Vulnerabilities > CVE-2009-2692 - Use of Uninitialized Resource vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
description Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit (ppc). CVE-2009-2692. Local exploit for linux platform id EDB-ID:9545 last seen 2016-02-01 modified 2009-08-31 published 2009-08-31 reporter Ramon Valle source https://www.exploit-db.com/download/9545/ title Linux Kernel 2.4 / 2.6 - sock_sendpage Local Root Exploit PPC Edition description Linux Kernel 2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver). CVE-2009-2692. Local exploit for linux platform id EDB-ID:9479 last seen 2016-02-01 modified 2009-08-24 published 2009-08-24 reporter INetCop Security source https://www.exploit-db.com/download/9479/ title Linux Kernel 2.4 / 2.6 - sock_sendpage ring0 Root Exploit 1 description Linux Kernel 2.x sock_sendpage() Local Ring0 Root Exploit. CVE-2009-2692. Local exploit for linux platform id EDB-ID:9435 last seen 2016-02-01 modified 2009-08-14 published 2009-08-14 reporter spender source https://www.exploit-db.com/download/9435/ title Linux Kernel 2.x - sock_sendpage Local Ring0 Root Exploit 1 description Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit [3]. CVE-2009-2692. Local exploit for linux platform id EDB-ID:9641 last seen 2016-02-01 modified 2009-09-11 published 2009-09-11 reporter Ramon Valle source https://www.exploit-db.com/download/9641/ title Linux Kernel 2.4 / 2.6 - sock_sendpage Local Root Exploit 3 description Linux Kernel Sendpage Local Privilege Escalation. CVE-2009-2692. Local exploit for linux platform file exploits/linux/local/19933.rb id EDB-ID:19933 last seen 2016-02-02 modified 2012-07-19 platform linux port published 2012-07-19 reporter metasploit source https://www.exploit-db.com/download/19933/ title Linux Kernel - Sendpage Local Privilege Escalation type local description Linux Kernel 2.x sock_sendpage() Local Root Exploit #2. CVE-2009-2692. Local exploit for linux platform id EDB-ID:9436 last seen 2016-02-01 modified 2009-08-14 published 2009-08-14 reporter Przemyslaw Frasunek source https://www.exploit-db.com/download/9436/ title Linux Kernel 2.x - sock_sendpage Local Root Exploit 2 description Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit [2]. CVE-2009-2692. Local exploit for linux platform id EDB-ID:9598 last seen 2016-02-01 modified 2009-09-09 published 2009-09-09 reporter Ramon Valle source https://www.exploit-db.com/download/9598/ title Linux Kernel 2.4 / 2.6 - sock_sendpage Local Root Exploit 2 description Linux Kernel 2.x sock_sendpage() Local Root Exploit (Android Edition). CVE-2009-2692. Local exploit for android platform file exploits/android/local/9477.txt id EDB-ID:9477 last seen 2016-02-01 modified 2009-08-18 platform android port published 2009-08-18 reporter Zinx source https://www.exploit-db.com/download/9477/ title Linux Kernel 2.x - sock_sendpage Local Root Exploit Android Edition type local
Metasploit
description The Linux kernel failed to properly initialize some entries in the proto_ops struct for several protocols, leading to NULL being dereferenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. Several public exploits exist for this vulnerability, including spender's wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c. All Linux 2.4/2.6 versions since May 2001 are believed to be affected: 2.4.4 up to and including 2.4.37.4; 2.6.0 up to and including 2.6.30.4 This module has been tested successfully on CentOS 5.0 (i386) with kernel version 2.6.18-8.1.1.tl5; and Debian 3.1r8 Sarge (i686) with kernel version 2.4.27-3-386. id MSF:EXPLOIT/LINUX/LOCAL/SOCK_SENDPAGE last seen 2020-06-10 modified 2019-11-03 published 2013-06-02 references reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/sock_sendpage.rb title Linux Kernel Sendpage Local Privilege Escalation description The Linux kernel failed to properly initialize some entries in the proto_ops struct for several protocols, leading to NULL being dereferenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. Several public exploits exist for this vulnerability, including spender's wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c. All Linux 2.4/2.6 versions since May 2001 are believed to be affected: 2.4.4 up to and including 2.4.37.4; 2.6.0 up to and including 2.6.30.4 This module has been tested successfully on CentOS 5.0 (i386) with kernel version 2.6.18-8.1.1.tl5; and Debian 3.1r8 Sarge (i686) with kernel version 2.4.27-3-386. id MSF:AUXILIARY/SCANNER/HTTP/KODI_TRAVERSAL last seen 2020-06-14 modified 2019-11-03 published 2013-06-02 references reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/sock_sendpage.rb title Linux Kernel Sendpage Local Privilege Escalation
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1233.NASL description Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. All Red Hat Enterprise Linux 3 users should upgrade to these updated packages, which contain backported patches to resolve these issues. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 40795 published 2009-08-28 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40795 title RHEL 3 : kernel (RHSA-2009:1233) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2009:1233. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(40795); script_version ("1.30"); script_cvs_date("Date: 2019/10/25 13:36:14"); script_cve_id("CVE-2009-2692", "CVE-2009-2698"); script_bugtraq_id(36038, 36108); script_xref(name:"RHSA", value:"2009:1233"); script_name(english:"RHEL 3 : kernel (RHSA-2009:1233)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. All Red Hat Enterprise Linux 3 users should upgrade to these updated packages, which contain backported patches to resolve these issues. The system must be rebooted for this update to take effect." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2009-2692" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2009-2698" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2009:1233" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel Sendpage Local Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-BOOT"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem-unsupported"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp-unsupported"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-unsupported"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/08/14"); script_set_attribute(attribute:"patch_publication_date", value:"2009/08/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/28"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2009-2692", "CVE-2009-2698"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2009:1233"); } else { __rpm_report = ksplice_reporting_text(); } } yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2009:1233"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL3", reference:"kernel-2.4.21-60.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"i386", reference:"kernel-BOOT-2.4.21-60.EL")) flag++; if (rpm_check(release:"RHEL3", reference:"kernel-doc-2.4.21-60.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-hugemem-2.4.21-60.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-hugemem-unsupported-2.4.21-60.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-smp-2.4.21-60.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"x86_64", reference:"kernel-smp-2.4.21-60.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"i686", reference:"kernel-smp-unsupported-2.4.21-60.EL")) flag++; if (rpm_check(release:"RHEL3", cpu:"x86_64", reference:"kernel-smp-unsupported-2.4.21-60.EL")) flag++; if (rpm_check(release:"RHEL3", reference:"kernel-source-2.4.21-60.EL")) flag++; if (rpm_check(release:"RHEL3", reference:"kernel-unsupported-2.4.21-60.EL")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-BOOT / kernel-doc / kernel-hugemem / etc"); } }NASL family SuSE Local Security Checks NASL id SUSE_11_0_KERNEL-090814.NASL description This kernel update for openSUSE 11.0 fixes some bugs and several security problems. The following security issues are fixed: CVE-2009-2692: A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges. CVE-2009-2406: A kernel stack overflow when mounting eCryptfs filesystems in parse_tag_11_packet() was fixed. Code execution might be possible of ecryptfs is in use. CVE-2009-2407: A kernel heap overflow when mounting eCryptfs filesystems in parse_tag_3_packet() was fixed. Code execution might be possible of ecryptfs is in use. The compiler option -fno-delete-null-pointer-checks was added to the kernel build, and the -fwrapv compiler option usage was fixed to be used everywhere. This works around the compiler removing checks too aggressively. CVE-2009-1389: A crash in the r8169 driver when receiving large packets was fixed. This is probably exploitable only in the local network. CVE-2009-1895: Personality flags on set*id were not cleared correctly, so ASLR and NULL page protection could be bypassed. CVE-2009-1046: A utf-8 console memory corruption that can be used for local privilege escalation was fixed. The NULL page protection using mmap_min_addr was enabled (was disabled before). No CVE yet: A sigaltstack kernel memory disclosure was fixed. CVE-2008-5033: A local denial of service (Oops) in video4linux tvaudio was fixed. CVE-2009-1385: A Integer underflow in the e1000_clean_rx_irq function in drivers/net/e1000/e1000_main.c in the e1000 driver the e1000e driver in the Linux kernel, and Intel Wired Ethernet (aka e1000) before 7.5.5 allows remote attackers to cause a denial of service (panic) via a crafted frame size. last seen 2020-06-01 modified 2020-06-02 plugin id 40783 published 2009-08-27 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40783 title openSUSE Security Update : kernel (kernel-1211) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update kernel-1211. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(40783); script_version("1.13"); script_cvs_date("Date: 2019/10/25 13:36:34"); script_cve_id("CVE-2008-5033", "CVE-2009-1046", "CVE-2009-1385", "CVE-2009-1389", "CVE-2009-1895", "CVE-2009-2406", "CVE-2009-2407", "CVE-2009-2692"); script_name(english:"openSUSE Security Update : kernel (kernel-1211)"); script_summary(english:"Check for the kernel-1211 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This kernel update for openSUSE 11.0 fixes some bugs and several security problems. The following security issues are fixed: CVE-2009-2692: A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges. CVE-2009-2406: A kernel stack overflow when mounting eCryptfs filesystems in parse_tag_11_packet() was fixed. Code execution might be possible of ecryptfs is in use. CVE-2009-2407: A kernel heap overflow when mounting eCryptfs filesystems in parse_tag_3_packet() was fixed. Code execution might be possible of ecryptfs is in use. The compiler option -fno-delete-null-pointer-checks was added to the kernel build, and the -fwrapv compiler option usage was fixed to be used everywhere. This works around the compiler removing checks too aggressively. CVE-2009-1389: A crash in the r8169 driver when receiving large packets was fixed. This is probably exploitable only in the local network. CVE-2009-1895: Personality flags on set*id were not cleared correctly, so ASLR and NULL page protection could be bypassed. CVE-2009-1046: A utf-8 console memory corruption that can be used for local privilege escalation was fixed. The NULL page protection using mmap_min_addr was enabled (was disabled before). No CVE yet: A sigaltstack kernel memory disclosure was fixed. CVE-2008-5033: A local denial of service (Oops) in video4linux tvaudio was fixed. CVE-2009-1385: A Integer underflow in the e1000_clean_rx_irq function in drivers/net/e1000/e1000_main.c in the e1000 driver the e1000e driver in the Linux kernel, and Intel Wired Ethernet (aka e1000) before 7.5.5 allows remote attackers to cause a denial of service (panic) via a crafted frame size." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=444982" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=474549" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=478462" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=478699" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=503870" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=509822" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=511243" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=521427" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=522686" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=522914" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=523719" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=527848" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=530151" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel Sendpage Local Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(16, 119, 189, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:acerhk-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:acx-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:appleir-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:at76_usb-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:atl2-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:aufs-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:dazuko-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:drbd-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gspcav-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:iscsitarget-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ivtv-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-syms"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kqemu-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nouveau-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:omnibook-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pcc-acpi-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pcfclock-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tpctl-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:uvcvideo-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-ose-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-kmp-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:wlan-ng-kmp-debug"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.0"); script_set_attribute(attribute:"patch_publication_date", value:"2009/08/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.0", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.0", reference:"acerhk-kmp-debug-0.5.35_2.6.25.20_0.5-98.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"acx-kmp-debug-20080210_2.6.25.20_0.5-3.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"appleir-kmp-debug-1.1_2.6.25.20_0.5-108.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"at76_usb-kmp-debug-0.17_2.6.25.20_0.5-2.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"atl2-kmp-debug-2.0.4_2.6.25.20_0.5-4.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"aufs-kmp-debug-cvs20080429_2.6.25.20_0.5-13.3") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"dazuko-kmp-debug-2.3.4.4_2.6.25.20_0.5-42.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"drbd-kmp-debug-8.2.6_2.6.25.20_0.5-0.2") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"gspcav-kmp-debug-01.00.20_2.6.25.20_0.5-1.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"iscsitarget-kmp-debug-0.4.15_2.6.25.20_0.5-63.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"ivtv-kmp-debug-1.0.3_2.6.25.20_0.5-66.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"kernel-debug-2.6.25.20-0.5") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"kernel-default-2.6.25.20-0.5") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"kernel-pae-2.6.25.20-0.5") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"kernel-source-2.6.25.20-0.5") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"kernel-syms-2.6.25.20-0.5") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"kernel-vanilla-2.6.25.20-0.5") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"kernel-xen-2.6.25.20-0.5") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"kqemu-kmp-debug-1.3.0pre11_2.6.25.20_0.5-7.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"nouveau-kmp-debug-0.10.1.20081112_2.6.25.20_0.5-0.4") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"omnibook-kmp-debug-20080313_2.6.25.20_0.5-1.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"pcc-acpi-kmp-debug-0.9_2.6.25.20_0.5-4.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"pcfclock-kmp-debug-0.44_2.6.25.20_0.5-207.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"tpctl-kmp-debug-4.17_2.6.25.20_0.5-189.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"uvcvideo-kmp-debug-r200_2.6.25.20_0.5-2.4") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"virtualbox-ose-kmp-debug-1.5.6_2.6.25.20_0.5-33.3") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"vmware-kmp-debug-2008.04.14_2.6.25.20_0.5-21.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"wlan-ng-kmp-debug-0.2.8_2.6.25.20_0.5-107.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "acerhk-kmp-debug / acx-kmp-debug / appleir-kmp-debug / etc"); }NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-6439.NASL description This patch updates the SUSE Linux Enterprise 10 SP2 kernel to fix various bugs and some security issues. The following security issues were fixed: CVE-2009-2692: A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges. (No cve yet) A information leak from using sigaltstack was fixed. Enabled -fno-delete-null-pointer-checks to avoid optimizing away NULL pointer checks and fixed Makefiles to make sure -fwrapv is used everywhere. CVE-2009-1758: The hypervisor_callback function in Xen allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in last seen 2020-06-01 modified 2020-06-02 plugin id 41540 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41540 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6439) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2013-0039.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2013-0039 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 79507 published 2014-11-26 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79507 title OracleVM 2.2 : kernel (OVMSA-2013-0039) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2009-0023.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - backport for online resize of blockdev [orabug 8585251] [rh bugz 444964] - CVE-2009-2692 - [net] make sock_sendpage use kernel_sendpage (Jiri Pirko) [517445 516955] - CVE-2009-2698 - [net] prevent null pointer dereference in udp_sendmsg (Vitaly Mayatskikh) [518047 518043] - Updated cciss module to 3.6.20 - update bnx2x 1.48.107 - update bnx2 1.8.8b - update bfa to 1.1.0.9-0 [bugz 9518] - Fix dom0 crash in loopback_start_xmit+0x107/0x2BD [bug 7634343] last seen 2020-06-01 modified 2020-06-02 plugin id 79465 published 2014-11-26 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79465 title OracleVM 2.1 : kernel (OVMSA-2009-0023) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-819-1.NASL description Tavis Ormandy and Julien Tinnes discovered that Linux did not correctly initialize certain socket operation function pointers. A local attacker could exploit this to gain root privileges. By default, Ubuntu 8.04 and later with a non-zero /proc/sys/vm/mmap_min_addr setting were not vulnerable. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 40658 published 2009-08-20 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40658 title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : linux, linux-source-2.6.15 vulnerability (USN-819-1) NASL family Scientific Linux Local Security Checks NASL id SL_20090827_KERNEL_ON_SL3_X.NASL description CVE-2009-2692 kernel: uninit op in SOCKOPS_WRAP() leads to privesc CVE-2009-2698 kernel: udp socket NULL ptr dereference These updated packages fix the following security issues : - a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) - a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 60648 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60648 title Scientific Linux Security Update : kernel on SL3.x i386/x86_64 NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-1233.NASL description From Red Hat Security Advisory 2009:1233 : Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. All Red Hat Enterprise Linux 3 users should upgrade to these updated packages, which contain backported patches to resolve these issues. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 67917 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67917 title Oracle Linux 3 : kernel (ELSA-2009-1233) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1862.NASL description A vulnerability has been discovered in the Linux kernel that may lead to privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problem : - CVE-2009-2692 Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialized in the proto_ops structure. Local users can exploit this vulnerability to gain elevated privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 44727 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44727 title Debian DSA-1862-1 : linux-2.6 - privilege escalation NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-1222.NASL description From Red Hat Security Advisory 2009:1222 : Updated kernel packages that fix two security issues and a bug are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. These updated packages also fix the following bug : * in the dlm code, a socket was allocated in tcp_connect_to_sock(), but was not freed in the error exit path. This bug led to a memory leak and an unresponsive system. A reported case of this bug occurred after running last seen 2020-06-01 modified 2020-06-02 plugin id 67914 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67914 title Oracle Linux 5 : kernel (ELSA-2009-1222) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-090816.NASL description The SUSE Linux Enterprise 11 Kernel was updated to 2.6.27.29 fixing various bugs and security issues. The following security issues were fixed : - A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges. (CVE-2009-2692) - A kernel stack overflow when mounting eCryptfs filesystems in parse_tag_11_packet() was fixed. Code execution might be possible of ecryptfs is in use. (CVE-2009-2406) - A kernel heap overflow when mounting eCryptfs filesystems in parse_tag_3_packet() was fixed. Code execution might be possible of ecryptfs is in use. (CVE-2009-2407) The compiler option -fno-delete-null-pointer-checks was added to the kernel build, and the -fwrapv compiler option usage was fixed to be used everywhere. This works around the compiler removing checks too aggressively. - A crash in the r8169 driver when receiving large packets was fixed. This is probably exploitable only in the local network. (CVE-2009-1389) No CVE yet: A sigaltstack kernel memory disclosure was fixed. The NULL page protection using mmap_min_addr was enabled (was disabled before). This update also adds the Microsoft Hyper-V drivers from upstream. Additionaly a lot of bugs were fixed. last seen 2020-06-01 modified 2020-06-02 plugin id 41414 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41414 title SuSE 11 Security Update : Linux kernel (SAT Patch Numbers 1212 / 1218 / 1219) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-6440.NASL description This kernel update for openSUSE 10.3 fixes some bugs and several security problems. The following security issues are fixed: CVE-2009-2692: A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges. CVE-2009-2406: A kernel stack overflow when mounting eCryptfs filesystems in parse_tag_11_packet() was fixed. Code execution might be possible of ecryptfs is in use. CVE-2009-2407: A kernel heap overflow when mounting eCryptfs filesystems in parse_tag_3_packet() was fixed. Code execution might be possible of ecryptfs is in use. The compiler option -fno-delete-null-pointer-checks was added to the kernel build, and the -fwrapv compiler option usage was fixed to be used everywhere. This works around the compiler removing checks too aggressively. CVE-2009-1389: A crash in the r8169 driver when receiving large packets was fixed. This is probably exploitable only in the local network. CVE-2009-0676: A memory disclosure via the SO_BSDCOMPAT socket option was fixed. CVE-2009-1630: The nfs_permission function in fs/nfs/dir.c in the NFS client implementation when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver. random: make get_random_int() was made more random to enhance ASLR protection. last seen 2020-06-01 modified 2020-06-02 plugin id 42009 published 2009-10-06 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42009 title openSUSE 10 Security Update : kernel (kernel-6440) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-1233.NASL description Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. All Red Hat Enterprise Linux 3 users should upgrade to these updated packages, which contain backported patches to resolve these issues. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 40808 published 2009-08-31 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40808 title CentOS 3 : kernel (CESA-2009:1233) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-1222.NASL description Updated kernel packages that fix two security issues and a bug are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. These updated packages also fix the following bug : * in the dlm code, a socket was allocated in tcp_connect_to_sock(), but was not freed in the error exit path. This bug led to a memory leak and an unresponsive system. A reported case of this bug occurred after running last seen 2020-06-01 modified 2020-06-02 plugin id 43777 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43777 title CentOS 5 : kernel (CESA-2009:1222) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1222.NASL description Updated kernel packages that fix two security issues and a bug are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. These updated packages also fix the following bug : * in the dlm code, a socket was allocated in tcp_connect_to_sock(), but was not freed in the error exit path. This bug led to a memory leak and an unresponsive system. A reported case of this bug occurred after running last seen 2020-06-01 modified 2020-06-02 plugin id 40765 published 2009-08-25 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40765 title RHEL 5 : kernel (RHSA-2009:1222) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-1223.NASL description From Red Hat Security Advisory 2009:1223 : Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 67915 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67915 title Oracle Linux 4 : kernel (ELSA-2009-1223) NASL family Fedora Local Security Checks NASL id FEDORA_2009-8649.NASL description Fix sock_sendpage NULL pointer dereference. CVE-2009-2692. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 40606 published 2009-08-18 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40606 title Fedora 11 : kernel-2.6.29.6-217.2.7.fc11 (2009-8649) NASL family SuSE Local Security Checks NASL id SUSE_11_1_KERNEL-090816.NASL description The SUSE Linux Enterprise 11 Kernel was updated to 2.6.27.29 fixing various bugs and security issues. Following security issues were fixed: CVE-2009-2692: A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges. CVE-2009-2406: A kernel stack overflow when mounting eCryptfs filesystems in parse_tag_11_packet() was fixed. Code execution might be possible of ecryptfs is in use. CVE-2009-2407: A kernel heap overflow when mounting eCryptfs filesystems in parse_tag_3_packet() was fixed. Code execution might be possible of ecryptfs is in use. The compiler option -fno-delete-null-pointer-checks was added to the kernel build, and the -fwrapv compiler option usage was fixed to be used everywhere. This works around the compiler removing checks too aggressively. CVE-2009-1389: A crash in the r8169 driver when receiving large packets was fixed. This is probably exploitable only in the local network. No CVE yet: A sigaltstack kernel memory disclosure was fixed. The NULL page protection using mmap_min_addr was enabled (was disabled before). This update also adds the Microsoft Hyper-V drivers from upstream. last seen 2020-06-01 modified 2020-06-02 plugin id 40789 published 2009-08-27 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40789 title openSUSE Security Update : kernel (kernel-1214) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1457.NASL description Updated kernel packages that fix several security issues are now available for Red Hat Enterprise Linux 5.2 Extended Update Support. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * Michael Tokarev reported a flaw in the Realtek r8169 Ethernet driver in the Linux kernel. This driver allowed interfaces using this driver to receive frames larger than what could be handled. This could lead to a remote denial of service or code execution. (CVE-2009-1389, Important) * Tavis Ormandy and Julien Tinnes of the Google Security Team reported a flaw in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * Tavis Ormandy and Julien Tinnes of the Google Security Team reported a flaw in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 63896 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/63896 title RHEL 5 : kernel (RHSA-2009:1457) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-6437.NASL description This patch updates the SUSE Linux Enterprise 10 SP2 kernel to fix various bugs and some security issues. The following security issues were fixed: CVE-2009-2692: A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges. (No cve yet) A information leak from using sigaltstack was fixed. Enabled -fno-delete-null-pointer-checks to avoid optimizing away NULL pointer checks and fixed Makefiles to make sure -fwrapv is used everywhere. CVE-2009-1758: The hypervisor_callback function in Xen allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in last seen 2020-06-01 modified 2020-06-02 plugin id 59138 published 2012-05-17 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59138 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6437) NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2009-0016.NASL description a. JRE Security Update JRE update to version 1.5.0_20, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720, CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724. b. Update Apache Tomcat version Update for VirtualCenter and ESX patch update the Tomcat package to version 6.0.20 (vSphere 4.0) or version 5.5.28 (VirtualCenter 2.5) which addresses multiple security issues that existed in the previous version of Apache Tomcat. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.20 and Tomcat 5.5.28: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.18: CVE-2008-1232, CVE-2008-1947, CVE-2008-2370. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.16: CVE-2007-5333, CVE-2007-5342, CVE-2007-5461, CVE-2007-6286, CVE-2008-0002. c. Third-party library update for ntp. The Network Time Protocol (NTP) is used to synchronize a computer last seen 2020-06-01 modified 2020-06-02 plugin id 42870 published 2009-11-23 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42870 title VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components. NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1865.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-1385 Neil Horman discovered a missing fix from the e1000 network driver. A remote user may cause a denial of service by way of a kernel panic triggered by specially crafted frame sizes. - CVE-2009-1389 Michael Tokarev discovered an issue in the r8169 network driver. Remote users on the same LAN may cause a denial of service by way of a kernel panic triggered by receiving a large size frame. - CVE-2009-1630 Frank Filz discovered that local users may be able to execute files without execute permission when accessed via an nfs4 mount. - CVE-2009-1633 Jeff Layton and Suresh Jayaraman fixed several buffer overflows in the CIFS filesystem which allow remote servers to cause memory corruption. - CVE-2009-2692 Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialized in the proto_ops structure. Local users can exploit this vulnerability to gain elevated privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 44730 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44730 title Debian DSA-1865-1 : linux-2.6 - denial of service/privilege escalation NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-1223.NASL description Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 40753 published 2009-08-25 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40753 title CentOS 4 : kernel (CESA-2009:1223) NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2010-0010.NASL description a. Service Console update for COS kernel The service console package kernel is updated to version 2.4.21-63. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-5029, CVE-2008-5300, CVE-2009-1337, CVE-2009-1385, CVE-2009-1895, CVE-2009-2848, CVE-2009-3002, and CVE-2009-3547 to the security issues fixed in kernel-2.4.21-63. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2698, CVE-2009-2692 to the security issues fixed in kernel-2.4.21-60. last seen 2020-06-01 modified 2020-06-02 plugin id 47150 published 2010-06-28 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/47150 title VMSA-2010-0010 : ESX 3.5 third-party update for Service Console kernel NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1223.NASL description Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 40766 published 2009-08-25 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40766 title RHEL 4 : kernel (RHSA-2009:1223) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1469.NASL description Updated kernel packages that fix several security issues are now available for Red Hat Enterprise Linux 4.7 Extended Update Support. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * Michael Tokarev reported a flaw in the Realtek r8169 Ethernet driver in the Linux kernel. This driver allowed interfaces using this driver to receive frames larger than what could be handled. This could lead to a remote denial of service or code execution. (CVE-2009-1389, Important) * Tavis Ormandy and Julien Tinnes of the Google Security Team reported a flaw in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * Tavis Ormandy and Julien Tinnes of the Google Security Team reported a flaw in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 63899 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/63899 title RHEL 4 : kernel (RHSA-2009:1469) NASL family Misc. NASL id VMWARE_VMSA-2009-0016_REMOTE.NASL description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components : - Apache Geronimo - Apache Tomcat - Apache Xerces2 - cURL/libcURL - ISC BIND - Libxml2 - Linux kernel - Linux kernel 64-bit - Linux kernel Common Internet File System - Linux kernel eCryptfs - NTP - Python - Java Runtime Environment (JRE) - Java SE Development Kit (JDK) - Java SE Abstract Window Toolkit (AWT) - Java SE Plugin - Java SE Provider - Java SE Swing - Java SE Web Start last seen 2020-06-01 modified 2020-06-02 plugin id 89117 published 2016-03-03 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89117 title VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1864.NASL description A vulnerability has been discovered in the Linux kernel that may lead to privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problem : - CVE-2009-2692 Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialized in the proto_ops structure. Local users can exploit this vulnerability to gain elevated privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 44729 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44729 title Debian DSA-1864-1 : linux-2.6.24 - privilege escalation NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-205.NASL description A vulnerability was discovered and corrected in the Linux 2.6 kernel : The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation on a PF_PPPOX socket. (CVE-2009-2692) To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate last seen 2020-06-01 modified 2020-06-02 plugin id 40637 published 2009-08-20 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40637 title Mandriva Linux Security Advisory : kernel (MDVSA-2009:205) NASL family Fedora Local Security Checks NASL id FEDORA_2009-8647.NASL description Fix sock_sendpage NULL pointer dereference. CVE-2009-2692. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 40605 published 2009-08-18 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40605 title Fedora 10 : kernel-2.6.27.29-170.2.79.fc10 (2009-8647) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2009-230-01.NASL description New Linux kernel packages are available for Slackware 12.2 and -current to address a security issue. A kernel bug discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team could allow a local user to fill memory page zero with arbitrary code and then use the kernel sendpage operation to trigger a NULL pointer dereference, executing the code in the context of the kernel. If successfully exploited, this bug can be used to gain root access. At this time we have prepared fixed kernels for the stable version of Slackware (12.2), as well as for both 32-bit x86 and x86_64 -current versions. Additionally, we have added a package to the /patches directory for Slackware 12.1 and 12.2 that will set the minimum memory page that can be mmap()ed from userspace without additional privileges to 4096. The package will work with any kernel supporting the vm.mmap_min_addr tunable, and should significantly reduce the potential harm from this bug, as well as future similar bugs that might be found in the kernel. More updated kernels may follow. last seen 2020-06-01 modified 2020-06-02 plugin id 40622 published 2009-08-20 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40622 title Slackware 12.2 / current : kernel (SSA:2009-230-01) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-233.NASL description A vulnerability was discovered and corrected in the Linux 2.6 kernel : The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation on a PF_PPPOX socket. (CVE-2009-2692) To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate last seen 2020-06-01 modified 2020-06-02 plugin id 40980 published 2009-09-15 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40980 title Mandriva Linux Security Advisory : kernel (MDVSA-2009:233) NASL family Scientific Linux Local Security Checks NASL id SL_20090824_KERNEL_ON_SL5_X.NASL description CVE-2009-2692 kernel: uninit op in SOCKOPS_WRAP() leads to privesc CVE-2009-2698 kernel: udp socket NULL ptr dereference These updated packages fix the following security issues : - a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) - a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) These updated packages also fix the following bug : - in the dlm code, a socket was allocated in tcp_connect_to_sock(), but was not freed in the error exit path. This bug led to a memory leak and an unresponsive system. A reported case of this bug occurred after running last seen 2020-06-01 modified 2020-06-02 plugin id 60646 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60646 title Scientific Linux Security Update : kernel on SL5.x i386/x86_64
Oval
accepted 2010-08-23T04:00:08.690-04:00 class vulnerability contributors name Chandan M C organization Hewlett-Packard definition_extensions comment VMware ESX Server 3.5.0 is installed oval oval:org.mitre.oval:def:5887 description The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket. family unix id oval:org.mitre.oval:def:11526 status accepted submitted 2010-07-10T10:25:06.000-05:00 title Service Console update for COS kernel version 5 accepted 2013-04-29T04:14:50.572-04:00 class vulnerability contributors name Aharon Chernin organization SCAP.com, LLC name Dragos Prisaca organization G2, Inc.
definition_extensions comment The operating system installed on the system is Red Hat Enterprise Linux 3 oval oval:org.mitre.oval:def:11782 comment CentOS Linux 3.x oval oval:org.mitre.oval:def:16651 comment The operating system installed on the system is Red Hat Enterprise Linux 4 oval oval:org.mitre.oval:def:11831 comment CentOS Linux 4.x oval oval:org.mitre.oval:def:16636 comment Oracle Linux 4.x oval oval:org.mitre.oval:def:15990 comment The operating system installed on the system is Red Hat Enterprise Linux 5 oval oval:org.mitre.oval:def:11414 comment The operating system installed on the system is CentOS Linux 5.x oval oval:org.mitre.oval:def:15802 comment Oracle Linux 5.x oval oval:org.mitre.oval:def:15459
description The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket. family unix id oval:org.mitre.oval:def:11591 status accepted submitted 2010-07-09T03:56:16-04:00 title The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket. version 27 accepted 2014-01-20T04:01:41.398-05:00 class vulnerability contributors name Pai Peng organization Hewlett-Packard name Chris Coffin organization The MITRE Corporation
definition_extensions comment VMware ESX Server 4.0 is installed oval oval:org.mitre.oval:def:6293 description The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket. family unix id oval:org.mitre.oval:def:8657 status accepted submitted 2010-03-19T16:57:59.000-04:00 title VMware kernel NULL pointer dereference vulnerability version 7
Packetstorm
| data source | https://packetstormsecurity.com/files/download/114856/sock_sendpage.rb.txt |
| id | PACKETSTORM:114856 |
| last seen | 2016-12-05 |
| published | 2012-07-19 |
| reporter | Brad Spengler |
| source | https://packetstormsecurity.com/files/114856/Linux-Kernel-Sendpage-Local-Privilege-Escalation.html |
| title | Linux Kernel Sendpage Local Privilege Escalation |
Redhat
| advisories |
| ||||||||||||
| rpms |
|
Seebug
bulletinFamily exploit description No description provided by source. id SSV:66827 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-66827 title Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android Edition) bulletinFamily exploit description No description provided by source. id SSV:66828 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-66828 title Linux Kernel 2.4/2.6 - sock_sendpage() ring0 Root Exploit (Simple Version) bulletinFamily exploit description No description provided by source. id SSV:12103 last seen 2017-11-19 modified 2009-08-25 published 2009-08-25 reporter Root source https://www.seebug.org/vuldb/ssvid-12103 title Linux Kernel 2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver) bulletinFamily exploit description No description provided by source. id SSV:12073 last seen 2017-11-19 modified 2009-08-19 published 2009-08-19 reporter Root source https://www.seebug.org/vuldb/ssvid-12073 title Linux Kernel 2.x sock_sendpage() Local Root Exploit (Android Edition)
Statements
| contributor | Mark J Cox |
| lastmodified | 2009-09-14 |
| organization | Red Hat |
| statement | Red Hat is aware of this issue. Please see http://kbase.redhat.com/faq/docs/DOC-18065. Updates for Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG to correct this issue are available: https://rhn.redhat.com/cve/CVE-2009-2692.html |
References
- http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc6
- http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
- http://www.securityfocus.com/bid/36038
- http://grsecurity.net/~spender/wunderbar_emporium.tgz
- http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
- http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.5
- http://secunia.com/advisories/36327
- http://www.vupen.com/english/advisories/2009/2272
- http://www.debian.org/security/2009/dsa-1865
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.5
- http://secunia.com/advisories/36289
- https://issues.rpath.com/browse/RPL-3103
- http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0121
- http://zenthought.org/content/file/android-root-2009-08-16-source
- http://secunia.com/advisories/36430
- http://rhn.redhat.com/errata/RHSA-2009-1223.html
- http://rhn.redhat.com/errata/RHSA-2009-1222.html
- https://bugzilla.redhat.com/show_bug.cgi?id=516949
- http://secunia.com/advisories/36278
- http://www.openwall.com/lists/oss-security/2009/08/14/1
- http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html
- http://www.redhat.com/support/errata/RHSA-2009-1233.html
- http://support.avaya.com/css/P8/documents/100067254
- http://www.vmware.com/security/advisories/VMSA-2009-0016.html
- http://www.vupen.com/english/advisories/2009/3316
- http://secunia.com/advisories/37471
- http://secunia.com/advisories/37298
- http://www.exploit-db.com/exploits/19933
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:233
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8657
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11591
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11526
- http://www.exploit-db.com/exploits/9477
- http://www.securityfocus.com/archive/1/512019/100/0/threaded
- http://www.securityfocus.com/archive/1/507985/100/0/threaded
- http://www.securityfocus.com/archive/1/505912/100/0/threaded
- http://www.securityfocus.com/archive/1/505751/100/0/threaded
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=e694958388c50148389b0e9b9e9e8945cf0f1b98
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git%3Ba=commit%3Bh=c18d0fe535a73b219f960d1af3d0c264555a12e3