Vulnerabilities > CVE-2010-4079 - Information Exposure vulnerability in multiple products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

The ivtvfb_ioctl function in drivers/media/video/ivtv/ivtvfb.c in the Linux kernel before 2.6.36-rc8 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call.

Vulnerable Configurations

Part Description Count
OS
Linux
1247
OS
Debian
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2126.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leak. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2010-2963 Kees Cook discovered an issue in the v4l 32-bit compatibility layer for 64-bit systems that allows local users with /dev/video write permission to overwrite arbitrary kernel memory, potentially leading to a privilege escalation. On Debian systems, access to /dev/video devices is restricted to members of the
    last seen2020-06-01
    modified2020-06-02
    plugin id50825
    published2010-11-29
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/50825
    titleDebian DSA-2126-1 : linux-2.6 - privilege escalation/denial of service/information leak
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-2126. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50825);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:23");
    
      script_cve_id("CVE-2010-2963", "CVE-2010-3067", "CVE-2010-3296", "CVE-2010-3297", "CVE-2010-3310", "CVE-2010-3432", "CVE-2010-3437", "CVE-2010-3442", "CVE-2010-3448", "CVE-2010-3477", "CVE-2010-3705", "CVE-2010-3848", "CVE-2010-3849", "CVE-2010-3850", "CVE-2010-3858", "CVE-2010-3859", "CVE-2010-3873", "CVE-2010-3874", "CVE-2010-3875", "CVE-2010-3876", "CVE-2010-3877", "CVE-2010-3880", "CVE-2010-4072", "CVE-2010-4073", "CVE-2010-4074", "CVE-2010-4078", "CVE-2010-4079", "CVE-2010-4080", "CVE-2010-4081", "CVE-2010-4083", "CVE-2010-4164");
      script_bugtraq_id(38607, 42529, 43221, 43229, 43353, 43368, 43480, 43551, 43701, 43787, 43809, 43810, 44242, 44301, 44354, 44630, 44642, 44661, 44665, 45054, 45055, 45058, 45062, 45063);
      script_xref(name:"DSA", value:"2126");
    
      script_name(english:"Debian DSA-2126-1 : linux-2.6 - privilege escalation/denial of service/information leak");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or information
    leak. The Common Vulnerabilities and Exposures project identifies the
    following problems :
    
      - CVE-2010-2963
        Kees Cook discovered an issue in the v4l 32-bit
        compatibility layer for 64-bit systems that allows local
        users with /dev/video write permission to overwrite
        arbitrary kernel memory, potentially leading to a
        privilege escalation. On Debian systems, access to
        /dev/video devices is restricted to members of the
        'video' group by default.
    
      - CVE-2010-3067
        Tavis Ormandy discovered an issue in the io_submit
        system call. Local users can cause an integer overflow
        resulting in a denial of service.
    
      - CVE-2010-3296
        Dan Rosenberg discovered an issue in the cxgb network
        driver that allows unprivileged users to obtain the
        contents of sensitive kernel memory.
    
      - CVE-2010-3297
        Dan Rosenberg discovered an issue in the eql network
        driver that allows local users to obtain the contents of
        sensitive kernel memory.
    
      - CVE-2010-3310
        Dan Rosenberg discovered an issue in the ROSE socket
        implementation. On systems with a rose device, local
        users can cause a denial of service (kernel memory
        corruption).
    
      - CVE-2010-3432
        Thomas Dreibholz discovered an issue in the SCTP
        protocol that permits a remote user to cause a denial of
        service (kernel panic).
    
      - CVE-2010-3437
        Dan Rosenberg discovered an issue in the pktcdvd driver.
        Local users with permission to open /dev/pktcdvd/control
        can obtain the contents of sensitive kernel memory or
        cause a denial of service. By default on Debian systems,
        this access is restricted to members of the group
        'cdrom'.
    
      - CVE-2010-3442
        Dan Rosenberg discovered an issue in the ALSA sound
        system. Local users with permission to open
        /dev/snd/controlC0 can create an integer overflow
        condition that causes a denial of service. By default on
        Debian systems, this access is restricted to members of
        the group 'audio'.
    
      - CVE-2010-3448
        Dan Jacobson reported an issue in the thinkpad-acpi
        driver. On certain Thinkpad systems, local users can
        cause a denial of service (X.org crash) by reading
        /proc/acpi/ibm/video.
    
      - CVE-2010-3477
        Jeff Mahoney discovered an issue in the Traffic Policing
        (act_police) module that allows local users to obtain
        the contents of sensitive kernel memory.
    
      - CVE-2010-3705
        Dan Rosenberg reported an issue in the HMAC processing
        code in the SCTP protocol that allows remote users to
        create a denial of service (memory corruption).
    
      - CVE-2010-3848
        Nelson Elhage discovered an issue in the Econet
        protocol. Local users can cause a stack overflow
        condition with large msg->msgiovlen values that can
        result in a denial of service or privilege escalation.
    
      - CVE-2010-3849
        Nelson Elhage discovered an issue in the Econet
        protocol. Local users can cause a denial of service
        (oops) if a NULL remote addr value is passed as a
        parameter to sendmsg().
    
      - CVE-2010-3850
        Nelson Elhage discovered an issue in the Econet
        protocol. Local users can assign econet addresses to
        arbitrary interfaces due to a missing capabilities
        check.
    
      - CVE-2010-3858
        Brad Spengler reported an issue in the setup_arg_pages()
        function. Due to a bounds-checking failure, local users
        can create a denial of service (kernel oops).
    
      - CVE-2010-3859
        Dan Rosenberg reported an issue in the TIPC protocol.
        When the tipc module is loaded, local users can gain
        elevated privileges via the sendmsg() system call.
    
      - CVE-2010-3873
        Dan Rosenberg reported an issue in the X.25 network
        protocol. Local users can cause heap corruption,
        resulting in a denial of service (kernel panic).
    
      - CVE-2010-3874
        Dan Rosenberg discovered an issue in the Control Area
        Network (CAN) subsystem on 64-bit systems. Local users
        may be able to cause a denial of service (heap
        corruption).
    
      - CVE-2010-3875
        Vasiliy Kulikov discovered an issue in the AX.25
        protocol. Local users can obtain the contents of
        sensitive kernel memory.
    
      - CVE-2010-3876
        Vasiliy Kulikov discovered an issue in the Packet
        protocol. Local users can obtain the contents of
        sensitive kernel memory.
    
      - CVE-2010-3877
        Vasiliy Kulikov discovered an issue in the TIPC
        protocol. Local users can obtain the contents of
        sensitive kernel memory.
    
      - CVE-2010-3880
        Nelson Elhage discovered an issue in the INET_DIAG
        subsystem. Local users can cause the kernel to execute
        unaudited INET_DIAG bytecode, resulting in a denial of
        service.
    
      - CVE-2010-4072
        Kees Cook discovered an issue in the System V shared
        memory subsystem. Local users can obtain the contents of
        sensitive kernel memory.
    
      - CVE-2010-4073
        Dan Rosenberg discovered an issue in the System V shared
        memory subsystem. Local users on 64-bit system can
        obtain the contents of sensitive kernel memory via the
        32-bit compatible semctl() system call.
    
      - CVE-2010-4074
        Dan Rosenberg reported issues in the mos7720 and mos7840
        drivers for USB serial converter devices. Local users
        with access to these devices can obtain the contents of
        sensitive kernel memory.
    
      - CVE-2010-4078
        Dan Rosenberg reported an issue in the framebuffer
        driver for SiS graphics chipsets (sisfb). Local users
        with access to the framebuffer device can obtain the
        contents of sensitive kernel memory via the
        FBIOGET_VBLANK ioctl.
    
      - CVE-2010-4079
        Dan Rosenberg reported an issue in the ivtvfb driver
        used for the Hauppauge PVR-350 card. Local users with
        access to the framebuffer device can obtain the contents
        of sensitive kernel memory via the FBIOGET_VBLANK ioctl.
    
      - CVE-2010-4080
        Dan Rosenberg discovered an issue in the ALSA driver for
        RME Hammerfall DSP audio devices. Local users with
        access to the audio device can obtain the contents of
        sensitive kernel memory via the
        SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl.
    
      - CVE-2010-4081
        Dan Rosenberg discovered an issue in the ALSA driver for
        RME Hammerfall DSP MADI audio devices. Local users with
        access to the audio device can obtain the contents of
        sensitive kernel memory via the
        SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl.
    
      - CVE-2010-4083
        Dan Rosenberg discovered an issue in the semctl system
        call. Local users can obtain the contents of sensitive
        kernel memory through usage of the semid_ds structure.
    
      - CVE-2010-4164
        Dan Rosenberg discovered an issue in the X.25 network
        protocol. Remote users can achieve a denial of service
        (infinite loop) by taking advantage of an integer
        underflow in the facility parsing code."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-2963"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3067"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3296"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3297"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3310"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3432"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3437"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3442"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3448"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3477"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3705"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3848"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3849"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3850"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3858"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3859"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3873"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3874"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3875"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3876"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3877"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-3880"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-4072"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-4073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-4074"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-4078"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-4079"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-4080"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-4081"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-4083"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-4164"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2010/dsa-2126"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the linux-2.6 and user-mode-linux packages.
    
    For the stable distribution (lenny), this problem has been fixed in
    version 2.6.26-26lenny1.
    
    The following matrix lists additional source packages that were
    rebuilt for compatibility with or to take advantage of this update :
    
                            Debian 5.0 (lenny)     
      user-mode-linux        2.6.26-1um-2+26lenny1"
      );
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-2.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/09/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/11/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/29");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"5.0", prefix:"linux-doc-2.6.26", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-486", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-4kc-malta", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-5kc-malta", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-686", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-686-bigmem", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-alpha", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-amd64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-arm", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-armel", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-hppa", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-i386", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-ia64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-mipsel", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-powerpc", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-s390", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-all-sparc", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-alpha-generic", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-alpha-legacy", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-alpha-smp", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-amd64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-common", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-common-openvz", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-common-vserver", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-common-xen", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-footbridge", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-iop32x", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-itanium", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-ixp4xx", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-mckinley", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-openvz-686", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-openvz-amd64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-orion5x", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-parisc", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-parisc-smp", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-parisc64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-parisc64-smp", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-powerpc", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-powerpc-smp", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-powerpc64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-r5k-cobalt", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-s390", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-s390x", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-sb1-bcm91250a", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-sb1a-bcm91480b", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-sparc64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-sparc64-smp", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-versatile", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-686", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-686-bigmem", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-amd64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-itanium", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-mckinley", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-powerpc", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-powerpc64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-s390x", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-vserver-sparc64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-xen-686", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-headers-2.6.26-2-xen-amd64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-486", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-4kc-malta", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-5kc-malta", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-686", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-686-bigmem", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-alpha-generic", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-alpha-legacy", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-alpha-smp", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-amd64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-footbridge", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-iop32x", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-itanium", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-ixp4xx", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-mckinley", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-openvz-686", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-openvz-amd64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-orion5x", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-parisc", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-parisc-smp", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-parisc64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-parisc64-smp", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-powerpc", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-powerpc-smp", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-powerpc64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-r5k-cobalt", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-s390", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-s390-tape", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-s390x", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-sb1-bcm91250a", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-sb1a-bcm91480b", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-sparc64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-sparc64-smp", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-versatile", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-686", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-686-bigmem", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-amd64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-itanium", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-mckinley", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-powerpc", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-powerpc64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-s390x", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-vserver-sparc64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-xen-686", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-image-2.6.26-2-xen-amd64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-libc-dev", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-manual-2.6.26", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-modules-2.6.26-2-xen-686", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-modules-2.6.26-2-xen-amd64", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-patch-debian-2.6.26", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-source-2.6.26", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-support-2.6.26-2", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"linux-tree-2.6.26", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"xen-linux-system-2.6.26-2-xen-686", reference:"2.6.26-26lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"xen-linux-system-2.6.26-2-xen-amd64", reference:"2.6.26-26lenny1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1054-1.NASL
    descriptionGleb Napatov discovered that KVM did not correctly check certain privileged operations. A local attacker with access to a guest kernel could exploit this to crash the host system, leading to a denial of service. (CVE-2010-0435) Dan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859) Dan Rosenberg discovered that the Linux kernel X.25 implementation incorrectly parsed facilities. A remote attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3873) Dan Rosenberg discovered that the CAN protocol on 64bit systems did not correctly calculate the size of certain buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3874) Vasiliy Kulikov discovered that kvm did not correctly clear memory. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy. (CVE-2010-3881) Dan Rosenberg discovered that IPC structures were not correctly initialized on 64bit systems. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4073) Dan Rosenberg discovered that the ivtv V4L driver did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4079) Dan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083) Dan Rosenberg discovered that the socket filters did not correctly initialize structure memory. A local attacker could create malicious filters to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4158) Dan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges. (CVE-2010-4160) Dan Rosenberg discovered that certain iovec operations did not calculate page counts correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4162) Dan Rosenberg discovered multiple flaws in the X.25 facilities parsing. If a system was using X.25, a remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4164) Steve Chen discovered that setsockopt did not correctly check MSS values. A local attacker could make a specially crafted socket call to crash the system, leading to a denial of service. (CVE-2010-4165) Dave Jones discovered that the mprotect system call did not correctly handle merged VMAs. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4169) Dan Rosenberg discovered that the RDS protocol did not correctly check ioctl arguments. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4175) Brad Spengler discovered that the kernel did not correctly account for userspace memory allocations during exec() calls. A local attacker could exploit this to consume all system memory, leading to a denial of service. (CVE-2010-4243) Vegard Nossum discovered that memory garbage collection was not handled correctly for active sockets. A local attacker could exploit this to allocate all available kernel memory, leading to a denial of service. (CVE-2010-4249) It was discovered that named pipes did not correctly handle certain fcntl calls. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4256) Nelson Elhage discovered that the kernel did not correctly handle process cleanup after triggering a recoverable kernel bug. If a local attacker were able to trigger certain kinds of kernel bugs, they could create a specially crafted process to gain root privileges. (CVE-2010-4258). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id51847
    published2011-02-02
    reporterUbuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51847
    titleUbuntu 10.04 LTS / 10.10 : linux, linux-ec2 vulnerabilities (USN-1054-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-1054-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(51847);
      script_version("1.11");
      script_cvs_date("Date: 2019/09/19 12:54:26");
    
      script_cve_id("CVE-2010-0435", "CVE-2010-3859", "CVE-2010-3873", "CVE-2010-3874", "CVE-2010-3881", "CVE-2010-4073", "CVE-2010-4079", "CVE-2010-4083", "CVE-2010-4158", "CVE-2010-4160", "CVE-2010-4162", "CVE-2010-4164", "CVE-2010-4165", "CVE-2010-4169", "CVE-2010-4175", "CVE-2010-4243", "CVE-2010-4249", "CVE-2010-4256", "CVE-2010-4258");
      script_xref(name:"USN", value:"1054-1");
    
      script_name(english:"Ubuntu 10.04 LTS / 10.10 : linux, linux-ec2 vulnerabilities (USN-1054-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Gleb Napatov discovered that KVM did not correctly check certain
    privileged operations. A local attacker with access to a guest kernel
    could exploit this to crash the host system, leading to a denial of
    service. (CVE-2010-0435)
    
    Dan Rosenberg discovered that the Linux kernel TIPC implementation
    contained multiple integer signedness errors. A local attacker could
    exploit this to gain root privileges. (CVE-2010-3859)
    
    Dan Rosenberg discovered that the Linux kernel X.25 implementation
    incorrectly parsed facilities. A remote attacker could exploit this to
    crash the kernel, leading to a denial of service. (CVE-2010-3873)
    
    Dan Rosenberg discovered that the CAN protocol on 64bit systems did
    not correctly calculate the size of certain buffers. A local attacker
    could exploit this to crash the system or possibly execute arbitrary
    code as the root user. (CVE-2010-3874)
    
    Vasiliy Kulikov discovered that kvm did not correctly clear memory. A
    local attacker could exploit this to read portions of the kernel
    stack, leading to a loss of privacy. (CVE-2010-3881)
    
    Dan Rosenberg discovered that IPC structures were not correctly
    initialized on 64bit systems. A local attacker could exploit this to
    read kernel stack memory, leading to a loss of privacy.
    (CVE-2010-4073)
    
    Dan Rosenberg discovered that the ivtv V4L driver did not correctly
    initialize certian structures. A local attacker could exploit this to
    read kernel stack memory, leading to a loss of privacy.
    (CVE-2010-4079)
    
    Dan Rosenberg discovered that the semctl syscall did not correctly
    clear kernel memory. A local attacker could exploit this to read
    kernel stack memory, leading to a loss of privacy. (CVE-2010-4083)
    
    Dan Rosenberg discovered that the socket filters did not correctly
    initialize structure memory. A local attacker could create malicious
    filters to read portions of kernel stack memory, leading to a loss of
    privacy. (CVE-2010-4158)
    
    Dan Rosenberg discovered that the Linux kernel L2TP implementation
    contained multiple integer signedness errors. A local attacker could
    exploit this to to crash the kernel, or possibly gain root privileges.
    (CVE-2010-4160)
    
    Dan Rosenberg discovered that certain iovec operations did not
    calculate page counts correctly. A local attacker could exploit this
    to crash the system, leading to a denial of service. (CVE-2010-4162)
    
    Dan Rosenberg discovered multiple flaws in the X.25 facilities
    parsing. If a system was using X.25, a remote attacker could exploit
    this to crash the system, leading to a denial of service.
    (CVE-2010-4164)
    
    Steve Chen discovered that setsockopt did not correctly check MSS
    values. A local attacker could make a specially crafted socket call to
    crash the system, leading to a denial of service. (CVE-2010-4165)
    
    Dave Jones discovered that the mprotect system call did not correctly
    handle merged VMAs. A local attacker could exploit this to crash the
    system, leading to a denial of service. (CVE-2010-4169)
    
    Dan Rosenberg discovered that the RDS protocol did not correctly check
    ioctl arguments. A local attacker could exploit this to crash the
    system, leading to a denial of service. (CVE-2010-4175)
    
    Brad Spengler discovered that the kernel did not correctly account for
    userspace memory allocations during exec() calls. A local attacker
    could exploit this to consume all system memory, leading to a denial
    of service. (CVE-2010-4243)
    
    Vegard Nossum discovered that memory garbage collection was not
    handled correctly for active sockets. A local attacker could exploit
    this to allocate all available kernel memory, leading to a denial of
    service. (CVE-2010-4249)
    
    It was discovered that named pipes did not correctly handle certain
    fcntl calls. A local attacker could exploit this to crash the system,
    leading to a denial of service. (CVE-2010-4256)
    
    Nelson Elhage discovered that the kernel did not correctly handle
    process cleanup after triggering a recoverable kernel bug. If a local
    attacker were able to trigger certain kinds of kernel bugs, they could
    create a specially crafted process to gain root privileges.
    (CVE-2010-4258).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/1054-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-ec2-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-ec2-source-2.6.32");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-ec2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-preempt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-virtual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-ec2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpia");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-preempt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-versatile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-libc-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.32");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.35");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-tools-2.6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-tools-common");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/08/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/02/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/02/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(10\.04|10\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 10.04 / 10.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2010-0435", "CVE-2010-3859", "CVE-2010-3873", "CVE-2010-3874", "CVE-2010-3881", "CVE-2010-4073", "CVE-2010-4079", "CVE-2010-4083", "CVE-2010-4158", "CVE-2010-4160", "CVE-2010-4162", "CVE-2010-4164", "CVE-2010-4165", "CVE-2010-4169", "CVE-2010-4175", "CVE-2010-4243", "CVE-2010-4249", "CVE-2010-4256", "CVE-2010-4258");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-1054-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"10.04", pkgname:"linux-doc", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-ec2-doc", pkgver:"2.6.32-312.24")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-ec2-source-2.6.32", pkgver:"2.6.32-312.24")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-headers-2.6.32-28", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-headers-2.6.32-28-386", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-headers-2.6.32-28-generic", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-headers-2.6.32-28-generic-pae", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-headers-2.6.32-28-preempt", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-headers-2.6.32-28-server", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-headers-2.6.32-312", pkgver:"2.6.32-312.24")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-headers-2.6.32-312-ec2", pkgver:"2.6.32-312.24")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-image-2.6.32-28-386", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-image-2.6.32-28-generic", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-image-2.6.32-28-generic-pae", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-image-2.6.32-28-lpia", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-image-2.6.32-28-preempt", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-image-2.6.32-28-server", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-image-2.6.32-28-versatile", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-image-2.6.32-28-virtual", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-image-2.6.32-312-ec2", pkgver:"2.6.32-312.24")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-libc-dev", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-source-2.6.32", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-tools-2.6.32-28", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-tools-common", pkgver:"2.6.32-28.55")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"linux-doc", pkgver:"2.6.35-25.44")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"linux-headers-2.6.35-25", pkgver:"2.6.35-25.44")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"linux-headers-2.6.35-25-generic", pkgver:"2.6.35-25.44")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"linux-headers-2.6.35-25-generic-pae", pkgver:"2.6.35-25.44")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"linux-headers-2.6.35-25-server", pkgver:"2.6.35-25.44")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"linux-headers-2.6.35-25-virtual", pkgver:"2.6.35-25.44")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"linux-image-2.6.35-25-generic", pkgver:"2.6.35-25.44")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"linux-image-2.6.35-25-generic-pae", pkgver:"2.6.35-25.44")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"linux-image-2.6.35-25-server", pkgver:"2.6.35-25.44")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"linux-image-2.6.35-25-versatile", pkgver:"2.6.35-25.44")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"linux-image-2.6.35-25-virtual", pkgver:"2.6.35-25.44")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"linux-libc-dev", pkgver:"2.6.35-1025.44")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"linux-source-2.6.35", pkgver:"2.6.35-25.44")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"linux-tools-2.6.35-25", pkgver:"2.6.35-25.44")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"linux-tools-common", pkgver:"2.6.35-25.44")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-doc / linux-ec2-doc / linux-ec2-source-2.6.32 / etc");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1119-1.NASL
    descriptionDan Rosenberg discovered that the RDS network protocol did not correctly check certain parameters. A local attacker could exploit this gain root privileges. (CVE-2010-3904) Nelson Elhage discovered several problems with the Acorn Econet protocol driver. A local user could cause a denial of service via a NULL pointer dereference, escalate privileges by overflowing the kernel stack, and assign Econet addresses to arbitrary interfaces. (CVE-2010-3848, CVE-2010-3849, CVE-2010-3850) Ben Hawkes discovered that the Linux kernel did not correctly validate memory ranges on 64bit kernels when allocating memory on behalf of 32bit system calls. On a 64bit system, a local attacker could perform malicious multicast getsockopt calls to gain root privileges. (CVE-2010-3081) Tavis Ormandy discovered that the IRDA subsystem did not correctly shut down. A local attacker could exploit this to cause the system to crash or possibly gain root privileges. (CVE-2010-2954) Brad Spengler discovered that the wireless extensions did not correctly validate certain request sizes. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (CVE-2010-2955) Tavis Ormandy discovered that the session keyring did not correctly check for its parent. On systems without a default session keyring, a local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-2960) Kees Cook discovered that the Intel i915 graphics driver did not correctly validate memory regions. A local attacker with access to the video card could read and write arbitrary kernel memory to gain root privileges. (CVE-2010-2962) Kees Cook discovered that the V4L1 32bit compat interface did not correctly validate certain parameters. A local attacker on a 64bit system with access to a video device could exploit this to gain root privileges. (CVE-2010-2963) Robert Swiecki discovered that ftrace did not correctly handle mutexes. A local attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3079) Tavis Ormandy discovered that the OSS sequencer device did not correctly shut down. A local attacker could exploit this to crash the system or possibly gain root privileges. (CVE-2010-3080) Dan Rosenberg discovered that the CD driver did not correctly check parameters. A local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2010-3437) Dan Rosenberg discovered that SCTP did not correctly handle HMAC calculations. A remote attacker could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-3705) Kees Cook discovered that the ethtool interface did not correctly clear kernel memory. A local attacker could read kernel heap memory, leading to a loss of privacy. (CVE-2010-3861) Thomas Pollet discovered that the RDS network protocol did not check certain iovec buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3865) Dan Rosenberg discovered that the Linux kernel X.25 implementation incorrectly parsed facilities. A remote attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3873) Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875) Vasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876) Vasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3877) Kees Cook and Vasiliy Kulikov discovered that the shm interface did not clear kernel memory correctly. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4072) Dan Rosenberg discovered that the ivtv V4L driver did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4079) Dan Rosenberg discovered that the socket filters did not correctly initialize structure memory. A local attacker could create malicious filters to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4158) Dan Rosenberg discovered multiple flaws in the X.25 facilities parsing. If a system was using X.25, a remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4164) Steve Chen discovered that setsockopt did not correctly check MSS values. A local attacker could make a specially crafted socket call to crash the system, leading to a denial of service. (CVE-2010-4165) Vegard Nossum discovered that memory garbage collection was not handled correctly for active sockets. A local attacker could exploit this to allocate all available kernel memory, leading to a denial of service. (CVE-2010-4249) Nelson Elhage discovered that Econet did not correctly handle AUN packets over UDP. A local attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2010-4342) Tavis Ormandy discovered that the install_special_mapping function could bypass the mmap_min_addr restriction. A local attacker could exploit this to mmap 4096 bytes below the mmap_min_addr area, possibly improving the chances of performing NULL pointer dereference attacks. (CVE-2010-4346) Dan Rosenberg discovered that the OSS subsystem did not handle name termination correctly. A local attacker could exploit this crash the system or gain root privileges. (CVE-2010-4527) Dan Rosenberg discovered that IRDA did not correctly check the size of buffers. On non-x86 systems, a local attacker could exploit this to read kernel heap memory, leading to a loss of privacy. (CVE-2010-4529)
    last seen2020-06-01
    modified2020-06-02
    plugin id55077
    published2011-06-13
    reporterUbuntu Security Notice (C) 2011 Canonical, Inc. / NASL script (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/55077
    titleUSN-1119-1 : linux-ti-omap4 vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1081-1.NASL
    descriptionIt was discovered that KVM did not correctly initialize certain CPU registers. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3698) Thomas Pollet discovered that the RDS network protocol did not check certain iovec buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3865) Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875) Vasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876) Vasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3877) Nelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880) Dan Rosenberg discovered that the ivtv V4L driver did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4079) Dan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083) It was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248) Vegard Nossum discovered a leak in the kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id52500
    published2011-03-02
    reporterUbuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/52500
    titleUbuntu 10.10 : linux vulnerabilities (USN-1081-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2011-0007.NASL
    descriptionUpdated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. * Buffer overflow in eCryptfs. When /dev/ecryptfs has world-writable permissions (which it does not, by default, on Red Hat Enterprise Linux 6), a local, unprivileged user could use this flaw to cause a denial of service or possibly escalate their privileges. (CVE-2010-2492, Important) * Integer overflow in the RDS protocol implementation could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-3865, Important) * Missing boundary checks in the PPP over L2TP sockets implementation could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4160, Important) * NULL pointer dereference in the igb driver. If both Single Root I/O Virtualization (SR-IOV) and promiscuous mode were enabled on an interface using igb, it could result in a denial of service when a tagged VLAN packet is received on that interface. (CVE-2010-4263, Important) * Missing initialization flaw in the XFS file system implementation, and in the network traffic policing implementation, could allow a local, unprivileged user to cause an information leak. (CVE-2010-3078, CVE-2010-3477, Moderate) * NULL pointer dereference in the Open Sound System compatible sequencer driver could allow a local, unprivileged user with access to /dev/sequencer to cause a denial of service. /dev/sequencer is only accessible to root and users in the audio group by default. (CVE-2010-3080, Moderate) * Flaw in the ethtool IOCTL handler could allow a local user to cause an information leak. (CVE-2010-3861, Moderate) * Flaw in bcm_connect() in the Controller Area Network (CAN) Broadcast Manager. On 64-bit systems, writing the socket address may overflow the procname character array. (CVE-2010-3874, Moderate) * Flaw in the module for monitoring the sockets of INET transport protocols could allow a local, unprivileged user to cause a denial of service. (CVE-2010-3880, Moderate) * Missing boundary checks in the block layer implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2010-4162, CVE-2010-4163, CVE-2010-4668, Moderate) * NULL pointer dereference in the Bluetooth HCI UART driver could allow a local, unprivileged user to cause a denial of service. (CVE-2010-4242, Moderate) * Flaw in the Linux kernel CPU time clocks implementation for the POSIX clock interface could allow a local, unprivileged user to cause a denial of service. (CVE-2010-4248, Moderate) * Flaw in the garbage collector for AF_UNIX sockets could allow a local, unprivileged user to trigger a denial of service. (CVE-2010-4249, Moderate) * Missing upper bound integer check in the AIO implementation could allow a local, unprivileged user to cause an information leak. (CVE-2010-3067, Low) * Missing initialization flaws could lead to information leaks. (CVE-2010-3298, CVE-2010-3876, CVE-2010-4072, CVE-2010-4073, CVE-2010-4074, CVE-2010-4075, CVE-2010-4077, CVE-2010-4079, CVE-2010-4080, CVE-2010-4081, CVE-2010-4082, CVE-2010-4083, CVE-2010-4158, Low) * Missing initialization flaw in KVM could allow a privileged host user with access to /dev/kvm to cause an information leak. (CVE-2010-4525, Low) Red Hat would like to thank Andre Osterhues for reporting CVE-2010-2492; Thomas Pollet for reporting CVE-2010-3865; Dan Rosenberg for reporting CVE-2010-4160, CVE-2010-3078, CVE-2010-3874, CVE-2010-4162, CVE-2010-4163, CVE-2010-3298, CVE-2010-4073, CVE-2010-4074, CVE-2010-4075, CVE-2010-4077, CVE-2010-4079, CVE-2010-4080, CVE-2010-4081, CVE-2010-4082, CVE-2010-4083, and CVE-2010-4158; Kosuke Tatsukawa for reporting CVE-2010-4263; Tavis Ormandy for reporting CVE-2010-3080 and CVE-2010-3067; Kees Cook for reporting CVE-2010-3861 and CVE-2010-4072; Nelson Elhage for reporting CVE-2010-3880; Alan Cox for reporting CVE-2010-4242; Vegard Nossum for reporting CVE-2010-4249; Vasiliy Kulikov for reporting CVE-2010-3876; and Stephan Mueller of atsec information security for reporting CVE-2010-4525.
    last seen2020-06-01
    modified2020-06-02
    plugin id51500
    published2011-01-12
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51500
    titleRHEL 6 : kernel (RHSA-2011:0007)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1187-1.NASL
    descriptionIt was discovered that KVM did not correctly initialize certain CPU registers. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3698) Thomas Pollet discovered that the RDS network protocol did not check certain iovec buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3865) Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875) Vasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876) Vasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3877) Nelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880) Vasiliy Kulikov discovered that kvm did not correctly clear memory. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy. (CVE-2010-3881) Dan Rosenberg discovered that multiple terminal ioctls did not correctly initialize structure memory. A local attacker could exploit this to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077) Dan Rosenberg discovered that the ivtv V4L driver did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4079) Dan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083) Dan Rosenberg discovered that the SCSI subsystem did not correctly validate iov segments. A local attacker with access to a SCSI device could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2010-4163, CVE-2010-4668) It was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248) Nelson Elhage discovered that Econet did not correctly handle AUN packets over UDP. A local attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2010-4342) Tavis Ormandy discovered that the install_special_mapping function could bypass the mmap_min_addr restriction. A local attacker could exploit this to mmap 4096 bytes below the mmap_min_addr area, possibly improving the chances of performing NULL pointer dereference attacks. (CVE-2010-4346) Dan Rosenberg discovered that the OSS subsystem did not handle name termination correctly. A local attacker could exploit this crash the system or gain root privileges. (CVE-2010-4527) Dan Rosenberg discovered that IRDA did not correctly check the size of buffers. On non-x86 systems, a local attacker could exploit this to read kernel heap memory, leading to a loss of privacy. (CVE-2010-4529) Dan Rosenburg discovered that the CAN subsystem leaked kernel addresses into the /proc filesystem. A local attacker could use this to increase the chances of a successful memory corruption exploit. (CVE-2010-4565) Dan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044) Kees Cook discovered that the IOWarrior USB device driver did not correctly check certain size fields. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2010-4656) Goldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly clear memory when writing certain file holes. A local attacker could exploit this to read uninitialized data from the disk, leading to a loss of privacy. (CVE-2011-0463) Dan Carpenter discovered that the TTPCI DVB driver did not check certain values during an ioctl. If the dvb-ttpci module was loaded, a local attacker could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-0521) Jens Kuehnel discovered that the InfiniBand driver contained a race condition. On systems using InfiniBand, a local attacker could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2011-0695) Dan Rosenberg discovered that XFS did not correctly initialize memory. A local attacker could make crafted ioctl calls to leak portions of kernel stack memory, leading to a loss of privacy. (CVE-2011-0711) Rafael Dominguez Vega discovered that the caiaq Native Instruments USB driver did not correctly validate string lengths. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2011-0712) Kees Cook reported that /proc/pid/stat did not correctly filter certain memory locations. A local attacker could determine the memory layout of processes in an attempt to increase the chances of a successful memory corruption exploit. (CVE-2011-0726) Timo Warns discovered that MAC partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system or potentially gain root privileges. (CVE-2011-1010) Timo Warns discovered that LDM partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1012) Matthiew Herrb discovered that the drm modeset interface did not correctly handle a signed comparison. A local attacker could exploit this to crash the system or possibly gain root privileges. (CVE-2011-1013) Marek Olsak discovered that the Radeon GPU drivers did not correctly validate certain registers. On systems with specific hardware, a local attacker could exploit this to write to arbitrary video memory. (CVE-2011-1016) Timo Warns discovered that the LDM disk partition handling code did not correctly handle certain values. By inserting a specially crafted disk device, a local attacker could exploit this to gain root privileges. (CVE-2011-1017) Vasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not needed to load kernel modules. A local attacker with the CAP_NET_ADMIN capability could load existing kernel modules, possibly increasing the attack surface available on the system. (CVE-2011-1019) Vasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078) Vasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079) Vasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080) Nelson Elhage discovered that the epoll subsystem did not correctly handle certain structures. A local attacker could create malicious requests that would hang the system, leading to a denial of service. (CVE-2011-1082) Neil Horman discovered that NFSv4 did not correctly handle certain orders of operation with ACL data. A remote attacker with access to an NFSv4 mount could exploit this to crash the system, leading to a denial of service. (CVE-2011-1090) Johan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093) Peter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160) Timo Warns discovered that OSF partition parsing routines did not correctly clear memory. A local attacker with physical access could plug in a specially crafted block device to read kernel memory, leading to a loss of privacy. (CVE-2011-1163) Dan Rosenberg discovered that some ALSA drivers did not correctly check the adapter index during ioctl calls. If this driver was loaded, a local attacker could make a specially crafted ioctl call to gain root privileges. (CVE-2011-1169) Vasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534) Vasiliy Kulikov discovered that the Acorn Universal Networking driver did not correctly initialize memory. A remote attacker could send specially crafted traffic to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1173) Dan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180) Julien Tinnes discovered that the kernel did not correctly validate the signal structure from tkill(). A local attacker could exploit this to send signals to arbitrary threads, possibly bypassing expected restrictions. (CVE-2011-1182) Ryan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478) Dan Rosenberg discovered that MPT devices did not correctly validate certain values in ioctl calls. If these drivers were loaded, a local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2011-1494, CVE-2011-1495) Timo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577) Tavis Ormandy discovered that the pidmap function did not correctly handle large requests. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1593) Oliver Hartkopp and Dave Jones discovered that the CAN network driver did not correctly validate certain socket structures. If this driver was loaded, a local attacker could crash the system, leading to a denial of service. (CVE-2011-1598, CVE-2011-1748) Vasiliy Kulikov discovered that the AGP driver did not check certain ioctl values. A local attacker with access to the video subsystem could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-1745, CVE-2011-2022) Vasiliy Kulikov discovered that the AGP driver did not check the size of certain memory allocations. A local attacker with access to the video subsystem could exploit this to run the system out of memory, leading to a denial of service. (CVE-2011-1746). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id55785
    published2011-08-09
    reporterUbuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/55785
    titleUbuntu 10.04 LTS : linux-lts-backport-maverick vulnerabilities (USN-1187-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1093-1.NASL
    descriptionDan Rosenberg discovered that the RDS network protocol did not correctly check certain parameters. A local attacker could exploit this gain root privileges. (CVE-2010-3904) Nelson Elhage discovered several problems with the Acorn Econet protocol driver. A local user could cause a denial of service via a NULL pointer dereference, escalate privileges by overflowing the kernel stack, and assign Econet addresses to arbitrary interfaces. (CVE-2010-3848, CVE-2010-3849, CVE-2010-3850) Ben Hutchings discovered that the ethtool interface did not correctly check certain sizes. A local attacker could perform malicious ioctl calls that could crash the system, leading to a denial of service. (CVE-2010-2478, CVE-2010-3084) Eric Dumazet discovered that many network functions could leak kernel stack contents. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (CVE-2010-2942, CVE-2010-3477) Dave Chinner discovered that the XFS filesystem did not correctly order inode lookups when exported by NFS. A remote attacker could exploit this to read or write disk blocks that had changed file assignment or had become unlinked, leading to a loss of privacy. (CVE-2010-2943) Tavis Ormandy discovered that the IRDA subsystem did not correctly shut down. A local attacker could exploit this to cause the system to crash or possibly gain root privileges. (CVE-2010-2954) Brad Spengler discovered that the wireless extensions did not correctly validate certain request sizes. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (CVE-2010-2955) Tavis Ormandy discovered that the session keyring did not correctly check for its parent. On systems without a default session keyring, a local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-2960) Kees Cook discovered that the Intel i915 graphics driver did not correctly validate memory regions. A local attacker with access to the video card could read and write arbitrary kernel memory to gain root privileges. (CVE-2010-2962) Kees Cook discovered that the V4L1 32bit compat interface did not correctly validate certain parameters. A local attacker on a 64bit system with access to a video device could exploit this to gain root privileges. (CVE-2010-2963) Tavis Ormandy discovered that the AIO subsystem did not correctly validate certain parameters. A local attacker could exploit this to crash the system or possibly gain root privileges. (CVE-2010-3067) Dan Rosenberg discovered that certain XFS ioctls leaked kernel stack contents. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (CVE-2010-3078) Robert Swiecki discovered that ftrace did not correctly handle mutexes. A local attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3079) Tavis Ormandy discovered that the OSS sequencer device did not correctly shut down. A local attacker could exploit this to crash the system or possibly gain root privileges. (CVE-2010-3080) Dan Rosenberg discovered that several network ioctls did not clear kernel memory correctly. A local user could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297, CVE-2010-3298) Dan Rosenberg discovered that the ROSE driver did not correctly check parameters. A local attacker with access to a ROSE network device could exploit this to crash the system or possibly gain root privileges. (CVE-2010-3310) Thomas Dreibholz discovered that SCTP did not correctly handle appending packet chunks. A remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2010-3432) Dan Rosenberg discovered that the CD driver did not correctly check parameters. A local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2010-3437) Dan Rosenberg discovered that the Sound subsystem did not correctly validate parameters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3442) Dan Jacobson discovered that ThinkPad video output was not correctly access controlled. A local attacker could exploit this to hang the system, leading to a denial of service. (CVE-2010-3448) It was discovered that KVM did not correctly initialize certain CPU registers. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3698) Dan Rosenberg discovered that SCTP did not correctly handle HMAC calculations. A remote attacker could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-3705) Brad Spengler discovered that stack memory for new a process was not correctly calculated. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3858) Dan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859) Kees Cook discovered that the ethtool interface did not correctly clear kernel memory. A local attacker could read kernel heap memory, leading to a loss of privacy. (CVE-2010-3861) Thomas Pollet discovered that the RDS network protocol did not check certain iovec buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3865) Dan Rosenberg discovered that the Linux kernel X.25 implementation incorrectly parsed facilities. A remote attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3873) Dan Rosenberg discovered that the CAN protocol on 64bit systems did not correctly calculate the size of certain buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3874) Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875) Vasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876) Vasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3877) Nelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880) Vasiliy Kulikov discovered that kvm did not correctly clear memory. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy. (CVE-2010-3881) Kees Cook and Vasiliy Kulikov discovered that the shm interface did not clear kernel memory correctly. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4072) Dan Rosenberg discovered that IPC structures were not correctly initialized on 64bit systems. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4073) Dan Rosenberg discovered that multiple terminal ioctls did not correctly initialize structure memory. A local attacker could exploit this to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4075) Dan Rosenberg discovered that the ivtv V4L driver did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4079) Dan Rosenberg discovered that the RME Hammerfall DSP audio interface driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4080, CVE-2010-4081) Dan Rosenberg discovered that the VIA video driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4082) Dan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083) James Bottomley discovered that the ICP vortex storage array controller driver did not validate certain sizes. A local attacker on a 64bit system could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-4157) Dan Rosenberg discovered that the socket filters did not correctly initialize structure memory. A local attacker could create malicious filters to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4158) Dan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges. (CVE-2010-4160) Dan Rosenberg discovered that certain iovec operations did not calculate page counts correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4162) Dan Rosenberg discovered that the SCSI subsystem did not correctly validate iov segments. A local attacker with access to a SCSI device could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2010-4163, CVE-2010-4668) Dan Rosenberg discovered multiple flaws in the X.25 facilities parsing. If a system was using X.25, a remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4164) Steve Chen discovered that setsockopt did not correctly check MSS values. A local attacker could make a specially crafted socket call to crash the system, leading to a denial of service. (CVE-2010-4165) Dave Jones discovered that the mprotect system call did not correctly handle merged VMAs. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4169) Dan Rosenberg discovered that the RDS protocol did not correctly check ioctl arguments. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4175) Alan Cox discovered that the HCI UART driver did not correctly check if a write operation was available. If the mmap_min-addr sysctl was changed from the Ubuntu default to a value of 0, a local attacker could exploit this flaw to gain root privileges. (CVE-2010-4242) It was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248) Vegard Nossum discovered that memory garbage collection was not handled correctly for active sockets. A local attacker could exploit this to allocate all available kernel memory, leading to a denial of service. (CVE-2010-4249) Nelson Elhage discovered that the kernel did not correctly handle process cleanup after triggering a recoverable kernel bug. If a local attacker were able to trigger certain kinds of kernel bugs, they could create a specially crafted process to gain root privileges. (CVE-2010-4258) Krishna Gudipati discovered that the bfa adapter driver did not correctly initialize certain structures. A local attacker could read files in /sys to crash the system, leading to a denial of service. (CVE-2010-4343) Tavis Ormandy discovered that the install_special_mapping function could bypass the mmap_min_addr restriction. A local attacker could exploit this to mmap 4096 bytes below the mmap_min_addr area, possibly improving the chances of performing NULL pointer dereference attacks. (CVE-2010-4346) It was discovered that the ICMP stack did not correctly handle certain unreachable messages. If a remote attacker were able to acquire a socket lock, they could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-4526) Dan Rosenberg discovered that the OSS subsystem did not handle name termination correctly. A local attacker could exploit this crash the system or gain root privileges. (CVE-2010-4527) An error was reported in the kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id65103
    published2013-03-08
    reporterUbuntu Security Notice (C) 2011-2013 Canonical, Inc. / NASL script (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/65103
    titleUbuntu 10.04 LTS / 10.10 : linux-mvl-dove vulnerabilities (USN-1093-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1072-1.NASL
    descriptionGleb Napatov discovered that KVM did not correctly check certain privileged operations. A local attacker with access to a guest kernel could exploit this to crash the host system, leading to a denial of service. (CVE-2010-0435) Dave Chinner discovered that the XFS filesystem did not correctly order inode lookups when exported by NFS. A remote attacker could exploit this to read or write disk blocks that had changed file assignment or had become unlinked, leading to a loss of privacy. (CVE-2010-2943) Dan Rosenberg discovered that several network ioctls did not clear kernel memory correctly. A local user could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297) Dan Jacobson discovered that ThinkPad video output was not correctly access controlled. A local attacker could exploit this to hang the system, leading to a denial of service. (CVE-2010-3448) It was discovered that KVM did not correctly initialize certain CPU registers. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3698) It was discovered that Xen did not correctly clean up threads. A local attacker in a guest system could exploit this to exhaust host system resources, leading to a denial of serivce. (CVE-2010-3699) Brad Spengler discovered that stack memory for new a process was not correctly calculated. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3858) Dan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859) Dan Rosenberg discovered that the Linux kernel X.25 implementation incorrectly parsed facilities. A remote attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3873) Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875) Vasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876) Vasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3877) Nelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880) Kees Cook and Vasiliy Kulikov discovered that the shm interface did not clear kernel memory correctly. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4072) Dan Rosenberg discovered that the USB subsystem did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4074) Dan Rosenberg discovered that the SiS video driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4078) Dan Rosenberg discovered that the ivtv V4L driver did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4079) Dan Rosenberg discovered that the RME Hammerfall DSP audio interface driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4080, CVE-2010-4081) Dan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083) James Bottomley discovered that the ICP vortex storage array controller driver did not validate certain sizes. A local attacker on a 64bit system could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-4157) Dan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges. (CVE-2010-4160) It was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id52475
    published2011-03-01
    reporterUbuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/52475
    titleUbuntu 8.04 LTS : linux vulnerabilities (USN-1072-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1073-1.NASL
    descriptionGleb Napatov discovered that KVM did not correctly check certain privileged operations. A local attacker with access to a guest kernel could exploit this to crash the host system, leading to a denial of service. (CVE-2010-0435) Dan Jacobson discovered that ThinkPad video output was not correctly access controlled. A local attacker could exploit this to hang the system, leading to a denial of service. (CVE-2010-3448) It was discovered that KVM did not correctly initialize certain CPU registers. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3698) Dan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859) Thomas Pollet discovered that the RDS network protocol did not check certain iovec buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3865) Dan Rosenberg discovered that the Linux kernel X.25 implementation incorrectly parsed facilities. A remote attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3873) Dan Rosenberg discovered that the CAN protocol on 64bit systems did not correctly calculate the size of certain buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3874) Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875) Vasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876) Vasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3877) Nelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880) Dan Rosenberg discovered that IPC structures were not correctly initialized on 64bit systems. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4073) Dan Rosenberg discovered that the USB subsystem did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4074) Dan Rosenberg discovered that the SiS video driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4078) Dan Rosenberg discovered that the ivtv V4L driver did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4079) Dan Rosenberg discovered that the RME Hammerfall DSP audio interface driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4080, CVE-2010-4081) Dan Rosenberg discovered that the VIA video driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4082) Dan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083) James Bottomley discovered that the ICP vortex storage array controller driver did not validate certain sizes. A local attacker on a 64bit system could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-4157) Dan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges. (CVE-2010-4160) Steve Chen discovered that setsockopt did not correctly check MSS values. A local attacker could make a specially crafted socket call to crash the system, leading to a denial of service. (CVE-2010-4165) Dave Jones discovered that the mprotect system call did not correctly handle merged VMAs. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4169) It was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248) Vegard Nossum discovered that memory garbage collection was not handled correctly for active sockets. A local attacker could exploit this to allocate all available kernel memory, leading to a denial of service. (CVE-2010-4249). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id52476
    published2011-03-01
    reporterUbuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/52476
    titleUbuntu 9.10 : linux, linux-ec2 vulnerabilities (USN-1073-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2011-0007.NASL
    descriptionFrom Red Hat Security Advisory 2011:0007 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. * Buffer overflow in eCryptfs. When /dev/ecryptfs has world-writable permissions (which it does not, by default, on Red Hat Enterprise Linux 6), a local, unprivileged user could use this flaw to cause a denial of service or possibly escalate their privileges. (CVE-2010-2492, Important) * Integer overflow in the RDS protocol implementation could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-3865, Important) * Missing boundary checks in the PPP over L2TP sockets implementation could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4160, Important) * NULL pointer dereference in the igb driver. If both Single Root I/O Virtualization (SR-IOV) and promiscuous mode were enabled on an interface using igb, it could result in a denial of service when a tagged VLAN packet is received on that interface. (CVE-2010-4263, Important) * Missing initialization flaw in the XFS file system implementation, and in the network traffic policing implementation, could allow a local, unprivileged user to cause an information leak. (CVE-2010-3078, CVE-2010-3477, Moderate) * NULL pointer dereference in the Open Sound System compatible sequencer driver could allow a local, unprivileged user with access to /dev/sequencer to cause a denial of service. /dev/sequencer is only accessible to root and users in the audio group by default. (CVE-2010-3080, Moderate) * Flaw in the ethtool IOCTL handler could allow a local user to cause an information leak. (CVE-2010-3861, Moderate) * Flaw in bcm_connect() in the Controller Area Network (CAN) Broadcast Manager. On 64-bit systems, writing the socket address may overflow the procname character array. (CVE-2010-3874, Moderate) * Flaw in the module for monitoring the sockets of INET transport protocols could allow a local, unprivileged user to cause a denial of service. (CVE-2010-3880, Moderate) * Missing boundary checks in the block layer implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2010-4162, CVE-2010-4163, CVE-2010-4668, Moderate) * NULL pointer dereference in the Bluetooth HCI UART driver could allow a local, unprivileged user to cause a denial of service. (CVE-2010-4242, Moderate) * Flaw in the Linux kernel CPU time clocks implementation for the POSIX clock interface could allow a local, unprivileged user to cause a denial of service. (CVE-2010-4248, Moderate) * Flaw in the garbage collector for AF_UNIX sockets could allow a local, unprivileged user to trigger a denial of service. (CVE-2010-4249, Moderate) * Missing upper bound integer check in the AIO implementation could allow a local, unprivileged user to cause an information leak. (CVE-2010-3067, Low) * Missing initialization flaws could lead to information leaks. (CVE-2010-3298, CVE-2010-3876, CVE-2010-4072, CVE-2010-4073, CVE-2010-4074, CVE-2010-4075, CVE-2010-4077, CVE-2010-4079, CVE-2010-4080, CVE-2010-4081, CVE-2010-4082, CVE-2010-4083, CVE-2010-4158, Low) * Missing initialization flaw in KVM could allow a privileged host user with access to /dev/kvm to cause an information leak. (CVE-2010-4525, Low) Red Hat would like to thank Andre Osterhues for reporting CVE-2010-2492; Thomas Pollet for reporting CVE-2010-3865; Dan Rosenberg for reporting CVE-2010-4160, CVE-2010-3078, CVE-2010-3874, CVE-2010-4162, CVE-2010-4163, CVE-2010-3298, CVE-2010-4073, CVE-2010-4074, CVE-2010-4075, CVE-2010-4077, CVE-2010-4079, CVE-2010-4080, CVE-2010-4081, CVE-2010-4082, CVE-2010-4083, and CVE-2010-4158; Kosuke Tatsukawa for reporting CVE-2010-4263; Tavis Ormandy for reporting CVE-2010-3080 and CVE-2010-3067; Kees Cook for reporting CVE-2010-3861 and CVE-2010-4072; Nelson Elhage for reporting CVE-2010-3880; Alan Cox for reporting CVE-2010-4242; Vegard Nossum for reporting CVE-2010-4249; Vasiliy Kulikov for reporting CVE-2010-3876; and Stephan Mueller of atsec information security for reporting CVE-2010-4525.
    last seen2020-06-01
    modified2020-06-02
    plugin id68177
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68177
    titleOracle Linux 6 : kernel (ELSA-2011-0007)

Redhat

advisories
  • rhsa
    idRHSA-2010:0958
  • rhsa
    idRHSA-2011:0007
rpms
  • kernel-rt-0:2.6.33.7-rt29.47.el5rt
  • kernel-rt-debug-0:2.6.33.7-rt29.47.el5rt
  • kernel-rt-debug-debuginfo-0:2.6.33.7-rt29.47.el5rt
  • kernel-rt-debug-devel-0:2.6.33.7-rt29.47.el5rt
  • kernel-rt-debuginfo-0:2.6.33.7-rt29.47.el5rt
  • kernel-rt-debuginfo-common-0:2.6.33.7-rt29.47.el5rt
  • kernel-rt-devel-0:2.6.33.7-rt29.47.el5rt
  • kernel-rt-doc-0:2.6.33.7-rt29.47.el5rt
  • kernel-rt-trace-0:2.6.33.7-rt29.47.el5rt
  • kernel-rt-trace-debuginfo-0:2.6.33.7-rt29.47.el5rt
  • kernel-rt-trace-devel-0:2.6.33.7-rt29.47.el5rt
  • kernel-rt-vanilla-0:2.6.33.7-rt29.47.el5rt
  • kernel-rt-vanilla-debuginfo-0:2.6.33.7-rt29.47.el5rt
  • kernel-rt-vanilla-devel-0:2.6.33.7-rt29.47.el5rt
  • perf-0:2.6.33.7-rt29.47.el5rt
  • perf-debuginfo-0:2.6.33.7-rt29.47.el5rt
  • kernel-0:2.6.32-71.14.1.el6
  • kernel-bootwrapper-0:2.6.32-71.14.1.el6
  • kernel-debug-0:2.6.32-71.14.1.el6
  • kernel-debug-debuginfo-0:2.6.32-71.14.1.el6
  • kernel-debug-devel-0:2.6.32-71.14.1.el6
  • kernel-debuginfo-0:2.6.32-71.14.1.el6
  • kernel-debuginfo-common-i686-0:2.6.32-71.14.1.el6
  • kernel-debuginfo-common-ppc64-0:2.6.32-71.14.1.el6
  • kernel-debuginfo-common-s390x-0:2.6.32-71.14.1.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-71.14.1.el6
  • kernel-devel-0:2.6.32-71.14.1.el6
  • kernel-doc-0:2.6.32-71.14.1.el6
  • kernel-firmware-0:2.6.32-71.14.1.el6
  • kernel-headers-0:2.6.32-71.14.1.el6
  • kernel-kdump-0:2.6.32-71.14.1.el6
  • kernel-kdump-debuginfo-0:2.6.32-71.14.1.el6
  • kernel-kdump-devel-0:2.6.32-71.14.1.el6
  • perf-0:2.6.32-71.14.1.el6

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 45062 CVE ID: CVE-2010-4079 Linux Kernel是开放源码操作系统Linux所使用的内核。 Linux Kernel在实现上存在漏洞,本地攻击者可利用此漏洞获取敏感信息,从而有利于执行其他攻击。 V4L/DVB: ivtvfb: 防止读取未始化栈内存。FBIOGET_VBLANK device ioctl允许未授权用户读取16字节的未始化栈内存,因为在栈上公布的fb_vblank结构的“保留”的成员在复制给用户之前没有变更或清零。 Linux kernel 2.6.0 - 2.6.37 厂商补丁: Linux ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.kernel.org/
idSSV:20277
last seen2017-11-19
modified2010-12-01
published2010-12-01
reporterRoot
titleLinux Kernel &quot;FBIOGET_VBLANK&quot; IOCTL本地信息泄露漏洞