Vulnerabilities > CVE-2009-4027 - Race Condition vulnerability in Linux Kernel
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Race condition in the mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (system crash) via a Delete Block ACK (aka DELBA) packet that triggers a certain state change in the absence of an aggregation session.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0380.NASL description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes : * a race condition was found in the mac80211 implementation, a framework used for writing drivers for wireless devices. An attacker could trigger this flaw by sending a Delete Block ACK (DELBA) packet to a target system, resulting in a remote denial of service. Note: This issue only affected users on 802.11n networks, and that also use the iwlagn driver with Intel wireless hardware. (CVE-2009-4027, Important) * a use-after-free flaw was found in the tcp_rcv_state_process() function in the Linux kernel TCP/IP protocol suite implementation. If a system using IPv6 had the IPV6_RECVPKTINFO option set on a listening socket, a remote attacker could send an IPv6 packet to that system, causing a kernel panic (denial of service). (CVE-2010-1188, Important) * a flaw was found in the gfs2_lock() implementation. The GFS2 locking code could skip the lock operation for files that have the S_ISGID bit (set-group-ID on execution) in their mode set. A local, unprivileged user on a system that has a GFS2 file system mounted could use this flaw to cause a kernel panic (denial of service). (CVE-2010-0727, Moderate) * a divide-by-zero flaw was found in the ext4 file system code. A local attacker could use this flaw to cause a denial of service by mounting a specially crafted ext4 file system. (CVE-2009-4307, Low) Bug fixes : * if a program that calls posix_fadvise() were compiled on x86, and then run on a 64-bit system, that program could experience various problems, including performance issues and the call to posix_fadvise() failing, causing the program to not run as expected or even abort. With this update, when such programs attempt to call posix_fadvise() on 64-bit systems, sys32_fadvise64() is called instead, which resolves this issue. This update also fixes other 32-bit system calls that were mistakenly called on 64-bit systems (including systems running the kernel-xen kernel). (BZ#569597) * on some systems able to set a P-State limit via the BIOS, it was not possible to set the limit to a higher frequency if the system was rebooted while a low limit was set: last seen 2020-06-01 modified 2020-06-02 plugin id 63932 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/63932 title RHEL 5 : kernel (RHSA-2010:0380) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2010:0380. The text # itself is copyright (C) Red Hat, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(63932); script_version("1.17"); script_cvs_date("Date: 2019/10/25 13:36:15"); script_cve_id("CVE-2009-4027", "CVE-2009-4307", "CVE-2010-0727", "CVE-2010-1188"); script_bugtraq_id(37170, 39016, 39101); script_xref(name:"RHSA", value:"2010:0380"); script_name(english:"RHEL 5 : kernel (RHSA-2010:0380)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes : * a race condition was found in the mac80211 implementation, a framework used for writing drivers for wireless devices. An attacker could trigger this flaw by sending a Delete Block ACK (DELBA) packet to a target system, resulting in a remote denial of service. Note: This issue only affected users on 802.11n networks, and that also use the iwlagn driver with Intel wireless hardware. (CVE-2009-4027, Important) * a use-after-free flaw was found in the tcp_rcv_state_process() function in the Linux kernel TCP/IP protocol suite implementation. If a system using IPv6 had the IPV6_RECVPKTINFO option set on a listening socket, a remote attacker could send an IPv6 packet to that system, causing a kernel panic (denial of service). (CVE-2010-1188, Important) * a flaw was found in the gfs2_lock() implementation. The GFS2 locking code could skip the lock operation for files that have the S_ISGID bit (set-group-ID on execution) in their mode set. A local, unprivileged user on a system that has a GFS2 file system mounted could use this flaw to cause a kernel panic (denial of service). (CVE-2010-0727, Moderate) * a divide-by-zero flaw was found in the ext4 file system code. A local attacker could use this flaw to cause a denial of service by mounting a specially crafted ext4 file system. (CVE-2009-4307, Low) Bug fixes : * if a program that calls posix_fadvise() were compiled on x86, and then run on a 64-bit system, that program could experience various problems, including performance issues and the call to posix_fadvise() failing, causing the program to not run as expected or even abort. With this update, when such programs attempt to call posix_fadvise() on 64-bit systems, sys32_fadvise64() is called instead, which resolves this issue. This update also fixes other 32-bit system calls that were mistakenly called on 64-bit systems (including systems running the kernel-xen kernel). (BZ#569597) * on some systems able to set a P-State limit via the BIOS, it was not possible to set the limit to a higher frequency if the system was rebooted while a low limit was set: '/sys/devices/system/cpu/cpu[x]/cpufreq/scaling_max_freq' would retain the low limit in these situations. With this update, limits are correctly set, even after being changed after a system reboot. (BZ#569727) * certain Intel ICH hardware (using the e1000e driver) has an NFS filtering capability that did not work as expected, causing memory corruption, which could lead to kernel panics, or other unexpected behavior. In a reported case, a panic occurred when running NFS connection tests. This update resolves this issue by disabling the filtering capability. (BZ#569797) * if 'open(/proc/[PID]/[xxxx])' was called at the same time the process was exiting, the call would fail with an EINVAL error (an incorrect error for this situation). With this update, the correct error, ENOENT, is returned in this situation. (BZ#571362) * multiqueue is used for transmitting data, but a single queue transmit ON/OFF scheme was used. This led to a race condition on systems with the bnx2x driver in situations where one queue became full, but not stopped, and the other queue enabled transmission. With this update, only a single queue is used. (BZ#576951) * the '/proc/sys/vm/mmap_min_addr' tunable helps prevent unprivileged users from creating new memory mappings below the minimum address. The sysctl value for mmap_min_addr could be changed by a process or user that has an effective user ID (euid) of 0, even if the process or user does not have the CAP_SYS_RAWIO capability. This update adds a capability check for the CAP_SYS_RAWIO capability before allowing the mmap_min_addr value to be changed. (BZ#577206) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect." ); script_set_attribute( attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2009-4027.html" ); script_set_attribute( attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2009-4307.html" ); script_set_attribute( attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2010-0727.html" ); script_set_attribute( attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2010-1188.html" ); script_set_attribute( attribute:"see_also", value:"http://rhn.redhat.com/errata/RHSA-2010-0380.html" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(189, 362); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-PAE"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-PAE-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.4"); script_set_attribute(attribute:"patch_publication_date", value:"2010/04/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/24"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); flag = 0; if (rpm_check(release:"RHEL5", sp:"4", cpu:"i686", reference:"kernel-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"s390x", reference:"kernel-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"x86_64", reference:"kernel-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"i686", reference:"kernel-PAE-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"i686", reference:"kernel-PAE-devel-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"i686", reference:"kernel-debug-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"s390x", reference:"kernel-debug-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"x86_64", reference:"kernel-debug-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"i686", reference:"kernel-debug-devel-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"s390x", reference:"kernel-debug-devel-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"x86_64", reference:"kernel-debug-devel-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"i686", reference:"kernel-devel-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"s390x", reference:"kernel-devel-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"x86_64", reference:"kernel-devel-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", reference:"kernel-doc-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"i386", reference:"kernel-headers-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"s390x", reference:"kernel-headers-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"x86_64", reference:"kernel-headers-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"s390x", reference:"kernel-kdump-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"s390x", reference:"kernel-kdump-devel-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"i686", reference:"kernel-xen-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"x86_64", reference:"kernel-xen-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"i686", reference:"kernel-xen-devel-2.6.18-164.17.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"4", cpu:"x86_64", reference:"kernel-xen-devel-2.6.18-164.17.1.el5")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1996.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-3939 Joseph Malicki reported that the dbg_lvl sysfs attribute for the megaraid_sas device driver had world-writable permissions, permitting local users to modify logging settings. - CVE-2009-4027 Lennert Buytenhek reported a race in the mac80211 subsystem that may allow remote users to cause a denial of service (system crash) on a system connected to the same wireless network. - CVE-2009-4536 CVE-2009-4538 Fabian Yamaguchi reported issues in the e1000 and e1000e drivers for Intel gigabit network adapters which allow remote users to bypass packet filters using specially crafted ethernet frames. - CVE-2010-0003 Andi Kleen reported a defect which allows local users to gain read access to memory reachable by the kernel when the print-fatal-signals option is enabled. This option is disabled by default. - CVE-2010-0007 Florian Westphal reported a lack of capability checking in the ebtables netfilter subsystem. If the ebtables module is loaded, local users can add and modify ebtables rules. - CVE-2010-0291 Al Viro reported several issues with the mmap/mremap system calls that allow local users to cause a denial of service (system panic) or obtain elevated privileges. - CVE-2010-0298 & CVE-2010-0306 Gleb Natapov discovered issues in the KVM subsystem where missing permission checks (CPL/IOPL) permit a user in a guest system to denial of service a guest (system crash) or gain escalated privileges with the guest. - CVE-2010-0307 Mathias Krause reported an issue with the load_elf_binary code on the amd64 flavor kernels that allows local users to cause a denial of service (system crash). - CVE-2010-0309 Marcelo Tosatti fixed an issue in the PIT emulation code in the KVM subsystem that allows privileged users in a guest domain to cause a denial of service (crash) of the host system. - CVE-2010-0410 Sebastian Krahmer discovered an issue in the netlink connector subsystem that permits local users to allocate large amounts of system memory resulting in a denial of service (out of memory). - CVE-2010-0415 Ramon de Carvalho Valle discovered an issue in the sys_move_pages interface, limited to amd64, ia64 and powerpc64 flavors in Debian. Local users can exploit this issue to cause a denial of service (system crash) or gain access to sensitive kernel memory. last seen 2020-06-01 modified 2020-06-02 plugin id 44860 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44860 title Debian DSA-1996-1 : linux-2.6 - privilege escalation/denial of service/sensitive memory leak code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1996. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(44860); script_version("1.28"); script_cvs_date("Date: 2019/08/02 13:32:22"); script_cve_id("CVE-2009-3939", "CVE-2009-4027", "CVE-2009-4536", "CVE-2009-4538", "CVE-2010-0003", "CVE-2010-0007", "CVE-2010-0291", "CVE-2010-0298", "CVE-2010-0306", "CVE-2010-0307", "CVE-2010-0309", "CVE-2010-0410", "CVE-2010-0415"); script_bugtraq_id(37019, 37170, 37519, 37523, 37724, 37762, 37906, 38027, 38058, 38144); script_xref(name:"DSA", value:"1996"); script_name(english:"Debian DSA-1996-1 : linux-2.6 - privilege escalation/denial of service/sensitive memory leak"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-3939 Joseph Malicki reported that the dbg_lvl sysfs attribute for the megaraid_sas device driver had world-writable permissions, permitting local users to modify logging settings. - CVE-2009-4027 Lennert Buytenhek reported a race in the mac80211 subsystem that may allow remote users to cause a denial of service (system crash) on a system connected to the same wireless network. - CVE-2009-4536 CVE-2009-4538 Fabian Yamaguchi reported issues in the e1000 and e1000e drivers for Intel gigabit network adapters which allow remote users to bypass packet filters using specially crafted ethernet frames. - CVE-2010-0003 Andi Kleen reported a defect which allows local users to gain read access to memory reachable by the kernel when the print-fatal-signals option is enabled. This option is disabled by default. - CVE-2010-0007 Florian Westphal reported a lack of capability checking in the ebtables netfilter subsystem. If the ebtables module is loaded, local users can add and modify ebtables rules. - CVE-2010-0291 Al Viro reported several issues with the mmap/mremap system calls that allow local users to cause a denial of service (system panic) or obtain elevated privileges. - CVE-2010-0298 & CVE-2010-0306 Gleb Natapov discovered issues in the KVM subsystem where missing permission checks (CPL/IOPL) permit a user in a guest system to denial of service a guest (system crash) or gain escalated privileges with the guest. - CVE-2010-0307 Mathias Krause reported an issue with the load_elf_binary code on the amd64 flavor kernels that allows local users to cause a denial of service (system crash). - CVE-2010-0309 Marcelo Tosatti fixed an issue in the PIT emulation code in the KVM subsystem that allows privileged users in a guest domain to cause a denial of service (crash) of the host system. - CVE-2010-0410 Sebastian Krahmer discovered an issue in the netlink connector subsystem that permits local users to allocate large amounts of system memory resulting in a denial of service (out of memory). - CVE-2010-0415 Ramon de Carvalho Valle discovered an issue in the sys_move_pages interface, limited to amd64, ia64 and powerpc64 flavors in Debian. Local users can exploit this issue to cause a denial of service (system crash) or gain access to sensitive kernel memory." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2009-3939" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2009-4027" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2009-4536" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2009-4538" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2010-0003" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2010-0007" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2010-0291" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2010-0298" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2010-0306" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2010-0307" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2010-0309" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2010-0410" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2010-0415" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2010/dsa-1996" ); script_set_attribute( attribute:"solution", value: "Upgrade the linux-2.6 and user-mode-linux packages. For the stable distribution (lenny), this problem has been fixed in version 2.6.26-21lenny3. For the oldstable distribution (etch), these problems, where applicable, will be fixed in updates to linux-2.6 and linux-2.6.24. Note: Debian carefully tracks all known security issues across every linux kernel package in all releases under active security support. However, given the high frequency at which low-severity security issues are discovered in the kernel and the resource requirements of doing an update, updates for lower priority issues will normally not be released for all kernels at the same time. Rather, they will be released in a staggered or 'leap-frog' fashion. The following matrix lists additional source packages that were rebuilt for compatibility with or to take advantage of this update : stable/lenny user-mode-linux 2.6.26-1um-2+21lenny3" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(16, 189, 200, 264, 362, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-2.6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/16"); script_set_attribute(attribute:"patch_publication_date", value:"2010/02/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"5.0", prefix:"linux-doc-2.6.26", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-486", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-4kc-malta", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-5kc-malta", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-686", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-686-bigmem", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-alpha", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-amd64", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-arm", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-armel", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-hppa", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-i386", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-ia64", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-mips", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-mipsel", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-powerpc", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-s390", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-sparc", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-alpha-generic", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-alpha-legacy", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-alpha-smp", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-amd64", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-common", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-common-openvz", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-common-vserver", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-common-xen", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-footbridge", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-iop32x", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-itanium", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-ixp4xx", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-mckinley", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-openvz-686", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-openvz-amd64", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-orion5x", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-parisc", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-parisc-smp", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-parisc64", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-parisc64-smp", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-powerpc", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-powerpc-smp", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-powerpc64", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-r4k-ip22", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-r5k-cobalt", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-r5k-ip32", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-s390", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-s390x", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-sb1-bcm91250a", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-sb1a-bcm91480b", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-sparc64", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-sparc64-smp", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-versatile", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-686", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-686-bigmem", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-amd64", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-itanium", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-mckinley", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-powerpc", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-powerpc64", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-s390x", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-sparc64", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-xen-686", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-xen-amd64", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-486", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-4kc-malta", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-5kc-malta", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-686", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-686-bigmem", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-alpha-generic", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-alpha-legacy", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-alpha-smp", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-amd64", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-footbridge", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-iop32x", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-itanium", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-ixp4xx", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-mckinley", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-openvz-686", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-openvz-amd64", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-orion5x", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-parisc", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-parisc-smp", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-parisc64", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-parisc64-smp", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-powerpc", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-powerpc-smp", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-powerpc64", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-r4k-ip22", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-r5k-cobalt", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-r5k-ip32", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-s390", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-s390-tape", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-s390x", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-sb1-bcm91250a", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-sb1a-bcm91480b", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-sparc64", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-sparc64-smp", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-versatile", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-686", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-686-bigmem", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-amd64", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-itanium", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-mckinley", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-powerpc", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-powerpc64", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-s390x", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-sparc64", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-xen-686", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-xen-amd64", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-libc-dev", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-manual-2.6.26", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-modules-2.6.26-2-xen-686", reference:"2.6.26-21lenny2")) flag++; if (deb_check(release:"5.0", prefix:"linux-modules-2.6.26-2-xen-amd64", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-patch-debian-2.6.26", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-source-2.6.26", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"linux-support-2.6.26-2", reference:"2.6.26-21lenny3")) flag++; if (deb_check(release:"5.0", prefix:"linux-tree-2.6.26", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"xen-linux-system-2.6.26-2-xen-686", reference:"2.6.26-21lenny1")) flag++; if (deb_check(release:"5.0", prefix:"xen-linux-system-2.6.26-2-xen-amd64", reference:"2.6.26-21lenny2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id SUSE_11_2_KERNEL-091218.NASL description The Linux kernel for openSUSE 11.2 was updated to 2.6.31.8 to fix the following bugs and security issues : - A file overwrite issue on the ext4 filesystem could be used by local attackers that have write access to a filesystem to change/overwrite files of other users, including root. (CVE-2009-4131) - A remote denial of service by sending overly long packets could be used by remote attackers to crash a machine. (CVE-2009-1298) - The mac80211 subsystem in the Linux kernel allows remote attackers to cause a denial of service (panic) via a crafted Delete Block ACK (aka DELBA) packet, related to an erroneous last seen 2020-06-01 modified 2020-06-02 plugin id 43631 published 2010-01-05 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/43631 title SuSE 11.2 Security Update: kernel (2009-12-18) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Updates. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(43631); script_version("1.16"); script_cvs_date("Date: 2019/10/25 13:36:35"); script_cve_id( "CVE-2009-1298", "CVE-2009-3080", "CVE-2009-3547", "CVE-2009-3621", "CVE-2009-3624", "CVE-2009-3939", "CVE-2009-4005", "CVE-2009-4021", "CVE-2009-4026", "CVE-2009-4027", "CVE-2009-4131", "CVE-2009-4138", "CVE-2009-4306", "CVE-2009-4307", "CVE-2009-4308" ); script_bugtraq_id( 36723, 36793, 36901, 37019, 37036, 37068, 37069, 37170, 37231, 37277, 37339 ); script_name(english:"SuSE 11.2 Security Update: kernel (2009-12-18)"); script_summary(english:"Check for the kernel package."); script_set_attribute(attribute:"synopsis", value:"The remote openSUSE host is missing a security update."); script_set_attribute(attribute:"description", value: "The Linux kernel for openSUSE 11.2 was updated to 2.6.31.8 to fix the following bugs and security issues : - A file overwrite issue on the ext4 filesystem could be used by local attackers that have write access to a filesystem to change/overwrite files of other users, including root. (CVE-2009-4131) - A remote denial of service by sending overly long packets could be used by remote attackers to crash a machine. (CVE-2009-1298) - The mac80211 subsystem in the Linux kernel allows remote attackers to cause a denial of service (panic) via a crafted Delete Block ACK (aka DELBA) packet, related to an erroneous 'code shuffling patch.' (CVE-2009-4026) - Race condition in the mac80211 subsystem in the Linux kernel allows remote attackers to cause a denial of service (system crash) via a Delete Block ACK (aka DELBA) packet that triggers a certain state change in the absence of an aggregation session. (CVE-2009-4027) - The poll_mode_io file for the megaraid_sas driver in the Linux kernel has world-writable permissions, which allows local users to change the I/O mode of the driver by modifying this file. (CVE-2009-3939) - The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the Linux kernel allows attackers to have an unspecified impact via a crafted HDLC packet that arrives over ISDN and triggers a buffer under-read. This requires the attacker to access the machine on ISDN protocol level. (CVE-2009-4005) - Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request. (CVE-2009-3080) - The get_instantiation_keyring function in security/keys/keyctl.c in the KEYS subsystem in the Linux kernel does not properly maintain the reference count of a keyring, which allows local users to gain privileges or cause a denial of service (OOPS) via vectors involving calls to this function without specifying a keyring by ID, as demonstrated by a series of keyctl request2 and keyctl list commands. (CVE-2009-3624) - The fuse_direct_io function in fs/fuse/file.c in the fuse subsystem in the Linux kernel might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors possibly related to a memory-consumption attack. (CVE-2009-4021) - Multiple race conditions in fs/pipe.c in the Linux kernel allow local users to cause a denial of service (NULL pointer dereference and system crash) or gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname. As openSUSE 11.2 by default sets mmap_min_addr protection, this issue will just Oops the kernel and not be able to execute code. (CVE-2009-3547) - net/unix/af_unix.c in the Linux kernel allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket. (CVE-2009-3621) - drivers/firewire/ohci.c in the Linux kernel when packet-per-buffer mode is used, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unknown other impact via an unspecified ioctl associated with receiving an ISO packet that contains zero in the payload-length field. (CVE-2009-4138) - The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal. (CVE-2009-4308) - The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel allows user-assisted remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value). (CVE-2009-4307) - Unspecified vulnerability in the EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the ext4 filesystem in the Linux kernel allows local users to cause a denial of service (filesystem corruption) via unknown vectors, a different vulnerability than CVE-2009-4131. (CVE-2009-4306) - The EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the ext4 filesystem in the Linux kernel allows local users to overwrite arbitrary files via a crafted request, related to insufficient checks for file permissions. This can lead to privilege escalations. (CVE-2009-4131) - The rt2870 and rt2860 drivers were refreshed to the level they are in the Linux 2.6.32 kernel, bringing new device support and new functionality."); # http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00000.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9d661785"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=472410"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=498708"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=522790"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=523487"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=533555"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=533677"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=537081"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=539010"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=540589"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=540997"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=543407"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=543704"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=544779"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=546491"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=547357"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=548010"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=548728"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=549030"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=550787"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=551664"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=552033"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=552154"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=552492"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=556564"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=556568"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=556899"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=557180"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=557403"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=557668"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=557683"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=557760"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=558267"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=559062"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=559132"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=559680"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=560697"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=561018"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=561235"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=564712"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=559680"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=541736"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=561018"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=564382"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=564381"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=564380"); script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=561018"); script_set_attribute(attribute:"solution", value:"Update the affected kernel packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(119, 189, 264, 310, 362, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-desktop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-desktop-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-desktop-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-pae-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-pae-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-syms"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-trace"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-trace-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-trace-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:preload-kmp-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:preload-kmp-desktop"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.2"); script_set_attribute(attribute:"patch_publication_date", value:"2009/12/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.2", reference:"kernel-debug-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-debug-base-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-debug-devel-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-default-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-default-base-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-default-devel-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-desktop-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-desktop-base-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-desktop-devel-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-pae-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-pae-base-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-pae-devel-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-syms-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-trace-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-trace-base-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-trace-devel-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-vanilla-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-vanilla-base-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-vanilla-devel-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-xen-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-xen-base-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-xen-devel-2.6.31.8-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"preload-kmp-default-1.1_2.6.31.8_0.1-6.9.3") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"preload-kmp-desktop-1.1_2.6.31.8_0.1-6.9.3") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-debug / kernel-debug-base / kernel-debug-devel / etc"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0178.NASL description Updated kernel packages that fix three security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 5. This is the fifth regular update. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * a race condition was found in the mac80211 implementation, a framework used for writing drivers for wireless devices. An attacker could trigger this flaw by sending a Delete Block ACK (DELBA) packet to a target system, resulting in a remote denial of service. Note: This issue only affected users on 802.11n networks, and that also use the iwlagn driver with Intel wireless hardware. (CVE-2009-4027, Important) * a flaw was found in the gfs2_lock() implementation. The GFS2 locking code could skip the lock operation for files that have the S_ISGID bit (set-group-ID on execution) in their mode set. A local, unprivileged user on a system that has a GFS2 file system mounted could use this flaw to cause a kernel panic. (CVE-2010-0727, Moderate) * a divide-by-zero flaw was found in the ext4 file system code. A local attacker could use this flaw to cause a denial of service by mounting a specially crafted ext4 file system. (CVE-2009-4307, Low) These updated packages also include several hundred bug fixes for and enhancements to the Linux kernel. Space precludes documenting each of these changes in this advisory and users are directed to the Red Hat Enterprise Linux 5.5 Release Notes for information on the most significant of these changes : http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.5/html/ Release_Notes/ Also, for details concerning every bug fixed in and every enhancement added to the kernel for this release, refer to the kernel chapter in the Red Hat Enterprise Linux 5.5 Technical Notes : http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.5/html/ Technical_Notes/kernel.html All Red Hat Enterprise Linux 5 users are advised to install these updated packages, which address these vulnerabilities as well as fixing the bugs and adding the enhancements noted in the Red Hat Enterprise Linux 5.5 Release Notes and Technical Notes. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 46282 published 2010-05-11 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/46282 title RHEL 5 : kernel (RHSA-2010:0178) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2010:0178. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(46282); script_version ("1.33"); script_cvs_date("Date: 2019/10/25 13:36:15"); script_cve_id("CVE-2007-6733", "CVE-2009-4026", "CVE-2009-4027", "CVE-2009-4307", "CVE-2010-0727", "CVE-2010-1188"); script_bugtraq_id(37170); script_xref(name:"RHSA", value:"2010:0178"); script_name(english:"RHEL 5 : kernel (RHSA-2010:0178)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kernel packages that fix three security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 5. This is the fifth regular update. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * a race condition was found in the mac80211 implementation, a framework used for writing drivers for wireless devices. An attacker could trigger this flaw by sending a Delete Block ACK (DELBA) packet to a target system, resulting in a remote denial of service. Note: This issue only affected users on 802.11n networks, and that also use the iwlagn driver with Intel wireless hardware. (CVE-2009-4027, Important) * a flaw was found in the gfs2_lock() implementation. The GFS2 locking code could skip the lock operation for files that have the S_ISGID bit (set-group-ID on execution) in their mode set. A local, unprivileged user on a system that has a GFS2 file system mounted could use this flaw to cause a kernel panic. (CVE-2010-0727, Moderate) * a divide-by-zero flaw was found in the ext4 file system code. A local attacker could use this flaw to cause a denial of service by mounting a specially crafted ext4 file system. (CVE-2009-4307, Low) These updated packages also include several hundred bug fixes for and enhancements to the Linux kernel. Space precludes documenting each of these changes in this advisory and users are directed to the Red Hat Enterprise Linux 5.5 Release Notes for information on the most significant of these changes : http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.5/html/ Release_Notes/ Also, for details concerning every bug fixed in and every enhancement added to the kernel for this release, refer to the kernel chapter in the Red Hat Enterprise Linux 5.5 Technical Notes : http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.5/html/ Technical_Notes/kernel.html All Red Hat Enterprise Linux 5 users are advised to install these updated packages, which address these vulnerabilities as well as fixing the bugs and adding the enhancements noted in the Red Hat Enterprise Linux 5.5 Release Notes and Technical Notes. The system must be rebooted for this update to take effect." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2009-4027" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2009-4307" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2010-0727" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2010-1188" ); # http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.5/html/ script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/documentation/en-us/" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2010:0178" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(189, 362); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-PAE"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-PAE-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/12/02"); script_set_attribute(attribute:"patch_publication_date", value:"2010/03/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/05/11"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2007-6733", "CVE-2009-4026", "CVE-2009-4027", "CVE-2009-4307", "CVE-2010-0727", "CVE-2010-1188"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2010:0178"); } else { __rpm_report = ksplice_reporting_text(); } } yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2010:0178"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-PAE-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-PAE-devel-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-debug-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-debug-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-debug-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-debug-devel-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-debug-devel-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-debug-devel-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-devel-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-devel-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-devel-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"kernel-doc-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"kernel-headers-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-headers-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-headers-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-kdump-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-kdump-devel-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-xen-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-xen-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-xen-devel-2.6.18-194.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-xen-devel-2.6.18-194.el5")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-PAE / kernel-PAE-devel / kernel-debug / etc"); } }NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-864-1.NASL description It was discovered that the AX.25 network subsystem did not correctly check integer signedness in certain setsockopt calls. A local attacker could exploit this to crash the system, leading to a denial of service. Ubuntu 9.10 was not affected. (CVE-2009-2909) Jan Beulich discovered that the kernel could leak register contents to 32-bit processes that were switched to 64-bit mode. A local attacker could run a specially crafted binary to read register values from an earlier process, leading to a loss of privacy. (CVE-2009-2910) Dave Jones discovered that the gdth SCSI driver did not correctly validate array indexes in certain ioctl calls. A local attacker could exploit this to crash the system or gain elevated privileges. (CVE-2009-3080) Eric Dumazet and Jiri Pirko discovered that the TC and CLS subsystems would leak kernel memory via uninitialized structure members. A local attacker could exploit this to read several bytes of kernel memory, leading to a loss of privacy. (CVE-2009-3228, CVE-2009-3612) Earl Chew discovered race conditions in pipe handling. A local attacker could exploit anonymous pipes via /proc/*/fd/ and crash the system or gain root privileges. (CVE-2009-3547) Dave Jones and Francois Romieu discovered that the r8169 network driver could be made to leak kernel memory. A remote attacker could send a large number of jumbo frames until the system memory was exhausted, leading to a denial of service. Ubuntu 9.10 was not affected. (CVE-2009-3613). Ben Hutchings discovered that the ATI Rage 128 video driver did not correctly validate initialization states. A local attacker could make specially crafted ioctl calls to crash the system or gain root privileges. (CVE-2009-3620) Tomoki Sekiyama discovered that Unix sockets did not correctly verify namespaces. A local attacker could exploit this to cause a system hang, leading to a denial of service. (CVE-2009-3621) J. Bruce Fields discovered that NFSv4 did not correctly use the credential cache. A local attacker using a mount with AUTH_NULL authentication could exploit this to crash the system or gain root privileges. Only Ubuntu 9.10 was affected. (CVE-2009-3623) Alexander Zangerl discovered that the kernel keyring did not correctly reference count. A local attacker could issue a series of specially crafted keyring calls to crash the system or gain root privileges. Only Ubuntu 9.10 was affected. (CVE-2009-3624) David Wagner discovered that KVM did not correctly bounds-check CPUID entries. A local attacker could exploit this to crash the system or possibly gain elevated privileges. Ubuntu 6.06 and 9.10 were not affected. (CVE-2009-3638) Avi Kivity discovered that KVM did not correctly check privileges when accessing debug registers. A local attacker could exploit this to crash a host system from within a guest system, leading to a denial of service. Ubuntu 6.06 and 9.10 were not affected. (CVE-2009-3722) Philip Reisner discovered that the connector layer for uvesafb, pohmelfs, dst, and dm did not correctly check capabilties. A local attacker could exploit this to crash the system or gain elevated privileges. Ubuntu 6.06 was not affected. (CVE-2009-3725) Trond Myklebust discovered that NFSv4 clients did not robustly verify attributes. A malicious remote NFSv4 server could exploit this to crash a client or gain root privileges. Ubuntu 9.10 was not affected. (CVE-2009-3726) Robin Getz discovered that NOMMU systems did not correctly validate NULL pointers in do_mmap_pgoff calls. A local attacker could attempt to allocate large amounts of memory to crash the system, leading to a denial of service. Only Ubuntu 6.06 and 9.10 were affected. (CVE-2009-3888) Joseph Malicki discovered that the MegaRAID SAS driver had world-writable option files. A local attacker could exploit these to disrupt the behavior of the controller, leading to a denial of service. (CVE-2009-3889, CVE-2009-3939) Roel Kluin discovered that the Hisax ISDN driver did not correctly check the size of packets. A remote attacker could send specially crafted packets to cause a system crash, leading to a denial of service. (CVE-2009-4005) Lennert Buytenhek discovered that certain 802.11 states were not handled correctly. A physically-proximate remote attacker could send specially crafted wireless traffic that would crash the system, leading to a denial of service. Only Ubuntu 9.10 was affected. (CVE-2009-4026, CVE-2009-4027). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 43026 published 2009-12-07 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43026 title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : linux, linux-source-2.6.15 vulnerabilities (USN-864-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-864-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(43026); script_version("1.33"); script_cvs_date("Date: 2019/08/02 13:33:02"); script_cve_id("CVE-2009-2909", "CVE-2009-2910", "CVE-2009-3080", "CVE-2009-3228", "CVE-2009-3547", "CVE-2009-3612", "CVE-2009-3613", "CVE-2009-3620", "CVE-2009-3621", "CVE-2009-3623", "CVE-2009-3624", "CVE-2009-3638", "CVE-2009-3722", "CVE-2009-3725", "CVE-2009-3726", "CVE-2009-3888", "CVE-2009-3889", "CVE-2009-3939", "CVE-2009-4005", "CVE-2009-4026", "CVE-2009-4027"); script_bugtraq_id(36304, 36576, 36635, 36706, 36723, 36793, 36803, 36824, 36827, 36901, 36936, 37019, 37036, 37068, 37170, 37221); script_xref(name:"USN", value:"864-1"); script_name(english:"Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : linux, linux-source-2.6.15 vulnerabilities (USN-864-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "It was discovered that the AX.25 network subsystem did not correctly check integer signedness in certain setsockopt calls. A local attacker could exploit this to crash the system, leading to a denial of service. Ubuntu 9.10 was not affected. (CVE-2009-2909) Jan Beulich discovered that the kernel could leak register contents to 32-bit processes that were switched to 64-bit mode. A local attacker could run a specially crafted binary to read register values from an earlier process, leading to a loss of privacy. (CVE-2009-2910) Dave Jones discovered that the gdth SCSI driver did not correctly validate array indexes in certain ioctl calls. A local attacker could exploit this to crash the system or gain elevated privileges. (CVE-2009-3080) Eric Dumazet and Jiri Pirko discovered that the TC and CLS subsystems would leak kernel memory via uninitialized structure members. A local attacker could exploit this to read several bytes of kernel memory, leading to a loss of privacy. (CVE-2009-3228, CVE-2009-3612) Earl Chew discovered race conditions in pipe handling. A local attacker could exploit anonymous pipes via /proc/*/fd/ and crash the system or gain root privileges. (CVE-2009-3547) Dave Jones and Francois Romieu discovered that the r8169 network driver could be made to leak kernel memory. A remote attacker could send a large number of jumbo frames until the system memory was exhausted, leading to a denial of service. Ubuntu 9.10 was not affected. (CVE-2009-3613). Ben Hutchings discovered that the ATI Rage 128 video driver did not correctly validate initialization states. A local attacker could make specially crafted ioctl calls to crash the system or gain root privileges. (CVE-2009-3620) Tomoki Sekiyama discovered that Unix sockets did not correctly verify namespaces. A local attacker could exploit this to cause a system hang, leading to a denial of service. (CVE-2009-3621) J. Bruce Fields discovered that NFSv4 did not correctly use the credential cache. A local attacker using a mount with AUTH_NULL authentication could exploit this to crash the system or gain root privileges. Only Ubuntu 9.10 was affected. (CVE-2009-3623) Alexander Zangerl discovered that the kernel keyring did not correctly reference count. A local attacker could issue a series of specially crafted keyring calls to crash the system or gain root privileges. Only Ubuntu 9.10 was affected. (CVE-2009-3624) David Wagner discovered that KVM did not correctly bounds-check CPUID entries. A local attacker could exploit this to crash the system or possibly gain elevated privileges. Ubuntu 6.06 and 9.10 were not affected. (CVE-2009-3638) Avi Kivity discovered that KVM did not correctly check privileges when accessing debug registers. A local attacker could exploit this to crash a host system from within a guest system, leading to a denial of service. Ubuntu 6.06 and 9.10 were not affected. (CVE-2009-3722) Philip Reisner discovered that the connector layer for uvesafb, pohmelfs, dst, and dm did not correctly check capabilties. A local attacker could exploit this to crash the system or gain elevated privileges. Ubuntu 6.06 was not affected. (CVE-2009-3725) Trond Myklebust discovered that NFSv4 clients did not robustly verify attributes. A malicious remote NFSv4 server could exploit this to crash a client or gain root privileges. Ubuntu 9.10 was not affected. (CVE-2009-3726) Robin Getz discovered that NOMMU systems did not correctly validate NULL pointers in do_mmap_pgoff calls. A local attacker could attempt to allocate large amounts of memory to crash the system, leading to a denial of service. Only Ubuntu 6.06 and 9.10 were affected. (CVE-2009-3888) Joseph Malicki discovered that the MegaRAID SAS driver had world-writable option files. A local attacker could exploit these to disrupt the behavior of the controller, leading to a denial of service. (CVE-2009-3889, CVE-2009-3939) Roel Kluin discovered that the Hisax ISDN driver did not correctly check the size of packets. A remote attacker could send specially crafted packets to cause a system crash, leading to a denial of service. (CVE-2009-4005) Lennert Buytenhek discovered that certain 802.11 states were not handled correctly. A physically-proximate remote attacker could send specially crafted wireless traffic that would crash the system, leading to a denial of service. Only Ubuntu 9.10 was affected. (CVE-2009-4026, CVE-2009-4027). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/864-1/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(20, 119, 189, 200, 264, 287, 310, 362, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.15"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.24"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.27"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.28"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-k8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-xeon"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-openvz"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-rt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-virtual"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-k8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-xeon"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpia"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpiacompat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-openvz"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-rt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-versatile"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-virtual"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-libc-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.15"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.24"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.27"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.28"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.31"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/10/19"); script_set_attribute(attribute:"patch_publication_date", value:"2009/12/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/07"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("ksplice.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(6\.06|8\.04|8\.10|9\.04|9\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 8.04 / 8.10 / 9.04 / 9.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2009-2909", "CVE-2009-2910", "CVE-2009-3080", "CVE-2009-3228", "CVE-2009-3547", "CVE-2009-3612", "CVE-2009-3613", "CVE-2009-3620", "CVE-2009-3621", "CVE-2009-3623", "CVE-2009-3624", "CVE-2009-3638", "CVE-2009-3722", "CVE-2009-3725", "CVE-2009-3726", "CVE-2009-3888", "CVE-2009-3889", "CVE-2009-3939", "CVE-2009-4005", "CVE-2009-4026", "CVE-2009-4027"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-864-1"); } else { _ubuntu_report = ksplice_reporting_text(); } } flag = 0; if (ubuntu_check(osver:"6.06", pkgname:"linux-doc-2.6.15", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-55", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-55-386", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-55-686", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-55-amd64-generic", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-55-amd64-k8", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-55-amd64-server", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-55-amd64-xeon", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-55-server", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-55-386", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-55-686", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-55-amd64-generic", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-55-amd64-k8", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-55-amd64-server", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-55-amd64-xeon", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-55-server", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-kernel-devel", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"linux-source-2.6.15", pkgver:"2.6.15-55.81")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-doc-2.6.24", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-26", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-26-386", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-26-generic", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-26-openvz", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-26-rt", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-26-server", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-26-virtual", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-26-xen", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-26-386", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-26-generic", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-26-lpia", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-26-lpiacompat", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-26-openvz", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-26-rt", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-26-server", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-26-virtual", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-26-xen", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-image-debug-2.6.24-26-386", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-image-debug-2.6.24-26-generic", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-image-debug-2.6.24-26-server", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-image-debug-2.6.24-26-virtual", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-kernel-devel", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-libc-dev", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"linux-source-2.6.24", pkgver:"2.6.24-26.64")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"linux-doc-2.6.27", pkgver:"2.6.27-16.44")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"linux-headers-2.6.27-16", pkgver:"2.6.27-16.44")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"linux-headers-2.6.27-16-generic", pkgver:"2.6.27-16.44")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"linux-headers-2.6.27-16-server", pkgver:"2.6.27-16.44")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"linux-image-2.6.27-16-generic", pkgver:"2.6.27-16.44")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"linux-image-2.6.27-16-server", pkgver:"2.6.27-16.44")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"linux-image-2.6.27-16-virtual", pkgver:"2.6.27-16.44")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"linux-libc-dev", pkgver:"2.6.27-16.44")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"linux-source-2.6.27", pkgver:"2.6.27-16.44")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"linux-doc-2.6.28", pkgver:"2.6.28-17.58")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"linux-headers-2.6.28-17", pkgver:"2.6.28-17.58")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"linux-headers-2.6.28-17-generic", pkgver:"2.6.28-17.58")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"linux-headers-2.6.28-17-server", pkgver:"2.6.28-17.58")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"linux-image-2.6.28-17-generic", pkgver:"2.6.28-17.58")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"linux-image-2.6.28-17-lpia", pkgver:"2.6.28-17.58")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"linux-image-2.6.28-17-server", pkgver:"2.6.28-17.58")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"linux-image-2.6.28-17-versatile", pkgver:"2.6.28-17.58")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"linux-image-2.6.28-17-virtual", pkgver:"2.6.28-17.58")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"linux-libc-dev", pkgver:"2.6.28-17.58")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"linux-source-2.6.28", pkgver:"2.6.28-17.58")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"linux-doc", pkgver:"2.6.31-16.52")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"linux-headers-2.6.31-16", pkgver:"2.6.31-16.52")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"linux-headers-2.6.31-16-386", pkgver:"2.6.31-16.52")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"linux-headers-2.6.31-16-generic", pkgver:"2.6.31-16.52")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"linux-headers-2.6.31-16-generic-pae", pkgver:"2.6.31-16.52")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"linux-headers-2.6.31-16-server", pkgver:"2.6.31-16.52")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"linux-image-2.6.31-16-386", pkgver:"2.6.31-16.52")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"linux-image-2.6.31-16-generic", pkgver:"2.6.31-16.52")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"linux-image-2.6.31-16-generic-pae", pkgver:"2.6.31-16.52")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"linux-image-2.6.31-16-lpia", pkgver:"2.6.31-16.52")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"linux-image-2.6.31-16-server", pkgver:"2.6.31-16.52")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"linux-image-2.6.31-16-virtual", pkgver:"2.6.31-16.52")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"linux-libc-dev", pkgver:"2.6.31-16.52")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"linux-source-2.6.31", pkgver:"2.6.31-16.52")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-doc / linux-doc-2.6.15 / linux-doc-2.6.24 / linux-doc-2.6.27 / etc"); }
Oval
| accepted | 2013-04-29T04:14:49.245-04:00 | ||||||||||||
| class | vulnerability | ||||||||||||
| contributors |
| ||||||||||||
| definition_extensions |
| ||||||||||||
| description | Race condition in the mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (system crash) via a Delete Block ACK (aka DELBA) packet that triggers a certain state change in the absence of an aggregation session. | ||||||||||||
| family | unix | ||||||||||||
| id | oval:org.mitre.oval:def:11583 | ||||||||||||
| status | accepted | ||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
| title | Race condition in the mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (system crash) via a Delete Block ACK (aka DELBA) packet that triggers a certain state change in the absence of an aggregation session. | ||||||||||||
| version | 18 |
Redhat
| advisories |
| ||||
| rpms |
|
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 37170 CVE(CAN) ID: CVE-2009-4026,CVE-2009-4027 Linux Kernel是开放源码操作系统Linux所使用的内核。 远程攻击者可以通过向Linux Kernel的mac80211子系统发送特制Delete Block ACK(DELBA)报文触发竞争条件等错误,导致拒绝服务的情况。 Linux kernel 2.6.x 厂商补丁: Linux ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=827d42c9ac91ddd728e4f4a31fefb906ef2ceff7 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=4253119acf412fd686ef4bd8749b5a4d70ea3a51 |
| id | SSV:15026 |
| last seen | 2017-11-19 |
| modified | 2009-12-04 |
| published | 2009-12-04 |
| reporter | Root |
| title | Linux Kernel net/mac80211/子系统远程拒绝服务漏洞 |
Statements
| contributor | Tomas Hoger |
| lastmodified | 2009-12-03 |
| organization | Red Hat |
| statement | Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-4027. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4 as they do not have support for the mac80211 framework. It did not affect the version of the Linux kernel as shipped with Red Hat Enterprise MRG as they do not include the upstream patch that introduced this vulnerability. A future update will address this flaw in Red Hat Enterprise Linux 5. |
References
- http://www.kernel.org/pub/linux/kernel/v2.6/next/patch-v2.6.32-rc8-next-20091201.gz
- https://bugzilla.redhat.com/show_bug.cgi?id=541149
- http://www.securityfocus.com/bid/37170
- http://secunia.com/advisories/38017
- http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00000.html
- http://www.debian.org/security/2010/dsa-1996
- http://secunia.com/advisories/38492
- http://www.ubuntu.com/usn/usn-864-1
- http://www.redhat.com/support/errata/RHSA-2010-0380.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11583
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=827d42c9ac91ddd728e4f4a31fefb906ef2ceff7