Vulnerabilities > CVE-2010-3081 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
The compat_alloc_user_space functions in include/asm/compat.h files in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do not properly allocate the userspace memory required for the 32-bit compatibility layer, which allows local users to gain privileges by leveraging the ability of the compat_mc_getsockopt function (aka the MCAST_MSFILTER getsockopt support) to control a certain length value, related to a "stack pointer underflow" issue, as exploited in the wild in September 2010.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
description | Linux Kernel 2.6.27+ x86_64 compat exploit. CVE-2010-3081. Local exploit for linux platform |
id | EDB-ID:15024 |
last seen | 2016-02-01 |
modified | 2010-09-16 |
published | 2010-09-16 |
reporter | Ac1dB1tCh3z |
source | https://www.exploit-db.com/download/15024/ |
title | Linux Kernel 2.6.27 < 2.6.36 - x86_64 compat Local Root Exploit |
Nessus
NASL family Scientific Linux Local Security Checks NASL id SL_20101110_KERNEL_ON_SL6_X.NASL description This update fixes the following security issues : - Missing sanity checks in the Intel i915 driver in the Linux kernel could allow a local, unprivileged user to escalate their privileges. (CVE-2010-2962, Important) - compat_alloc_user_space() in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) - A buffer overflow flaw in niu_get_ethtool_tcam_all() in the niu Ethernet driver in the Linux kernel, could allow a local user to cause a denial of service or escalate their privileges. (CVE-2010-3084, Important) - A flaw in the IA32 system call emulation provided in 64-bit Linux kernels could allow a local user to escalate their privileges. (CVE-2010-3301, Important) - A flaw in sctp_packet_config() in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 60893 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60893 title Scientific Linux Security Update : kernel on SL6.x i386/x86_64 code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(60893); script_version("1.12"); script_cvs_date("Date: 2019/10/25 13:36:19"); script_cve_id("CVE-2010-2803", "CVE-2010-2955", "CVE-2010-2962", "CVE-2010-3079", "CVE-2010-3081", "CVE-2010-3084", "CVE-2010-3301", "CVE-2010-3432", "CVE-2010-3437", "CVE-2010-3442", "CVE-2010-3698", "CVE-2010-3705", "CVE-2010-3904"); script_name(english:"Scientific Linux Security Update : kernel on SL6.x i386/x86_64"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update fixes the following security issues : - Missing sanity checks in the Intel i915 driver in the Linux kernel could allow a local, unprivileged user to escalate their privileges. (CVE-2010-2962, Important) - compat_alloc_user_space() in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) - A buffer overflow flaw in niu_get_ethtool_tcam_all() in the niu Ethernet driver in the Linux kernel, could allow a local user to cause a denial of service or escalate their privileges. (CVE-2010-3084, Important) - A flaw in the IA32 system call emulation provided in 64-bit Linux kernels could allow a local user to escalate their privileges. (CVE-2010-3301, Important) - A flaw in sctp_packet_config() in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service. (CVE-2010-3432, Important) - A missing integer overflow check in snd_ctl_new() in the Linux kernel's sound subsystem could allow a local, unprivileged user on a 32-bit system to cause a denial of service or escalate their privileges. (CVE-2010-3442, Important) - A flaw was found in sctp_auth_asoc_get_hmac() in the Linux kernel's SCTP implementation. When iterating through the hmac_ids array, it did not reset the last id element if it was out of range. This could allow a remote attacker to cause a denial of service. (CVE-2010-3705, Important) - A function in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation was missing sanity checks, which could allow a local, unprivileged user to escalate their privileges. (CVE-2010-3904, Important) - A flaw in drm_ioctl() in the Linux kernel's Direct Rendering Manager (DRM) implementation could allow a local, unprivileged user to cause an information leak. (CVE-2010-2803, Moderate) - It was found that wireless drivers might not always clear allocated buffers when handling a driver-specific IOCTL information request. A local user could trigger this flaw to cause an information leak. (CVE-2010-2955, Moderate) - A NULL pointer dereference flaw in ftrace_regex_lseek() in the Linux kernel's ftrace implementation could allow a local, unprivileged user to cause a denial of service. Note: The debugfs file system must be mounted locally to exploit this issue. It is not mounted by default. (CVE-2010-3079, Moderate) - A flaw in the Linux kernel's packet writing driver could be triggered via the PKT_CTRL_CMD_STATUS IOCTL request, possibly allowing a local, unprivileged user with access to '/dev/pktcdvd/control' to cause an information leak. Note: By default, only users in the cdrom group have access to '/dev/pktcdvd/control'. (CVE-2010-3437, Moderate) - A flaw was found in the way KVM (Kernel-based Virtual Machine) handled the reloading of fs and gs segment registers when they had invalid selectors. A privileged host user with access to '/dev/kvm' could use this flaw to crash the host. (CVE-2010-3698, Moderate) This update also fixes several bugs. The system must be rebooted for this update to take effect." ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1103&L=scientific-linux-errata&T=0&P=969 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?0e931e2a" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2010/09/08"); script_set_attribute(attribute:"patch_publication_date", value:"2010/11/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL6", reference:"kernel-2.6.32-71.7.1.el6")) flag++; if (rpm_check(release:"SL6", reference:"kernel-debug-2.6.32-71.7.1.el6")) flag++; if (rpm_check(release:"SL6", reference:"kernel-debug-devel-2.6.32-71.7.1.el6")) flag++; if (rpm_check(release:"SL6", reference:"kernel-devel-2.6.32-71.7.1.el6")) flag++; if (rpm_check(release:"SL6", reference:"kernel-doc-2.6.32-71.7.1.el6")) flag++; if (rpm_check(release:"SL6", reference:"kernel-firmware-2.6.32-71.7.1.el6")) flag++; if (rpm_check(release:"SL6", reference:"kernel-headers-2.6.32-71.7.1.el6")) flag++; if (rpm_check(release:"SL6", reference:"perf-2.6.32-71.7.1.el6")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2010-0704.NASL description Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * The compat_alloc_user_space() function in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) Red Hat would like to thank Ben Hawkes for reporting this issue. Red Hat is aware that a public exploit for this issue is available. Refer to Knowledgebase article DOC-40265 for further details: https://access.redhat.com/kb/docs/DOC-40265 Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 49634 published 2010-09-22 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/49634 title CentOS 5 : kernel (CESA-2010:0704) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2010:0704 and # CentOS Errata and Security Advisory 2010:0704 respectively. # include("compat.inc"); if (description) { script_id(49634); script_version("1.28"); script_cvs_date("Date: 2019/10/25 13:36:05"); script_cve_id("CVE-2010-3081", "CVE-2010-3301"); script_bugtraq_id(43239); script_xref(name:"RHSA", value:"2010:0704"); script_name(english:"CentOS 5 : kernel (CESA-2010:0704)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * The compat_alloc_user_space() function in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) Red Hat would like to thank Ben Hawkes for reporting this issue. Red Hat is aware that a public exploit for this issue is available. Refer to Knowledgebase article DOC-40265 for further details: https://access.redhat.com/kb/docs/DOC-40265 Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect." ); # https://lists.centos.org/pipermail/centos-announce/2010-September/017018.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?64606856" ); # https://lists.centos.org/pipermail/centos-announce/2010-September/017019.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?fe7648c3" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-PAE"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-PAE-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5"); script_set_attribute(attribute:"vuln_publication_date", value:"2010/09/22"); script_set_attribute(attribute:"patch_publication_date", value:"2010/09/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/09/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-5", reference:"kernel-2.6.18-194.11.4.el5")) flag++; if (rpm_check(release:"CentOS-5", cpu:"i386", reference:"kernel-PAE-2.6.18-194.11.4.el5")) flag++; if (rpm_check(release:"CentOS-5", cpu:"i386", reference:"kernel-PAE-devel-2.6.18-194.11.4.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"kernel-debug-2.6.18-194.11.4.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"kernel-debug-devel-2.6.18-194.11.4.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"kernel-devel-2.6.18-194.11.4.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"kernel-doc-2.6.18-194.11.4.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"kernel-headers-2.6.18-194.11.4.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"kernel-xen-2.6.18-194.11.4.el5")) flag++; if (rpm_check(release:"CentOS-5", reference:"kernel-xen-devel-2.6.18-194.11.4.el5")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-PAE / kernel-PAE-devel / kernel-debug / etc"); }
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-198.NASL description Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always follow NFS automount symlinks, which allows attackers to have an unknown impact, related to LOOKUP_FOLLOW. (CVE-2010-1088) The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. (CVE-2009-3228) The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel node set. (CVE-2010-0415) The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls. (CVE-2009-3620) The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space. (CVE-2010-0622) The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel 2.6 before 2.6.30, when running on x86 systems, does not validate the page table root in a KVM_SET_SREGS call, which allows local users to cause a denial of service (crash or hang) via a crafted cr3 value, which triggers a NULL pointer dereference in the gfn_to_rmap function. (CVE-2009-2287) The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 2.6.31.1 does not properly verify the Current Privilege Level (CPL) before accessing a debug register, which allows guest OS users to cause a denial of service (trap) on the host OS via a crafted application. (CVE-2009-3722) The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel before 2.6.32 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal. (CVE-2009-4308) The eisa_eeprom_read function in the parisc isa-eeprom component (drivers/parisc/eisa_eeprom.c) in the Linux kernel before 2.6.31-rc6 allows local users to access restricted memory via a negative ppos argument, which bypasses a check that assumes that ppos is positive and causes an out-of-bounds read in the readb function. (CVE-2009-2846) Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel before 2.6.34-rc6 allow remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions. (CVE-2010-2521) mm/shmem.c in the Linux kernel before 2.6.28-rc8, when strict overcommit is enabled and CONFIG_SECURITY is disabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-1643. (CVE-2008-7256) The release_one_tty function in drivers/char/tty_io.c in the Linux kernel before 2.6.34-rc4 omits certain required calls to the put_pid function, which has unspecified impact and local attack vectors. (CVE-2010-1162) mm/shmem.c in the Linux kernel before 2.6.28-rc3, when strict overcommit is enabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors. (CVE-2010-1643) The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. (CVE-2010-1173) The Transparent Inter-Process Communication (TIPC) functionality in Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions, allows local users to cause a denial of service (kernel OOPS) by sending datagrams through AF_TIPC before entering network mode, which triggers a NULL pointer dereference. (CVE-2010-1187) The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. (CVE-2010-1173) fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel before 2.6.34-rc4 allows remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions. (CVE-2010-2248) Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel before 2.6.35 might allow local users to gain privileges or cause a denial of service (system crash) via unspecified vectors. (CVE-2010-2492) The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel before 2.6.35 does not properly check the file descriptors passed to the SWAPEXT ioctl, which allows local users to leverage write access and obtain read access by swapping one file into another file. (CVE-2010-2226) The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel before 2.6.35 uses an incorrect size value in calculations associated with sentinel directory entries, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c. (CVE-2010-2798) The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server. (CVE-2010-2240) The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount. (CVE-2010-2803) Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic. (CVE-2010-2959) Double free vulnerability in the snd_seq_oss_open function in sound/core/seq/oss/seq_oss_init.c in the Linux kernel before 2.6.36-rc4 might allow local users to cause a denial of service or possibly have unspecified other impact via an unsuccessful attempt to open the /dev/sequencer device. (CVE-2010-3080) A vulnerability in Linux kernel caused by insecure allocation of user space memory when translating system call inputs to 64-bit. A stack pointer underflow can occur when using the compat_alloc_user_space method with an arbitrary length input. (CVE-2010-3081) The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression. (CVE-2010-3301) To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate last seen 2020-06-01 modified 2020-06-02 plugin id 49795 published 2010-10-08 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/49795 title Mandriva Linux Security Advisory : kernel (MDVSA-2010:198) NASL family SuSE Local Security Checks NASL id SUSE_11_3_KERNEL-100921.NASL description This update of the openSUSE 11.3 kernel fixes two local root exploits, various other security issues and some bugs. Following security issues are fixed by this update: CVE-2010-3301: Mismatch between 32bit and 64bit register usage in the system call entry path could be used by local attackers to gain root privileges. This problem only affects x86_64 kernels. CVE-2010-3081: Incorrect buffer handling in the biarch-compat buffer handling could be used by local attackers to gain root privileges. This problem affects foremost x86_64, or potentially other biarch platforms, like PowerPC and S390x. CVE-2010-3084: A buffer overflow in the ETHTOOL_GRXCLSRLALL code could be used to crash the kernel or potentially execute code. CVE-2010-2955: A kernel information leak via the WEXT ioctl was fixed. CVE-2010-2960: The keyctl_session_to_parent function in security/keys/keyctl.c in the Linux kernel expects that a certain parent session keyring exists, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT argument to the keyctl function. CVE-2010-3080: A double free in an alsa error path was fixed, which could lead to kernel crashes. CVE-2010-3079: Fixed a ftrace NULL pointer dereference problem which could lead to kernel crashes. CVE-2010-3298: Fixed a kernel information leak in the net/usb/hso driver. CVE-2010-3296: Fixed a kernel information leak in the cxgb3 driver. CVE-2010-3297: Fixed a kernel information leak in the net/eql driver. last seen 2020-06-01 modified 2020-06-02 plugin id 75550 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75550 title openSUSE Security Update : kernel (openSUSE-SU-2010:0655-1) NASL family SuSE Local Security Checks NASL id SUSE9_12646.NASL description This updates the SUSE Linux Enterprise Server 9 kernel to fix various security issues and some bugs. The following security bugs were fixed : - Incorrect buffer handling in the biarch-compat buffer handling could be used by local attackers to gain root privileges. This problem affects foremost x86_64, or potentially other biarch platforms, like PowerPC and S390x. (CVE-2010-3081) - A kernel information leak via the WEXT ioctl was fixed. (CVE-2010-2955) - A kernel information leak via the XFS filesystem was fixed. (CVE-2010-3078) - A kernel information leak in the net eql code was fixed. (CVE-2010-3297) - The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel did not properly check the file descriptors passed to the SWAPEXT ioctl, which allowed local users to leverage write access and obtain read access by swapping one file into another file. (CVE-2010-2226) - Fixed a kernel information leak in the net scheduler code. (CVE-2010-2942) - fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel allowed remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions. (CVE-2010-2248) Additionally a data corruption bug in s390 was fixed : - A race between /proc/pid/stat and fork in the S390 kernel could lead to data corruption. last seen 2020-06-01 modified 2020-06-02 plugin id 49657 published 2010-09-23 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/49657 title SuSE9 Security Update : the Linux kernel (YOU Patch Number 12646) NASL family Fedora Local Security Checks NASL id FEDORA_2010-14890.NASL description - Fix possible local privilege escalation on x86_64 systems (CVE-2010-3081, CVE-2010-3301). - Mitigate denial of service attack with large argument lists. - Fix possible hang on suspend introduced in 2.6.34.6-54 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 49297 published 2010-09-21 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/49297 title Fedora 13 : kernel-2.6.34.7-56.fc13 (2010-14890) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-188.NASL description Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always follow NFS automount symlinks, which allows attackers to have an unknown impact, related to LOOKUP_FOLLOW. (CVE-2010-1088) The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. (CVE-2009-3228) The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel node set. (CVE-2010-0415) The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls. (CVE-2009-3620) The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space. (CVE-2010-0622) The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel 2.6 before 2.6.30, when running on x86 systems, does not validate the page table root in a KVM_SET_SREGS call, which allows local users to cause a denial of service (crash or hang) via a crafted cr3 value, which triggers a NULL pointer dereference in the gfn_to_rmap function. (CVE-2009-2287) The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 2.6.31.1 does not properly verify the Current Privilege Level (CPL) before accessing a debug register, which allows guest OS users to cause a denial of service (trap) on the host OS via a crafted application. (CVE-2009-3722) The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel before 2.6.32 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal. (CVE-2009-4308) The eisa_eeprom_read function in the parisc isa-eeprom component (drivers/parisc/eisa_eeprom.c) in the Linux kernel before 2.6.31-rc6 allows local users to access restricted memory via a negative ppos argument, which bypasses a check that assumes that ppos is positive and causes an out-of-bounds read in the readb function. (CVE-2009-2846) Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel before 2.6.34-rc6 allow remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions. (CVE-2010-2521) mm/shmem.c in the Linux kernel before 2.6.28-rc8, when strict overcommit is enabled and CONFIG_SECURITY is disabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-1643. (CVE-2008-7256) The release_one_tty function in drivers/char/tty_io.c in the Linux kernel before 2.6.34-rc4 omits certain required calls to the put_pid function, which has unspecified impact and local attack vectors. (CVE-2010-1162) mm/shmem.c in the Linux kernel before 2.6.28-rc3, when strict overcommit is enabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors. (CVE-2010-1643) The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. (CVE-2010-1173) The Transparent Inter-Process Communication (TIPC) functionality in Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions, allows local users to cause a denial of service (kernel OOPS) by sending datagrams through AF_TIPC before entering network mode, which triggers a NULL pointer dereference. (CVE-2010-1187) The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. (CVE-2010-1173) fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel before 2.6.34-rc4 allows remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions. (CVE-2010-2248) Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel before 2.6.35 might allow local users to gain privileges or cause a denial of service (system crash) via unspecified vectors. (CVE-2010-2492) The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel before 2.6.35 does not properly check the file descriptors passed to the SWAPEXT ioctl, which allows local users to leverage write access and obtain read access by swapping one file into another file. (CVE-2010-2226) The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel before 2.6.35 uses an incorrect size value in calculations associated with sentinel directory entries, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c. (CVE-2010-2798) The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server. (CVE-2010-2240) The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount. (CVE-2010-2803) Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic. (CVE-2010-2959) Double free vulnerability in the snd_seq_oss_open function in sound/core/seq/oss/seq_oss_init.c in the Linux kernel before 2.6.36-rc4 might allow local users to cause a denial of service or possibly have unspecified other impact via an unsuccessful attempt to open the /dev/sequencer device. (CVE-2010-3080) A vulnerability in Linux kernel caused by insecure allocation of user space memory when translating system call inputs to 64-bit. A stack pointer underflow can occur when using the compat_alloc_user_space method with an arbitrary length input. (CVE-2010-3081) The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression. (CVE-2010-3301) To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate last seen 2020-06-01 modified 2020-06-02 plugin id 49666 published 2010-09-24 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/49666 title Mandriva Linux Security Advisory : kernel (MDVSA-2010:188) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-100921.NASL description This security update of the SUSE Linux Enterprise 11 GA kernel fixes 3 critical security issues. Following security bugs were fixed : - Mismatch between 32bit and 64bit register usage in the system call entry path could be used by local attackers to gain root privileges. This problem only affects x86_64 kernels. (CVE-2010-3301) - Incorrect buffer handling in the biarch-compat buffer handling could be used by local attackers to gain root privileges. This problem affects foremost x86_64, or potentially other biarch platforms, like PowerPC and S390x. (CVE-2010-3081) - Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel allowed attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic. (CVE-2010-2959) last seen 2020-06-01 modified 2020-06-02 plugin id 51611 published 2011-01-21 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51611 title SuSE 11 Security Update : Linux kernel (SAT Patch Number 3164) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-247.NASL description A vulnerability was discovered and corrected in the Linux 2.6 kernel : The compat_alloc_user_space functions in include/asm/compat.h files in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do not properly allocate the userspace memory required for the 32-bit compatibility layer, which allows local users to gain privileges by leveraging the ability of the compat_mc_getsockopt function (aka the MCAST_MSFILTER getsockopt support) to control a certain length value, related to a stack pointer underflow issue, as exploited in the wild in September 2010. (CVE-2010-3081) The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression. (CVE-2010-3301) Integer overflow in the ext4_ext_get_blocks function in fs/ext4/extents.c in the Linux kernel before 2.6.34 allows local users to cause a denial of service (BUG and system crash) via a write operation on the last block of a large file, followed by a sync operation. (CVE-2010-3015) Additionally, the kernel has been updated to the stable version 2.6.31.14. A timeout bug in bnx2 has been fixed. Muting and unmuting on VT1812/VT2002P now should work correctly. A fix for ACL decoding on NFS was added. Rebooting on Dell Precision WorkStation T7400 was corrected. Read balancing with RAID0 and RAID1 on drives larger then 2TB was also fixed. A more detailed description is available in the package changelog and related tickets. Thanks to Thomas Backlund and Herton Ronaldo Krzesinski for contributions in this update. To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate last seen 2020-06-01 modified 2020-06-02 plugin id 50981 published 2010-12-06 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50981 title Mandriva Linux Security Advisory : kernel (MDVSA-2010:247) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0719.NASL description Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 4.7 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * The compat_alloc_user_space() function in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) Red Hat would like to thank Ben Hawkes for reporting this issue. Refer to Knowledgebase article DOC-40265 for further details: https://access.redhat.com/kb/docs/DOC-40265 Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 63955 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/63955 title RHEL 4 : kernel (RHSA-2010:0719) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1119-1.NASL description Dan Rosenberg discovered that the RDS network protocol did not correctly check certain parameters. A local attacker could exploit this gain root privileges. (CVE-2010-3904) Nelson Elhage discovered several problems with the Acorn Econet protocol driver. A local user could cause a denial of service via a NULL pointer dereference, escalate privileges by overflowing the kernel stack, and assign Econet addresses to arbitrary interfaces. (CVE-2010-3848, CVE-2010-3849, CVE-2010-3850) Ben Hawkes discovered that the Linux kernel did not correctly validate memory ranges on 64bit kernels when allocating memory on behalf of 32bit system calls. On a 64bit system, a local attacker could perform malicious multicast getsockopt calls to gain root privileges. (CVE-2010-3081) Tavis Ormandy discovered that the IRDA subsystem did not correctly shut down. A local attacker could exploit this to cause the system to crash or possibly gain root privileges. (CVE-2010-2954) Brad Spengler discovered that the wireless extensions did not correctly validate certain request sizes. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (CVE-2010-2955) Tavis Ormandy discovered that the session keyring did not correctly check for its parent. On systems without a default session keyring, a local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-2960) Kees Cook discovered that the Intel i915 graphics driver did not correctly validate memory regions. A local attacker with access to the video card could read and write arbitrary kernel memory to gain root privileges. (CVE-2010-2962) Kees Cook discovered that the V4L1 32bit compat interface did not correctly validate certain parameters. A local attacker on a 64bit system with access to a video device could exploit this to gain root privileges. (CVE-2010-2963) Robert Swiecki discovered that ftrace did not correctly handle mutexes. A local attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3079) Tavis Ormandy discovered that the OSS sequencer device did not correctly shut down. A local attacker could exploit this to crash the system or possibly gain root privileges. (CVE-2010-3080) Dan Rosenberg discovered that the CD driver did not correctly check parameters. A local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2010-3437) Dan Rosenberg discovered that SCTP did not correctly handle HMAC calculations. A remote attacker could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-3705) Kees Cook discovered that the ethtool interface did not correctly clear kernel memory. A local attacker could read kernel heap memory, leading to a loss of privacy. (CVE-2010-3861) Thomas Pollet discovered that the RDS network protocol did not check certain iovec buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3865) Dan Rosenberg discovered that the Linux kernel X.25 implementation incorrectly parsed facilities. A remote attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3873) Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875) Vasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876) Vasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3877) Kees Cook and Vasiliy Kulikov discovered that the shm interface did not clear kernel memory correctly. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4072) Dan Rosenberg discovered that the ivtv V4L driver did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4079) Dan Rosenberg discovered that the socket filters did not correctly initialize structure memory. A local attacker could create malicious filters to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4158) Dan Rosenberg discovered multiple flaws in the X.25 facilities parsing. If a system was using X.25, a remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4164) Steve Chen discovered that setsockopt did not correctly check MSS values. A local attacker could make a specially crafted socket call to crash the system, leading to a denial of service. (CVE-2010-4165) Vegard Nossum discovered that memory garbage collection was not handled correctly for active sockets. A local attacker could exploit this to allocate all available kernel memory, leading to a denial of service. (CVE-2010-4249) Nelson Elhage discovered that Econet did not correctly handle AUN packets over UDP. A local attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2010-4342) Tavis Ormandy discovered that the install_special_mapping function could bypass the mmap_min_addr restriction. A local attacker could exploit this to mmap 4096 bytes below the mmap_min_addr area, possibly improving the chances of performing NULL pointer dereference attacks. (CVE-2010-4346) Dan Rosenberg discovered that the OSS subsystem did not handle name termination correctly. A local attacker could exploit this crash the system or gain root privileges. (CVE-2010-4527) Dan Rosenberg discovered that IRDA did not correctly check the size of buffers. On non-x86 systems, a local attacker could exploit this to read kernel heap memory, leading to a loss of privacy. (CVE-2010-4529) last seen 2020-06-01 modified 2020-06-02 plugin id 55077 published 2011-06-13 reporter Ubuntu Security Notice (C) 2011 Canonical, Inc. / NASL script (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55077 title USN-1119-1 : linux-ti-omap4 vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2010-14878.NASL description - Fix possible local privilege escalation on x86_64 systems (CVE-2010-3081, CVE-2010-3301). - Mitigate denial of service attack with large argument lists. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 49296 published 2010-09-21 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/49296 title Fedora 12 : kernel-2.6.32.21-168.fc12 (2010-14878) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0705.NASL description Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 5.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * The compat_alloc_user_space() function in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) Red Hat would like to thank Ben Hawkes for reporting this issue. Red Hat is aware that a public exploit for this issue is available. Refer to Knowledgebase article DOC-40265 for further details: https://access.redhat.com/kb/docs/DOC-40265 Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 63953 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/63953 title RHEL 5 : kernel (RHSA-2010:0705) NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2011-0003.NASL description a. vCenter Server and vCenter Update Manager update Microsoft SQL Server 2005 Express Edition to Service Pack 3 Microsoft SQL Server 2005 Express Edition (SQL Express) distributed with vCenter Server 4.1 Update 1 and vCenter Update Manager 4.1 Update 1 is upgraded from SQL Express Service Pack 2 to SQL Express Service Pack 3, to address multiple security issues that exist in the earlier releases of Microsoft SQL Express. Customers using other database solutions need not update for these issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086, CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL Express Service Pack 3. b. vCenter Apache Tomcat Management Application Credential Disclosure The Apache Tomcat Manager application configuration file contains logon credentials that can be read by unprivileged local users. The issue is resolved by removing the Manager application in vCenter 4.1 Update 1. If vCenter 4.1 is updated to vCenter 4.1 Update 1 the logon credentials are not present in the configuration file after the update. VMware would like to thank Claudio Criscione of Secure Networking for reporting this issue to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2010-2928 to this issue. c. vCenter Server and ESX, Oracle (Sun) JRE is updated to version 1.6.0_21 Oracle (Sun) JRE update to version 1.6.0_21, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Oracle (Sun) JRE 1.6.0_19: CVE-2009-3555, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849, CVE-2010-0850. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following name to the security issue fixed in Oracle (Sun) JRE 1.6.0_20: CVE-2010-0886. d. vCenter Update Manager Oracle (Sun) JRE is updated to version 1.5.0_26 Oracle (Sun) JRE update to version 1.5.0_26, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Oracle (Sun) JRE 1.5.0_26: CVE-2010-3556, CVE-2010-3566, CVE-2010-3567, CVE-2010-3550, CVE-2010-3561, CVE-2010-3573, CVE-2010-3565,CVE-2010-3568, CVE-2010-3569, CVE-2009-3555, CVE-2010-1321, CVE-2010-3548, CVE-2010-3551, CVE-2010-3562, CVE-2010-3571, CVE-2010-3554, CVE-2010-3559, CVE-2010-3572, CVE-2010-3553, CVE-2010-3549, CVE-2010-3557, CVE-2010-3541, CVE-2010-3574. e. vCenter Server and ESX Apache Tomcat updated to version 6.0.28 Apache Tomcat updated to version 6.0.28, which addresses multiple security issues that existed in earlier releases of Apache Tomcat The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.24: CVE-2009-2693, CVE-2009-2901, CVE-2009-2902,i and CVE-2009-3548. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.28: CVE-2010-2227, CVE-2010-1157. f. vCenter Server third-party component OpenSSL updated to version 0.9.8n The version of the OpenSSL library in vCenter Server is updated to 0.9.8n. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0740 and CVE-2010-0433 to the issues addressed in this version of OpenSSL. g. ESX third-party component OpenSSL updated to version 0.9.8p The version of the ESX OpenSSL library is updated to 0.9.8p. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-3864 and CVE-2010-2939 to the issues addressed in this update. h. ESXi third-party component cURL updated The version of cURL library in ESXi is updated. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-0734 to the issues addressed in this update. i. ESX third-party component pam_krb5 updated The version of pam_krb5 library is updated. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-3825 and CVE-2009-1384 to the issues addressed in the update. j. ESX third-party update for Service Console kernel The Service Console kernel is updated to include kernel version 2.6.18-194.11.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-1084, CVE-2010-2066, CVE-2010-2070, CVE-2010-2226, CVE-2010-2248, CVE-2010-2521, CVE-2010-2524, CVE-2010-0008, CVE-2010-0415, CVE-2010-0437, CVE-2009-4308, CVE-2010-0003, CVE-2010-0007, CVE-2010-0307, CVE-2010-1086, CVE-2010-0410, CVE-2010-0730, CVE-2010-1085, CVE-2010-0291, CVE-2010-0622, CVE-2010-1087, CVE-2010-1173, CVE-2010-1437, CVE-2010-1088, CVE-2010-1187, CVE-2010-1436, CVE-2010-1641, and CVE-2010-3081 to the issues addressed in the update. Notes : - The update also addresses the 64-bit compatibility mode stack pointer underflow issue identified by CVE-2010-3081. This issue was patched in an ESX 4.1 patch prior to the release of ESX 4.1 Update 1 and in a previous ESX 4.0 patch release. - The update also addresses CVE-2010-2240 for ESX 4.0. last seen 2020-06-01 modified 2020-06-02 plugin id 51971 published 2011-02-14 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51971 title VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2010-0704.NASL description From Red Hat Security Advisory 2010:0704 : Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * The compat_alloc_user_space() function in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) Red Hat would like to thank Ben Hawkes for reporting this issue. Red Hat is aware that a public exploit for this issue is available. Refer to Knowledgebase article DOC-40265 for further details: https://access.redhat.com/kb/docs/DOC-40265 Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 68103 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68103 title Oracle Linux 5 : kernel (ELSA-2010-0704) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0718.NASL description Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * The compat_alloc_user_space() function in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) Red Hat would like to thank Ben Hawkes for reporting this issue. Refer to Knowledgebase article DOC-40265 for further details: https://access.redhat.com/kb/docs/DOC-40265 Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 49744 published 2010-10-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/49744 title RHEL 4 : kernel (RHSA-2010:0718) NASL family Scientific Linux Local Security Checks NASL id SL_20100921_KERNEL_ON_SL5_X.NASL description This update fixes the following security issue : - The compat_alloc_user_space() function in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 60859 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60859 title Scientific Linux Security Update : kernel on SL5.x i386/x86_64 NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2010-0017.NASL description a. Service Console OS update for COS kernel package. This patch updates the Service Console kernel to fix a stack pointer underflow issue in the 32-bit compatibility layer. Exploitation of this issue could allow a local user to gain additional privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-3081 to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 50858 published 2010-12-01 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50858 title VMSA-2010-0017 : VMware ESX third-party update for Service Console kernel NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2010-0718.NASL description Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * The compat_alloc_user_space() function in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) Red Hat would like to thank Ben Hawkes for reporting this issue. Refer to Knowledgebase article DOC-40265 for further details: https://access.redhat.com/kb/docs/DOC-40265 Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 49713 published 2010-10-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/49713 title CentOS 4 : kernel (CESA-2010:0718) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2010-265-01.NASL description New kernel packages are available for Slackware x86_64 13.1, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 54887 published 2011-05-28 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/54887 title Slackware current : 64-bit kernel (SSA:2010-265-01) NASL family Misc. NASL id VMWARE_VMSA-2011-0003_REMOTE.NASL description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries : - Apache Tomcat - Apache Tomcat Manager - cURL - Java Runtime Environment (JRE) - Kernel - Microsoft SQL Express - OpenSSL - pam_krb5 last seen 2020-06-01 modified 2020-06-02 plugin id 89674 published 2016-03-04 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89674 title VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0003) (remote check) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0704.NASL description Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * The compat_alloc_user_space() function in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) Red Hat would like to thank Ben Hawkes for reporting this issue. Red Hat is aware that a public exploit for this issue is available. Refer to Knowledgebase article DOC-40265 for further details: https://access.redhat.com/kb/docs/DOC-40265 Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 49639 published 2010-09-22 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/49639 title RHEL 5 : kernel (RHSA-2010:0704) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-7164.NASL description This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes several critical security issues. The following security issues were fixed : - Incorrect buffer handling in the biarch-compat buffer handling could be used by local attackers to gain root privileges. This problem affects foremost x86_64, or potentially other biarch platforms, like PowerPC and S390x. (CVE-2010-3081) - A kernel information leak via the WEXT ioctl was fixed. (CVE-2010-2955) - A kernel information leak via the XFS filesystem was fixed. (CVE-2010-3078) - A kernel information leak in the net eql code was fixed. (CVE-2010-3297) Additionally a data corruption bug in s390 was fixed : - A race between /proc/pid/stat and fork in the S390 kernel could lead to data corruption. last seen 2020-06-01 modified 2020-06-02 plugin id 59152 published 2012-05-17 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59152 title SuSE 10 Security Update : the Linux kernel (ZYPP Patch Number 7164) NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2010-0017_REMOTE.NASL description The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by a memory allocation issue in the Linux 64-bit kernel due to a failure by the compat_alloc_user_space() function to properly allocate the user space memory required for the 32-bit compatibility layer. A local attacker can exploit this to gain elevated privileges by leveraging the ability of the compat_mc_getsockopt() function to control a certain length value. last seen 2020-06-01 modified 2020-06-02 plugin id 89743 published 2016-03-08 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89743 title VMware ESX Privilege Escalation (VMSA-2010-0017) (remote check) NASL family SuSE Local Security Checks NASL id SUSE_11_1_KERNEL-100921.NASL description This security update of the openSUSE 11.1 kernel fixes 3 critical security issues. Following security bugs were fixed: CVE-2010-3301: Mismatch between 32bit and 64bit register usage in the system call entry path could be used by local attackers to gain root privileges. This problem only affects x86_64 kernels. CVE-2010-3081: Incorrect buffer handling in the biarch-compat buffer handling could be used by local attackers to gain root privileges. This problem affects foremost x86_64, or potentially other biarch platforms, like PowerPC and S390x. CVE-2010-2959: Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel allowed attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic. last seen 2020-06-01 modified 2020-06-02 plugin id 49668 published 2010-09-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/49668 title openSUSE Security Update : kernel (openSUSE-SU-2010:0654-1) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-100920.NASL description This security update of the SUSE Linux Enterprise 11 GA kernel fixes 3 critical security issues. Following security bugs were fixed : - Mismatch between 32bit and 64bit register usage in the system call entry path could be used by local attackers to gain root privileges. This problem only affects x86_64 kernels. (CVE-2010-3301) - Incorrect buffer handling in the biarch-compat buffer handling could be used by local attackers to gain root privileges. This problem affects foremost x86_64, or potentially other biarch platforms, like PowerPC and S390x. (CVE-2010-3081) - Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel allowed attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic. (CVE-2010-2959) last seen 2020-06-01 modified 2020-06-02 plugin id 50924 published 2010-12-02 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50924 title SuSE 11 / 11.1 Security Update : Linux kernel (SAT Patch Numbers 3144 / 3147 / 3148 / 3163 / 3171) NASL family Fedora Local Security Checks NASL id FEDORA_2010-14832.NASL description Fix possible local privilege escalation on x86_64 systems (CVE-2010-3081, CVE-2010-3301). - NOTE: All users should update because of this bug. Fix denial of service attack with large argument lists. Add support for perl and python scripting to perf. Nouveau video driver fixes : - fix oops in acpi edid support - disable acceleration on nva3/nva5/nva8 - misc fixes from upstream + NVAF support Add support for the eject key on the Dell Studio 1555 fix rcu_dereference_check warning Restore appleir driver that got lost in the 2.6.35 rebase. Fix DMA in via-velocity network driver. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 49635 published 2010-09-22 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/49635 title Fedora 14 : kernel-2.6.35.4-28.fc14 (2010-14832) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-101007.NASL description This SUSE Linux Enterprise 11 Service Pack 1 kernel contains various security fixes and lots of other bugfixes. The following security issues were fixed : - local users could crash the system by causing a NULL deref in the keyctl_session_to_parent() function. (CVE-2010-2960) - local users could crash the system by causing a NULL deref via IRDA sockets. (CVE-2010-2954) - local users could crash the system by causing a NULL deref in ftrace. (CVE-2010-3079) - several kernel functions could leak kernel stack memory contents. (CVE-2010-3078 / CVE-2010-3297 / CVE-2010-3298 / CVE-2010-3081 / CVE-2010-3296) - local users could cause dereference of an uninitialized pointer via /dev/sequencer. (CVE-2010-3080) - local users could corrupt kernel heap memory via ROSE sockets. (CVE-2010-3310) - local users could write to any kernel memory location via the i915 GEM ioctl interface Additionally this update restores the compat_alloc_userspace() inline function. (CVE-2010-2962) last seen 2020-06-01 modified 2020-06-02 plugin id 51612 published 2011-01-21 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51612 title SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 3276 / 3280 / 3284) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2010-0718.NASL description From Red Hat Security Advisory 2010:0718 : Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * The compat_alloc_user_space() function in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) Red Hat would like to thank Ben Hawkes for reporting this issue. Refer to Knowledgebase article DOC-40265 for further details: https://access.redhat.com/kb/docs/DOC-40265 Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 68104 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68104 title Oracle Linux 4 : kernel (ELSA-2010-0718) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0842.NASL description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. [Updated 22 November 2010] The packages list in this erratum has been updated to include four missing debuginfo-common packages (one per architecture). No changes have been made to the original packages. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * Missing sanity checks in the Intel i915 driver in the Linux kernel could allow a local, unprivileged user to escalate their privileges. (CVE-2010-2962, Important) * compat_alloc_user_space() in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) * A buffer overflow flaw in niu_get_ethtool_tcam_all() in the niu Ethernet driver in the Linux kernel, could allow a local user to cause a denial of service or escalate their privileges. (CVE-2010-3084, Important) * A flaw in the IA32 system call emulation provided in 64-bit Linux kernels could allow a local user to escalate their privileges. (CVE-2010-3301, Important) * A flaw in sctp_packet_config() in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 50629 published 2010-11-18 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50629 title RHEL 6 : kernel (RHSA-2010:0842) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-7160.NASL description This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes several critical security issues. The following security issues were fixed : - Incorrect buffer handling in the biarch-compat buffer handling could be used by local attackers to gain root privileges. This problem affects foremost x86_64, or potentially other biarch platforms, like PowerPC and S390x. (CVE-2010-3081) - A kernel information leak via the WEXT ioctl was fixed. (CVE-2010-2955) - A kernel information leak via the XFS filesystem was fixed. (CVE-2010-3078) - A kernel information leak in the net eql code was fixed. (CVE-2010-3297) Additionally a data corruption bug in s390 was fixed : - A race between /proc/pid/stat and fork in the S390 kernel could lead to data corruption. last seen 2020-06-01 modified 2020-06-02 plugin id 49874 published 2010-10-11 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/49874 title SuSE 10 Security Update : the Linux kernel (ZYPP Patch Number 7160) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2110.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leak. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2010-2492 Andre Osterhues reported an issue in the eCryptfs subsystem. A buffer overflow condition may allow local users to cause a denial of service or gain elevated privileges. - CVE-2010-2954 Tavis Ormandy reported an issue in the irda subsystem which may allow local users to cause a denial of service via a NULL pointer dereference. - CVE-2010-3078 Dan Rosenberg discovered an issue in the XFS file system that allows local users to read potentially sensitive kernel memory. - CVE-2010-3080 Tavis Ormandy reported an issue in the ALSA sequencer OSS emulation layer. Local users with sufficient privileges to open /dev/sequencer (by default on Debian, this is members of the last seen 2020-06-01 modified 2020-06-02 plugin id 49276 published 2010-09-20 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/49276 title Debian DSA-2110-1 : linux-2.6 - privilege escalation/denial of service/information leak NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-988-1.NASL description Ben Hawkes discovered that the Linux kernel did not correctly validate memory ranges on 64bit kernels when allocating memory on behalf of 32bit system calls. On a 64bit system, a local attacker could perform malicious multicast getsockopt calls to gain root privileges. (CVE-2010-3081) Ben Hawkes discovered that the Linux kernel did not correctly filter registers on 64bit kernels when performing 32bit system calls. On a 64bit system, a local attacker could manipulate 32bit system calls to gain root privileges. (Ubuntu 6.06 LTS and 8.04 LTS were not affected.) (CVE-2010-3301). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 49283 published 2010-09-20 reporter Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/49283 title Ubuntu 6.06 LTS / 8.04 LTS / 9.04 / 9.10 / 10.04 LTS : linux, linux-source-2.6.15 vulnerabilities (USN-988-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0711.NASL description Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 5.3 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * The compat_alloc_user_space() function in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) Red Hat would like to thank Ben Hawkes for reporting this issue. Red Hat is aware that a public exploit for this issue is available. Refer to Knowledgebase article DOC-40265 for further details: https://access.redhat.com/kb/docs/DOC-40265 Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 63954 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/63954 title RHEL 5 : kernel (RHSA-2010:0711) NASL family SuSE Local Security Checks NASL id SUSE_11_2_KERNEL-100921.NASL description This openSUSE 11.2 kernel was updated to 2.6.31.14, fixing several security issues and bugs. A lot of ext4 filesystem stability fixes were also added. Following security issues have been fixed: CVE-2010-3301: Mismatch between 32bit and 64bit register usage in the system call entry path could be used by local attackers to gain root privileges. This problem only affects x86_64 kernels. CVE-2010-3081: Incorrect buffer handling in the biarch-compat buffer handling could be used by local attackers to gain root privileges. This problem affects foremost x86_64, or potentially other biarch platforms, like PowerPC and S390x. CVE-2010-3084: A buffer overflow in the ETHTOOL_GRXCLSRLALL code could be used to crash the kernel or potentially execute code. CVE-2010-2955: A kernel information leak via the WEXT ioctl was fixed. CVE-2010-2960: The keyctl_session_to_parent function in security/keys/keyctl.c in the Linux kernel expects that a certain parent session keyring exists, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT argument to the keyctl function. CVE-2010-3080: A double free in an alsa error path was fixed, which could lead to kernel crashes. CVE-2010-3079: Fixed a ftrace NULL pointer dereference problem which could lead to kernel crashes. CVE-2010-3298: Fixed a kernel information leak in the net/usb/hso driver. CVE-2010-3296: Fixed a kernel information leak in the cxgb3 driver. CVE-2010-3297: Fixed a kernel information leak in the net/eql driver. CVE-2010-3078: Fixed a kernel information leak in the xfs filesystem. CVE-2010-2942: Fixed a kernel information leak in the net scheduler code. CVE-2010-2954: The irda_bind function in net/irda/af_irda.c in the Linux kernel did not properly handle failure of the irda_open_tsap function, which allowed local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via multiple unsuccessful calls to bind on an AF_IRDA (aka PF_IRDA) socket. CVE-2010-2226: The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel did not properly check the file descriptors passed to the SWAPEXT ioctl, which allowed local users to leverage write access and obtain read access by swapping one file into another file. CVE-2010-2946: The last seen 2020-06-01 modified 2020-06-02 plugin id 49671 published 2010-09-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/49671 title openSUSE Security Update : kernel (openSUSE-SU-2010:0664-1)
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
References
- http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0273.html
- http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0273.html
- http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0278.html
- http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0278.html
- http://blog.ksplice.com/2010/09/cve-2010-3081/
- http://blog.ksplice.com/2010/09/cve-2010-3081/
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=c41d68a513c71e35a14f66d71782d27a79a81ea6
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=c41d68a513c71e35a14f66d71782d27a79a81ea6
- http://isc.sans.edu/diary.html?storyid=9574
- http://isc.sans.edu/diary.html?storyid=9574
- http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html
- http://marc.info/?l=oss-security&m=128461522230211&w=2
- http://marc.info/?l=oss-security&m=128461522230211&w=2
- http://secunia.com/advisories/42384
- http://secunia.com/advisories/42384
- http://secunia.com/advisories/43315
- http://secunia.com/advisories/43315
- http://sota.gen.nz/compat1/
- http://sota.gen.nz/compat1/
- http://www.kernel.org/pub/linux/kernel/v2.6/snapshots/patch-2.6.36-rc4-git2.log
- http://www.kernel.org/pub/linux/kernel/v2.6/snapshots/patch-2.6.36-rc4-git2.log
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:198
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:198
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:214
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:214
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:247
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:247
- http://www.redhat.com/support/errata/RHSA-2010-0758.html
- http://www.redhat.com/support/errata/RHSA-2010-0758.html
- http://www.redhat.com/support/errata/RHSA-2010-0842.html
- http://www.redhat.com/support/errata/RHSA-2010-0842.html
- http://www.redhat.com/support/errata/RHSA-2010-0882.html
- http://www.redhat.com/support/errata/RHSA-2010-0882.html
- http://www.securityfocus.com/archive/1/514938/30/30/threaded
- http://www.securityfocus.com/archive/1/514938/30/30/threaded
- http://www.securityfocus.com/archive/1/516397/100/0/threaded
- http://www.securityfocus.com/archive/1/516397/100/0/threaded
- http://www.vmware.com/security/advisories/VMSA-2010-0017.html
- http://www.vmware.com/security/advisories/VMSA-2010-0017.html
- http://www.vmware.com/security/advisories/VMSA-2011-0003.html
- http://www.vmware.com/security/advisories/VMSA-2011-0003.html
- http://www.vupen.com/english/advisories/2010/3083
- http://www.vupen.com/english/advisories/2010/3083
- http://www.vupen.com/english/advisories/2010/3117
- http://www.vupen.com/english/advisories/2010/3117
- http://www.vupen.com/english/advisories/2011/0298
- http://www.vupen.com/english/advisories/2011/0298
- https://access.redhat.com/kb/docs/DOC-40265
- https://access.redhat.com/kb/docs/DOC-40265
- https://bugzilla.redhat.com/show_bug.cgi?id=634457
- https://bugzilla.redhat.com/show_bug.cgi?id=634457