Vulnerabilities > CVE-2009-2909 - Numeric Errors vulnerability in Linux Kernel
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Integer signedness error in the ax25_setsockopt function in net/ax25/af_ax25.c in the ax25 subsystem in the Linux kernel before 2.6.31.2 allows local users to cause a denial of service (OOPS) via a crafted optlen value in an SO_BINDTODEVICE operation.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-6632.NASL description This update fixes a several security issues and various bugs in the SUSE Linux Enterprise 10 SP 2 kernel. The following security issues were fixed: CVE-2009-3547: A race condition during pipe open could be used by local attackers to elevate privileges. - On x86_64 systems a information leak of high register contents (upper 32bit) was fixed. (CVE-2009-2910) - The randomness of the ASLR methods used in the kernel was increased. (CVE-2009-3238) - A information leak from the kernel due to uninitialized memory in AGP handling was fixed. (CVE-2009-1192) - A signed comparison in the ax25 sockopt handler was fixed which could be used to crash the kernel or potentially execute code. (CVE-2009-2909) - The execve function in the Linux kernel did not properly clear the current->clear_child_tid pointer, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a clone system call with CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit. (CVE-2009-2848) - Fixed various sockethandler getname leaks, which could disclose memory previously used by the kernel or other userland processes to the local attacker. (CVE-2009-3002) - Multiple buffer overflows in the cifs subsystem in the Linux kernel allow remote CIFS servers to cause a denial of service (memory corruption) and possibly have unspecified other impact via (1) a malformed Unicode string, related to Unicode string area alignment in fs/cifs/sess.c; or (2) long Unicode characters, related to fs/cifs/cifssmb.c and the cifs_readdir function in fs/cifs/readdir.c. (CVE-2009-1633) Also see the RPM changelog for more changes. last seen 2020-06-01 modified 2020-06-02 plugin id 42465 published 2009-11-11 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42465 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6632) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # include("compat.inc"); if (description) { script_id(42465); script_version ("1.22"); script_cvs_date("Date: 2019/10/25 13:36:36"); script_cve_id("CVE-2009-1192", "CVE-2009-1633", "CVE-2009-2848", "CVE-2009-2909", "CVE-2009-2910", "CVE-2009-3002", "CVE-2009-3238", "CVE-2009-3547"); script_name(english:"SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6632)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "This update fixes a several security issues and various bugs in the SUSE Linux Enterprise 10 SP 2 kernel. The following security issues were fixed: CVE-2009-3547: A race condition during pipe open could be used by local attackers to elevate privileges. - On x86_64 systems a information leak of high register contents (upper 32bit) was fixed. (CVE-2009-2910) - The randomness of the ASLR methods used in the kernel was increased. (CVE-2009-3238) - A information leak from the kernel due to uninitialized memory in AGP handling was fixed. (CVE-2009-1192) - A signed comparison in the ax25 sockopt handler was fixed which could be used to crash the kernel or potentially execute code. (CVE-2009-2909) - The execve function in the Linux kernel did not properly clear the current->clear_child_tid pointer, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a clone system call with CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit. (CVE-2009-2848) - Fixed various sockethandler getname leaks, which could disclose memory previously used by the kernel or other userland processes to the local attacker. (CVE-2009-3002) - Multiple buffer overflows in the cifs subsystem in the Linux kernel allow remote CIFS servers to cause a denial of service (memory corruption) and possibly have unspecified other impact via (1) a malformed Unicode string, related to Unicode string area alignment in fs/cifs/sess.c; or (2) long Unicode characters, related to fs/cifs/cifssmb.c and the cifs_readdir function in fs/cifs/readdir.c. (CVE-2009-1633) Also see the RPM changelog for more changes." ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2009-1192.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2009-1633.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2009-2848.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2009-2909.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2009-2910.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2009-3002.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2009-3238.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2009-3547.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 6632."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(119, 189, 200, 310, 362); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2009/11/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/11"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLED10", sp:2, cpu:"i586", reference:"kernel-bigsmp-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLED10", sp:2, cpu:"i586", reference:"kernel-default-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLED10", sp:2, cpu:"i586", reference:"kernel-smp-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLED10", sp:2, cpu:"i586", reference:"kernel-source-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLED10", sp:2, cpu:"i586", reference:"kernel-syms-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLED10", sp:2, cpu:"i586", reference:"kernel-xen-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLED10", sp:2, cpu:"i586", reference:"kernel-xenpae-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLES10", sp:2, cpu:"i586", reference:"kernel-bigsmp-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLES10", sp:2, cpu:"i586", reference:"kernel-debug-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLES10", sp:2, cpu:"i586", reference:"kernel-default-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLES10", sp:2, cpu:"i586", reference:"kernel-kdump-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLES10", sp:2, cpu:"i586", reference:"kernel-smp-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLES10", sp:2, cpu:"i586", reference:"kernel-source-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLES10", sp:2, cpu:"i586", reference:"kernel-syms-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLES10", sp:2, cpu:"i586", reference:"kernel-vmi-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLES10", sp:2, cpu:"i586", reference:"kernel-vmipae-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLES10", sp:2, cpu:"i586", reference:"kernel-xen-2.6.16.60-0.42.7")) flag++; if (rpm_check(release:"SLES10", sp:2, cpu:"i586", reference:"kernel-xenpae-2.6.16.60-0.42.7")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else exit(0, "The host is not affected.");
NASL family Fedora Local Security Checks NASL id FEDORA_2009-11032.NASL description - Tue Nov 3 2009 Kyle McMartin <kyle at redhat.com> 2.6.30.9-96 - fs/pipe.c: fix NULL pointer dereference (CVE-2009-3547) - Sun Oct 25 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-95 - Disable the stack protector on functions that don last seen 2020-06-01 modified 2020-06-02 plugin id 42400 published 2009-11-06 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42400 title Fedora 11 : kernel-2.6.30.9-96.fc11 (2009-11032) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2009-11032. # include("compat.inc"); if (description) { script_id(42400); script_version("1.22"); script_cvs_date("Date: 2019/08/02 13:32:29"); script_cve_id("CVE-2009-3547", "CVE-2009-3621", "CVE-2009-3624", "CVE-2009-3638"); script_bugtraq_id(36723, 36793, 36803, 36901); script_xref(name:"FEDORA", value:"2009-11032"); script_name(english:"Fedora 11 : kernel-2.6.30.9-96.fc11 (2009-11032)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Tue Nov 3 2009 Kyle McMartin <kyle at redhat.com> 2.6.30.9-96 - fs/pipe.c: fix NULL pointer dereference (CVE-2009-3547) - Sun Oct 25 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-95 - Disable the stack protector on functions that don't have onstack arrays. - Thu Oct 22 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-94 - Fix overflow in KVM cpuid code. (CVE-2009-3638) - Thu Oct 22 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-93 - Fix exploitable oops in keyring code (CVE-2009-3624) - Wed Oct 21 2009 Kyle McMartin <kyle at redhat.com> - shut-up-LOCK_TEST_WITH_RETURN.patch: sort out #445331... or paper bag over it for now until the lock warnings can be killed. - Mon Oct 19 2009 Kyle McMartin <kyle at redhat.com> - af_unix-fix-deadlock-connecting-to-shutdown-socket.pat ch: fix for rhbz#529626 local DoS. (CVE-2009-3621) - Sat Oct 17 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-90 - Fix null deref in r128 (F10#487546) (CVE-2009-3620) - Sat Oct 17 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-89 - Keyboard and mouse fixes from 2.6.32 (#522126) - Sat Oct 17 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-88 - Scheduler wakeup patch, fixes high latency on wakeup (sched-update-the-clock-of-runqueue-select-task-rq-sel ected.patch) - Fri Oct 16 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-87 - Fix uninitialized data leak in netlink (CVE-2009-3612) - Thu Oct 15 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-86 - AX.25 security fix (CVE-2009-2909) - Thu Oct 15 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-85 - Disable CONFIG_USB_STORAGE_CYPRESS_ATACB because it causes failure to boot from USB disks using Cypress bridges (#524998) - Tue Oct 13 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-84 - Copy libata drive detection fix from 2.6.31.4 (#524756) - Tue Oct 13 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-83 - Networking fixes taken from 2.6.31-stable - Tue Oct 13 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-82 - Fix boot hang with ACPI on some systems. - Mon Oct 12 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-81 - Critical ftrace fixes: ftrace-use-module-notifier-for-function-tracer.patch ftrace-check-for-failure-for-all-conversions.patch tracing-correct-module-boundaries-for-ftrace_release.p atch - Thu Oct 8 2009 Ben Skeggs <bskeggs at redhat.com> 2.6.30.9-80 - ppc: compile nvidiafb as a module only, nvidiafb+nouveau = bang! (rh#491308) - Wed Oct 7 2009 Dave Jones <davej at redhat.com> 2.6.30.9-78 - Disable IRQSOFF tracer. (Adds unnecessary overhead when unused) - Wed Oct 7 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-77 - eCryptfs fixes taken from 2.6.31.2 (fixes CVE-2009-2908) - Tue Oct 6 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-76 - fix race in forcedeth network driver (#526546) - Tue Oct 6 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-75 - x86: Don't leak 64-bit reg contents to 32-bit tasks. - Tue Oct 6 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-74 [plus 194 lines in the Changelog] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=529626" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=530283" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=530490" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=530515" ); # https://lists.fedoraproject.org/pipermail/package-announce/2009-November/030674.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?2c4aae2b" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(189, 310, 362); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/10/22"); script_set_attribute(attribute:"patch_publication_date", value:"2009/11/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^11([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 11.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC11", reference:"kernel-2.6.30.9-96.fc11")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2009-10639.NASL description Update to kernel 2.6.30.9. Upstream change logs: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.9 Also fixes : - Kernel stack randomization bug - NULL dereference in r128 driver - ftrace memory corruption on module unload - boot hanging on some systems - some latency problems caused by scheduler bugs Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 42271 published 2009-10-28 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42271 title Fedora 11 : kernel-2.6.30.9-90.fc11 (2009-10639) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2009-10639. # include("compat.inc"); if (description) { script_id(42271); script_version("1.28"); script_cvs_date("Date: 2019/08/02 13:32:28"); script_cve_id("CVE-2009-2903", "CVE-2009-2908", "CVE-2009-2909", "CVE-2009-2910", "CVE-2009-3290", "CVE-2009-3612"); script_bugtraq_id(36379, 36512, 36576, 36635, 36639); script_xref(name:"FEDORA", value:"2009-10639"); script_name(english:"Fedora 11 : kernel-2.6.30.9-90.fc11 (2009-10639)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Update to kernel 2.6.30.9. Upstream change logs: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.9 Also fixes : - Kernel stack randomization bug - NULL dereference in r128 driver - ftrace memory corruption on module unload - boot hanging on some systems - some latency problems caused by scheduler bugs Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.9 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?856e295c" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=522331" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=524124" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=526788" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=527534" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=528868" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=528887" ); # https://lists.fedoraproject.org/pipermail/package-announce/2009-October/030287.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?3cb67549" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(189, 200, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:11"); script_set_attribute(attribute:"patch_publication_date", value:"2009/10/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/28"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^11([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 11.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC11", reference:"kernel-2.6.30.9-90.fc11")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }
NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-6641.NASL description This update fixes various bugs and some security issues in the SUSE Linux Enterprise 10 SP 3 kernel. The following security issues were fixed: CVE-2009-3238: The get_random_int function in drivers/char/random.c in the Linux kernel produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the functions tendency to return the same value over and over again for long stretches of time. - The (1) agp_generic_alloc_page and (2) agp_generic_alloc_pages functions in drivers/char/agp/generic.c in the agp subsystem in the Linux kernel do not zero out pages that may later be available to a user-space process, which allows local users to obtain sensitive information by reading these pages. (CVE-2009-1192) - Unsigned check in the ax25 socket handler could allow local attackers to potentially crash the kernel or even execute code. (CVE-2009-2909) last seen 2020-06-01 modified 2020-06-02 plugin id 59141 published 2012-05-17 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59141 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6641) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1928.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-2846 Michael Buesch noticed a typing issue in the eisa-eeprom driver for the hppa architecture. Local users could exploit this issue to gain access to restricted memory. - CVE-2009-2847 Ulrich Drepper noticed an issue in the do_sigalstack routine on 64-bit systems. This issue allows local users to gain access to potentially sensitive memory on the kernel stack. - CVE-2009-2848 Eric Dumazet discovered an issue in the execve path, where the clear_child_tid variable was not being properly cleared. Local users could exploit this issue to cause a denial of service (memory corruption). - CVE-2009-2849 Neil Brown discovered an issue in the sysfs interface to md devices. When md arrays are not active, local users can exploit this vulnerability to cause a denial of service (oops). - CVE-2009-2903 Mark Smith discovered a memory leak in the appletalk implementation. When the appletalk and ipddp modules are loaded, but no ipddp last seen 2020-06-01 modified 2020-06-02 plugin id 44793 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44793 title Debian DSA-1928-1 : linux-2.6.24 - privilege escalation/denial of service/sensitive memory leak NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1929.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-1883 Solar Designer discovered a missing capability check in the z90crypt driver or s390 systems. This vulnerability may allow a local user to gain elevated privileges. - CVE-2009-2909 Arjan van de Ven discovered an issue in the AX.25 protocol implementation. A specially crafted call to setsockopt() can result in a denial of service (kernel oops). - CVE-2009-3001 Jiri Slaby fixed a sensitive memory leak issue in the ANSI/IEEE 802.2 LLC implementation. This is not exploitable in the Debian lenny kernel as root privileges are required to exploit this issue. - CVE-2009-3002 Eric Dumazet fixed several sensitive memory leaks in the IrDA, X.25 PLP (Rose), NET/ROM, Acorn Econet/AUN, and Controller Area Network (CAN) implementations. Local users can exploit these issues to gain access to kernel memory. - CVE-2009-3228 Eric Dumazet reported an instance of uninitialized kernel memory in the network packet scheduler. Local users may be able to exploit this issue to read the contents of sensitive kernel memory. - CVE-2009-3238 Linus Torvalds provided a change to the get_random_int() function to increase its randomness. - CVE-2009-3286 Eric Paris discovered an issue with the NFSv4 server implementation. When an O_EXCL create fails, files may be left with corrupted permissions, possibly granting unintentional privileges to other local users. - CVE-2009-3547 Earl Chew discovered a NULL pointer dereference issue in the pipe_rdwr_open function which can be used by local users to gain elevated privileges. - CVE-2009-3612 Jiri Pirko discovered a typo in the initialization of a structure in the netlink subsystem that may allow local users to gain access to sensitive kernel memory. - CVE-2009-3621 Tomoki Sekiyama discovered a deadlock condition in the UNIX domain socket implementation. Local users can exploit this vulnerability to cause a denial of service (system hang). last seen 2020-06-01 modified 2020-06-02 plugin id 44794 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44794 title Debian DSA-1929-1 : linux-2.6 - privilege escalation/denial of service/sensitive memory leak NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-864-1.NASL description It was discovered that the AX.25 network subsystem did not correctly check integer signedness in certain setsockopt calls. A local attacker could exploit this to crash the system, leading to a denial of service. Ubuntu 9.10 was not affected. (CVE-2009-2909) Jan Beulich discovered that the kernel could leak register contents to 32-bit processes that were switched to 64-bit mode. A local attacker could run a specially crafted binary to read register values from an earlier process, leading to a loss of privacy. (CVE-2009-2910) Dave Jones discovered that the gdth SCSI driver did not correctly validate array indexes in certain ioctl calls. A local attacker could exploit this to crash the system or gain elevated privileges. (CVE-2009-3080) Eric Dumazet and Jiri Pirko discovered that the TC and CLS subsystems would leak kernel memory via uninitialized structure members. A local attacker could exploit this to read several bytes of kernel memory, leading to a loss of privacy. (CVE-2009-3228, CVE-2009-3612) Earl Chew discovered race conditions in pipe handling. A local attacker could exploit anonymous pipes via /proc/*/fd/ and crash the system or gain root privileges. (CVE-2009-3547) Dave Jones and Francois Romieu discovered that the r8169 network driver could be made to leak kernel memory. A remote attacker could send a large number of jumbo frames until the system memory was exhausted, leading to a denial of service. Ubuntu 9.10 was not affected. (CVE-2009-3613). Ben Hutchings discovered that the ATI Rage 128 video driver did not correctly validate initialization states. A local attacker could make specially crafted ioctl calls to crash the system or gain root privileges. (CVE-2009-3620) Tomoki Sekiyama discovered that Unix sockets did not correctly verify namespaces. A local attacker could exploit this to cause a system hang, leading to a denial of service. (CVE-2009-3621) J. Bruce Fields discovered that NFSv4 did not correctly use the credential cache. A local attacker using a mount with AUTH_NULL authentication could exploit this to crash the system or gain root privileges. Only Ubuntu 9.10 was affected. (CVE-2009-3623) Alexander Zangerl discovered that the kernel keyring did not correctly reference count. A local attacker could issue a series of specially crafted keyring calls to crash the system or gain root privileges. Only Ubuntu 9.10 was affected. (CVE-2009-3624) David Wagner discovered that KVM did not correctly bounds-check CPUID entries. A local attacker could exploit this to crash the system or possibly gain elevated privileges. Ubuntu 6.06 and 9.10 were not affected. (CVE-2009-3638) Avi Kivity discovered that KVM did not correctly check privileges when accessing debug registers. A local attacker could exploit this to crash a host system from within a guest system, leading to a denial of service. Ubuntu 6.06 and 9.10 were not affected. (CVE-2009-3722) Philip Reisner discovered that the connector layer for uvesafb, pohmelfs, dst, and dm did not correctly check capabilties. A local attacker could exploit this to crash the system or gain elevated privileges. Ubuntu 6.06 was not affected. (CVE-2009-3725) Trond Myklebust discovered that NFSv4 clients did not robustly verify attributes. A malicious remote NFSv4 server could exploit this to crash a client or gain root privileges. Ubuntu 9.10 was not affected. (CVE-2009-3726) Robin Getz discovered that NOMMU systems did not correctly validate NULL pointers in do_mmap_pgoff calls. A local attacker could attempt to allocate large amounts of memory to crash the system, leading to a denial of service. Only Ubuntu 6.06 and 9.10 were affected. (CVE-2009-3888) Joseph Malicki discovered that the MegaRAID SAS driver had world-writable option files. A local attacker could exploit these to disrupt the behavior of the controller, leading to a denial of service. (CVE-2009-3889, CVE-2009-3939) Roel Kluin discovered that the Hisax ISDN driver did not correctly check the size of packets. A remote attacker could send specially crafted packets to cause a system crash, leading to a denial of service. (CVE-2009-4005) Lennert Buytenhek discovered that certain 802.11 states were not handled correctly. A physically-proximate remote attacker could send specially crafted wireless traffic that would crash the system, leading to a denial of service. Only Ubuntu 9.10 was affected. (CVE-2009-4026, CVE-2009-4027). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 43026 published 2009-12-07 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43026 title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : linux, linux-source-2.6.15 vulnerabilities (USN-864-1) NASL family SuSE Local Security Checks NASL id SUSE_11_1_KERNEL-091016.NASL description The openSUSE 11.1 Kernel was updated to 2.6.27.37 fixing various bugs and security issues. Following security issues were fixed: CVE-2009-2909: Unsigned check in the ax25 socket handler could allow local attackers to potentially crash the kernel or even execute code. CVE-2009-3002: Fixed various sockethandler getname leaks, which could disclose memory previously used by the kernel or other userland processes to the local attacker. CVE-2009-2910: A information leakage with upper 32bit register values on x86_64 systems was fixed. Various KVM stability and security fixes have also been added. last seen 2020-06-01 modified 2020-06-02 plugin id 42334 published 2009-11-02 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42334 title openSUSE Security Update : kernel (kernel-1415) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-6637.NASL description This update fixes various bugs and some security issues in the SUSE Linux Enterprise 10 SP 3 kernel. The following security issues were fixed: CVE-2009-3238: The get_random_int function in drivers/char/random.c in the Linux kernel produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the functions tendency to return the same value over and over again for long stretches of time. - The (1) agp_generic_alloc_page and (2) agp_generic_alloc_pages functions in drivers/char/agp/generic.c in the agp subsystem in the Linux kernel do not zero out pages that may later be available to a user-space process, which allows local users to obtain sensitive information by reading these pages. (CVE-2009-1192) - Unsigned check in the ax25 socket handler could allow local attackers to potentially crash the kernel or even execute code. (CVE-2009-2909) last seen 2020-06-01 modified 2020-06-02 plugin id 49867 published 2010-10-11 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/49867 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6637) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-6636.NASL description This update fixes a several security issues and various bugs in the SUSE Linux Enterprise 10 SP 2 kernel. The following security issues were fixed: CVE-2009-3547: A race condition during pipe open could be used by local attackers to elevate privileges. - On x86_64 systems a information leak of high register contents (upper 32bit) was fixed. (CVE-2009-2910) - The randomness of the ASLR methods used in the kernel was increased. (CVE-2009-3238) - A information leak from the kernel due to uninitialized memory in AGP handling was fixed. (CVE-2009-1192) - A signed comparison in the ax25 sockopt handler was fixed which could be used to crash the kernel or potentially execute code. (CVE-2009-2909) - The execve function in the Linux kernel did not properly clear the current->clear_child_tid pointer, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a clone system call with CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit. (CVE-2009-2848) - Fixed various sockethandler getname leaks, which could disclose memory previously used by the kernel or other userland processes to the local attacker. (CVE-2009-3002) - Multiple buffer overflows in the cifs subsystem in the Linux kernel allow remote CIFS servers to cause a denial of service (memory corruption) and possibly have unspecified other impact via (1) a malformed Unicode string, related to Unicode string area alignment in fs/cifs/sess.c; or (2) long Unicode characters, related to fs/cifs/cifssmb.c and the cifs_readdir function in fs/cifs/readdir.c. (CVE-2009-1633) Also see the RPM changelog for more changes. last seen 2020-06-01 modified 2020-06-02 plugin id 59140 published 2012-05-17 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59140 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6636) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-091015.NASL description The SUSE Linux Enterprise 11 Kernel was updated to 2.6.27.37 fixing various bugs and security issues. The following security issues were fixed : - Unsigned check in the ax25 socket handler could allow local attackers to potentially crash the kernel or even execute code. (CVE-2009-2909) - Fixed various sockethandler getname leaks, which could disclose memory previously used by the kernel or other userland processes to the local attacker. (CVE-2009-3002) - A information leakage with upper 32bit register values on x86_64 systems was fixed. (CVE-2009-2910) Various KVM stability and security fixes have also been added. last seen 2020-06-01 modified 2020-06-02 plugin id 42343 published 2009-11-03 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42343 title SuSE 11 Security Update : Linux kernel (SAT Patch Numbers 1410 / 1412 / 1413) NASL family Fedora Local Security Checks NASL id FEDORA_2009-10525.NASL description Update to kernel 2.6.27.37: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.36 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.37 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 42156 published 2009-10-16 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42156 title Fedora 10 : kernel-2.6.27.37-170.2.104.fc10 (2009-10525) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1915.NASL description Notice: Debian 5.0.4, the next point release of Debian last seen 2020-06-01 modified 2020-06-02 plugin id 44780 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44780 title Debian DSA-1915-1 : linux-2.6 - privilege escalation/denial of service/sensitive memory leak NASL family SuSE Local Security Checks NASL id SUSE9_12541.NASL description This update fixes various security issues and some bugs in the SUSE Linux Enterprise 9 kernel. The following security bugs were fixed : - A race condition in the pipe(2) systemcall could be used by local attackers to execute code. (CVE-2009-3547) - On x86_64 systems a information leak of high register contents (upper 32bit) was fixed. (CVE-2009-2910) - The (1) agp_generic_alloc_page and (2) agp_generic_alloc_pages functions in drivers/char/agp/generic.c in the agp subsystem in the Linux kernel do not zero out pages that may later be available to a user-space process, which allows local users to obtain sensitive information by reading these pages. (CVE-2009-1192) - Unsigned check in the ax25 socket handler could allow local attackers to potentially crash the kernel or even execute code. (CVE-2009-2909) - The execve function in the Linux kernel did not properly clear the current->clear_child_tid pointer, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a clone system call with CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit. (CVE-2009-2848) - Fixed various sockethandler getname leaks, which could disclose memory previously used by the kernel or other userland processes to the local attacker. (CVE-2009-3002) - Multiple buffer overflows in the cifs subsystem in the Linux kernel allow remote CIFS servers to cause a denial of service (memory corruption) and possibly have unspecified other impact via (1) a malformed Unicode string, related to Unicode string area alignment in fs/cifs/sess.c; or (2) long Unicode characters, related to fs/cifs/cifssmb.c and the cifs_readdir function in fs/cifs/readdir.c. (CVE-2009-1633) - The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in the allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a certain response containing incorrect file attributes, which trigger attempted use of an open file that lacks NFSv4 state. (CVE-2009-3726) last seen 2020-06-01 modified 2020-06-02 plugin id 42812 published 2009-11-16 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42812 title SuSE9 Security Update : Linux kernel (YOU Patch Number 12541)
Seebug
bulletinFamily | exploit |
description | CVE ID: CVE-2009-2909 Linux Kernel是开放源码操作系统Linux所使用的内核。 Linux Kernel ax25子系统的net/ax25/af_ax25.c文件中的ax25_setsockopt函数中存在整数符号错误,本地用户可以在SO_BINDTODEVICE操作中使用特制的optlen值触发栈溢出,导致拒绝服务的情况。 Linux kernel 2.6.x 厂商补丁: Linux ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commit;h=b7058842c940ad2c08dd829b21e5c92ebe3b8758 |
id | SSV:12510 |
last seen | 2017-11-19 |
modified | 2009-10-22 |
published | 2009-10-22 |
reporter | Root |
title | Linux Kernel ax25_setsockopt函数本地拒绝服务漏洞 |
Statements
contributor | Tomas Hoger |
lastmodified | 2009-10-22 |
organization | Red Hat |
statement | This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, or Red Hat Enterprise MRG, as the affected driver is not enabled in these kernels. The affected driver is available in Red Hat Enterprise Linux 3, but only if the kernel-unsupported package is installed. Future kernel update in Red Hat Enterprise Linux 3 may address this flaw. |
References
- http://article.gmane.org/gmane.linux.kernel/896907
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.31.2
- https://bugzilla.redhat.com/show_bug.cgi?id=528887
- http://marc.info/?l=oss-security&m=125494119617994&w=2
- http://secunia.com/advisories/37075
- https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00483.html
- http://www.securityfocus.com/bid/36635
- http://secunia.com/advisories/37351
- http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00007.html
- http://www.ubuntu.com/usn/usn-864-1
- http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git%3Ba=commit%3Bh=b7058842c940ad2c08dd829b21e5c92ebe3b8758