt", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-r5k-ip32", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-s390", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-s390x", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-sb1-bcm91250a", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-sb1a-bcm91480b", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-sparc64", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-headers-2.6.24-etchnhalf.1-sparc64-smp", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-486", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-4kc-malta", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-5kc-malta", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-686", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-686-bigmem", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-alpha-generic", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-alpha-legacy", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-alpha-smp", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-amd64", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-footbridge", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-iop32x", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-itanium", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-ixp4xx", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-mckinley", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-parisc", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-parisc-smp", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-parisc64", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-parisc64-smp", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-powerpc", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-powerpc-miboot", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-powerpc-smp", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-powerpc64", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-r4k-ip22", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-r5k-cobalt", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-r5k-ip32", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-s390", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-s390-tape", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-s390x", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-sb1-bcm91250a", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-sb1a-bcm91480b", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-sparc64", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-image-2.6.24-etchnhalf.1-sparc64-smp", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-manual-2.6.24", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-patch-debian-2.6.24", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-source-2.6.24", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-support-2.6.24-etchnhalf.1", reference:"2.6.24-6~etchnhalf.7")) flag++; if (deb_check(release:"4.0", prefix:"linux-tree-2.6.24", reference:"2.6.24-6~etchnhalf.7")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-0264.NASL description Updated kernel packages that resolve several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * a memory leak in keyctl handling. A local user could use this flaw to deplete kernel memory, eventually leading to a denial of service. (CVE-2009-0031, Important) * a buffer overflow in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important) * a flaw when handling heavy network traffic on an SMP system with many cores. An attacker who could send a large amount of network traffic could create a denial of service. (CVE-2008-5713, Important) * the code for the HFS and HFS Plus (HFS+) file systems failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low) * a flaw was found in the HFS Plus (HFS+) file system implementation. This could, potentially, lead to a local denial of service when write operations are performed. (CVE-2008-4934, Low) In addition, these updated packages fix the following bugs : * when using the nfsd daemon in a clustered setup, kernel panics appeared seemingly at random. These panics were caused by a race condition in the device-mapper mirror target. * the clock_gettime(CLOCK_THREAD_CPUTIME_ID, ) syscall returned a smaller timespec value than the result of previous clock_gettime() function execution, which resulted in a negative, and nonsensical, elapsed time value. * nfs_create_rpc_client was called with a last seen 2020-06-01 modified 2020-06-02 plugin id 35645 published 2009-02-12 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35645 title RHEL 5 : kernel (RHSA-2009:0264) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-0014.NASL description Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important) * when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service. (CVE-2008-5029, Important) * a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) * a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the last seen 2020-06-01 modified 2020-06-02 plugin id 43727 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43727 title CentOS 4 : kernel (CESA-2009:0014) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-0264.NASL description From Red Hat Security Advisory 2009:0264 : Updated kernel packages that resolve several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * a memory leak in keyctl handling. A local user could use this flaw to deplete kernel memory, eventually leading to a denial of service. (CVE-2009-0031, Important) * a buffer overflow in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important) * a flaw when handling heavy network traffic on an SMP system with many cores. An attacker who could send a large amount of network traffic could create a denial of service. (CVE-2008-5713, Important) * the code for the HFS and HFS Plus (HFS+) file systems failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low) * a flaw was found in the HFS Plus (HFS+) file system implementation. This could, potentially, lead to a local denial of service when write operations are performed. (CVE-2008-4934, Low) In addition, these updated packages fix the following bugs : * when using the nfsd daemon in a clustered setup, kernel panics appeared seemingly at random. These panics were caused by a race condition in the device-mapper mirror target. * the clock_gettime(CLOCK_THREAD_CPUTIME_ID, ) syscall returned a smaller timespec value than the result of previous clock_gettime() function execution, which resulted in a negative, and nonsensical, elapsed time value. * nfs_create_rpc_client was called with a last seen 2020-06-01 modified 2020-06-02 plugin id 67800 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67800 title Oracle Linux 5 : kernel (ELSA-2009-0264) NASL family Scientific Linux Local Security Checks NASL id SL_20090114_KERNEL_ON_SL4_X.NASL description This update addresses the following security issues : - the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important) - when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service. (CVE-2008-5029, Important) - a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) - a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the last seen 2020-06-01 modified 2020-06-02 plugin id 60520 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60520 title Scientific Linux Security Update : kernel on SL4.x i386/x86_64 NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-234.NASL description Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : Buffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfsplus filesystem image with an invalid catalog namelength field, related to the hfsplus_cat_build_key_uni function. (CVE-2008-4933) The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the Linux kernel before 2.6.28-rc1 does not check a certain return value from the read_mapping_page function before calling kmap, which allows attackers to cause a denial of service (system crash) via a crafted hfsplus filesystem image. (CVE-2008-4934) The __scm_destroy function in net/core/scm.c in the Linux kernel 2.6.27.4, 2.6.26, and earlier makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors. (CVE-2008-5029) Additionaly, support for a broadcom bluetooth dongle was added to btusb driver, an eeepc shutdown hang caused by snd-hda-intel was fixed, a Realtek auto-mute bug was fixed, the pcspkr driver was reenabled, an acpi brightness setting issue on some laptops was fixed, sata_nv (NVidia) driver bugs were fixed, horizontal mousewheel scrolling with Logitech V150 mouse was fixed, and more. Check the changelog and related bugs for more details. This kernel also fixes the driver for Intel G45/GM45 video chipsets, in a way requiring also an updated Xorg driver, which is also being provided in this update. To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate last seen 2020-06-01 modified 2020-06-02 plugin id 38027 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/38027 title Mandriva Linux Security Advisory : kernel (MDVSA-2008:234) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-679-1.NASL description It was discovered that the Xen hypervisor block driver did not correctly validate requests. A user with root privileges in a guest OS could make a malicious IO request with a large number of blocks that would crash the host OS, leading to a denial of service. This only affected Ubuntu 7.10. (CVE-2007-5498) It was discovered the the i915 video driver did not correctly validate memory addresses. A local attacker could exploit this to remap memory that could cause a system crash, leading to a denial of service. This issue did not affect Ubuntu 6.06 and was previous fixed for Ubuntu 7.10 and 8.04 in USN-659-1. Ubuntu 8.10 has now been corrected as well. (CVE-2008-3831) David Watson discovered that the kernel did not correctly strip permissions when creating files in setgid directories. A local user could exploit this to gain additional group privileges. This issue only affected Ubuntu 6.06. (CVE-2008-4210) Olaf Kirch and Miklos Szeredi discovered that the Linux kernel did not correctly reject the last seen 2020-06-01 modified 2020-06-02 plugin id 37683 published 2009-04-23 reporter Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/37683 title Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : linux, linux-source-2.6.15/22 vulnerabilities (USN-679-1) NASL family Scientific Linux Local Security Checks NASL id SL_20090210_KERNEL_ON_SL5_X.NASL description This update addresses the following security issues : - a memory leak in keyctl handling. A local user could use this flaw to deplete kernel memory, eventually leading to a denial of service. (CVE-2009-0031, Important) - a buffer overflow in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important) - a flaw when handling heavy network traffic on an SMP system with many cores. An attacker who could send a large amount of network traffic could create a denial of service. (CVE-2008-5713, Important) - the code for the HFS and HFS Plus (HFS+) file systems failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low) - a flaw was found in the HFS Plus (HFS+) file system implementation. This could, potentially, lead to a local denial of service when write operations are performed. (CVE-2008-4934, Low) - when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a denial of service issue. (CVE-2008-5029, Important) - a flaw was found in the Asynchronous Transfer Mode (ATM) subsystem. A local, unprivileged user could use the flaw to listen on the same socket more than once, possibly causing a denial of service. (CVE-2008-5079, Important) - a race condition was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 60532 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60532 title Scientific Linux Security Update : kernel on SL5.x i386/x86_64 NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1687.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-3527 Tavis Ormandy reported a local DoS and potential privilege escalation in the Virtual Dynamic Shared Objects (vDSO) implementation. - CVE-2008-3528 Eugene Teo reported a local DoS issue in the ext2 and ext3 filesystems. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to output error messages in an infinite loop. - CVE-2008-4554 Milos Szeredi reported that the usage of splice() on files opened with O_APPEND allows users to write to the file at arbitrary offsets, enabling a bypass of possible assumed semantics of the O_APPEND flag. - CVE-2008-4576 Vlad Yasevich reported an issue in the SCTP subsystem that may allow remote users to cause a local DoS by triggering a kernel oops. - CVE-2008-4933 Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to overrun a buffer, resulting in a system oops or memory corruption. - CVE-2008-4934 Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that results in a kernel oops due to an unchecked return value. - CVE-2008-5025 Eric Sesterhenn reported a local DoS issue in the hfs filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a filesystem with a corrupted catalog name length, resulting in a system oops or memory corruption. - CVE-2008-5029 Andrea Bittau reported a DoS issue in the unix socket subsystem that allows a local user to cause memory corruption, resulting in a kernel panic. - CVE-2008-5079 Hugo Dias reported a DoS condition in the ATM subsystem that can be triggered by a local user by calling the svc_listen function twice on the same socket and reading /proc/net/atm/*vc. - CVE-2008-5182 Al Viro reported race conditions in the inotify subsystem that may allow local users to acquire elevated privileges. - CVE-2008-5300 Dann Frazier reported a DoS condition that allows local users to cause the out of memory handler to kill off privileged processes or trigger soft lockups due to a starvation issue in the unix socket subsystem. last seen 2020-06-01 modified 2020-06-02 plugin id 35174 published 2008-12-16 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35174 title Debian DSA-1687-1 : linux-2.6 - denial of service/privilege escalation
Oval
| accepted | 2013-04-29T04:15:08.457-04:00 | ||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||
| description | The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the Linux kernel before 2.6.28-rc1 does not check a certain return value from the read_mapping_page function before calling kmap, which allows attackers to cause a denial of service (system crash) via a crafted hfsplus filesystem image. | ||||||||||||||||||||||||
| family | unix | ||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:11635 | ||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||||||
| title | The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the Linux kernel before 2.6.28-rc1 does not check a certain return value from the read_mapping_page function before calling kmap, which allows attackers to cause a denial of service (system crash) via a crafted hfsplus filesystem image. | ||||||||||||||||||||||||
| version | 27 |
Redhat
| advisories |
| ||||||||
| rpms |
|
References
- http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.28-rc1
- http://www.openwall.com/lists/oss-security/2008/11/03/2
- http://secunia.com/advisories/32510
- http://secunia.com/advisories/32918
- http://www.ubuntu.com/usn/usn-679-1
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:234
- http://www.debian.org/security/2008/dsa-1687
- http://secunia.com/advisories/33180
- http://secunia.com/advisories/32998
- http://www.debian.org/security/2008/dsa-1681
- http://secunia.com/advisories/33556
- http://www.redhat.com/support/errata/RHSA-2009-0014.html
- http://secunia.com/advisories/33858
- http://rhn.redhat.com/errata/RHSA-2009-0264.html
- http://www.securityfocus.com/bid/32096
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46327
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11635
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.27.y.git%3Ba=commit%3Bh=649f1ee6c705aab644035a7998d7b574193a598a