Vulnerabilities > CVE-2011-1833 - Race Condition vulnerability in Linux Kernel
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Race condition in the ecryptfs_mount function in fs/ecryptfs/main.c in the eCryptfs subsystem in the Linux kernel before 3.1 allows local users to bypass intended file permissions via a mount.ecryptfs_private mount with a mismatched uid.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2012-0013.NASL description a. vCenter and ESX update to JRE 1.6.0 Update 31 The Oracle (Sun) JRE is updated to version 1.6.0_31, which addresses multiple security issues. Oracle has documented the CVE identifiers that are addressed by this update in the Oracle Java SE Critical Patch Update Advisory of February 2012. b. vCenter Update Manager update to JRE 1.5.0 Update 36 The Oracle (Sun) JRE is updated to 1.5.0_36 to address multiple security issues. Oracle has documented the CVE identifiers that are addressed in JRE 1.5.0_36 in the Oracle Java SE Critical Patch Update Advisory for June 2012. c. Update to ESX/ESXi userworld OpenSSL library The ESX/ESXi userworld OpenSSL library is updated from version 0.9.8p to version 0.9.8t to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-4180, CVE-2010-4252, CVE-2011-0014, CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, and CVE-2012-0050 to these issues. d. Update to ESX service console OpenSSL RPM The service console OpenSSL RPM is updated to version 0.9.8e-22.el5_8.3 to resolve a security issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2110 to this issue. e. Update to ESX service console kernel The ESX service console kernel is updated to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-1833, CVE-2011-2484, CVE-2011-2496, CVE-2011-3188, CVE-2011-3209, CVE-2011-3363, CVE-2011-4110, CVE-2011-1020, CVE-2011-4132, CVE-2011-4324, CVE-2011-4325, CVE-2012-0207, CVE-2011-2699, and CVE-2012-1583 to these issues. f. Update to ESX service console Perl RPM The ESX service console Perl RPM is updated to perl-5.8.8.32.1.8999.vmw to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-2761, CVE-2010-4410, and CVE-2011-3597 to these issues. g. Update to ESX service console libxml2 RPMs The ESX service console libmxl2 RPMs are updated to libxml2-2.6.26-2.1.15.el5_8.2 and libxml2-python-2.6.26-2.1.15.el5_8.2 to resolve a security issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-0841 to this issue. h. Update to ESX service console glibc RPM The ESX service console glibc RPM is updated to version glibc-2.5-81.el5_8.1 to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, and CVE-2012-0864 to these issue. i. Update to ESX service console GnuTLS RPM The ESX service console GnuTLS RPM is updated to version 1.4.1-7.el5_8.2 to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-4128, CVE-2012-1569, and CVE-2012-1573 to these issues. j. Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS The ESX service console popt, rpm, rpm-libs, and rpm-python RPMS are updated to the following versions to resolve multiple security issues : - popt-1.10.2.3-28.el5_8 - rpm-4.4.2.3-28.el5_8 - rpm-libs-4.4.2.3-28.el5_8 - rpm-python-4.4.2.3-28.el5_8 The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-0060, CVE-2012-0061, and CVE-2012-0815 to these issues. k. Vulnerability in third-party Apache Struts component The version of Apache Struts in vCenter Operations has been updated to 2.3.4 which addresses an arbitrary file overwrite vulnerability. This vulnerability allows an attacker to create a denial of service by overwriting arbitrary files without authentication. The attacker would need to be on the same network as the system where vCOps is installed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-0393 to this issue. Note: Apache struts 2.3.4 addresses the following issues as well : CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0394. It was found that these do not affect vCOps. VMware would like to thank Alexander Minozhenko from ERPScan for reporting this issue to us. last seen 2020-06-01 modified 2020-06-02 plugin id 61747 published 2012-08-31 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61747 title VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party libraries code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory 2012-0013. # The text itself is copyright (C) VMware Inc. # include("compat.inc"); if (description) { script_id(61747); script_version("1.56"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/30"); script_cve_id("CVE-2009-5029", "CVE-2009-5064", "CVE-2010-0830", "CVE-2010-2761", "CVE-2010-4180", "CVE-2010-4252", "CVE-2010-4410", "CVE-2011-0014", "CVE-2011-1020", "CVE-2011-1089", "CVE-2011-1833", "CVE-2011-2484", "CVE-2011-2496", "CVE-2011-2699", "CVE-2011-3188", "CVE-2011-3209", "CVE-2011-3363", "CVE-2011-3597", "CVE-2011-4108", "CVE-2011-4109", "CVE-2011-4110", "CVE-2011-4128", "CVE-2011-4132", "CVE-2011-4324", "CVE-2011-4325", "CVE-2011-4576", "CVE-2011-4577", "CVE-2011-4609", "CVE-2011-4619", "CVE-2012-0050", "CVE-2012-0060", "CVE-2012-0061", "CVE-2012-0207", "CVE-2012-0393", "CVE-2012-0815", "CVE-2012-0841", "CVE-2012-0864", "CVE-2012-1569", "CVE-2012-1573", "CVE-2012-1583", "CVE-2012-2110"); script_bugtraq_id(40063, 44199, 45145, 45163, 45164, 46264, 46567, 46740, 47321, 48383, 48802, 49108, 49289, 49626, 49911, 50311, 50609, 50663, 50755, 50798, 50898, 51194, 51257, 51281, 51343, 51366, 51439, 51467, 51563, 52009, 52010, 52011, 52012, 52013, 52014, 52015, 52016, 52017, 52018, 52019, 52020, 52107, 52161, 52201, 52667, 52668, 52865, 53136, 53139, 53158, 53946, 53947, 53948, 53949, 53950, 53951, 53952, 53953, 53954, 53956, 53958, 53959, 53960); script_xref(name:"VMSA", value:"2012-0013"); script_name(english:"VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party libraries"); script_summary(english:"Checks esxupdate output for the patches"); script_set_attribute( attribute:"synopsis", value: "The remote VMware ESXi / ESX host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "a. vCenter and ESX update to JRE 1.6.0 Update 31 The Oracle (Sun) JRE is updated to version 1.6.0_31, which addresses multiple security issues. Oracle has documented the CVE identifiers that are addressed by this update in the Oracle Java SE Critical Patch Update Advisory of February 2012. b. vCenter Update Manager update to JRE 1.5.0 Update 36 The Oracle (Sun) JRE is updated to 1.5.0_36 to address multiple security issues. Oracle has documented the CVE identifiers that are addressed in JRE 1.5.0_36 in the Oracle Java SE Critical Patch Update Advisory for June 2012. c. Update to ESX/ESXi userworld OpenSSL library The ESX/ESXi userworld OpenSSL library is updated from version 0.9.8p to version 0.9.8t to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-4180, CVE-2010-4252, CVE-2011-0014, CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, and CVE-2012-0050 to these issues. d. Update to ESX service console OpenSSL RPM The service console OpenSSL RPM is updated to version 0.9.8e-22.el5_8.3 to resolve a security issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2110 to this issue. e. Update to ESX service console kernel The ESX service console kernel is updated to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-1833, CVE-2011-2484, CVE-2011-2496, CVE-2011-3188, CVE-2011-3209, CVE-2011-3363, CVE-2011-4110, CVE-2011-1020, CVE-2011-4132, CVE-2011-4324, CVE-2011-4325, CVE-2012-0207, CVE-2011-2699, and CVE-2012-1583 to these issues. f. Update to ESX service console Perl RPM The ESX service console Perl RPM is updated to perl-5.8.8.32.1.8999.vmw to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-2761, CVE-2010-4410, and CVE-2011-3597 to these issues. g. Update to ESX service console libxml2 RPMs The ESX service console libmxl2 RPMs are updated to libxml2-2.6.26-2.1.15.el5_8.2 and libxml2-python-2.6.26-2.1.15.el5_8.2 to resolve a security issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-0841 to this issue. h. Update to ESX service console glibc RPM The ESX service console glibc RPM is updated to version glibc-2.5-81.el5_8.1 to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, and CVE-2012-0864 to these issue. i. Update to ESX service console GnuTLS RPM The ESX service console GnuTLS RPM is updated to version 1.4.1-7.el5_8.2 to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-4128, CVE-2012-1569, and CVE-2012-1573 to these issues. j. Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS The ESX service console popt, rpm, rpm-libs, and rpm-python RPMS are updated to the following versions to resolve multiple security issues : - popt-1.10.2.3-28.el5_8 - rpm-4.4.2.3-28.el5_8 - rpm-libs-4.4.2.3-28.el5_8 - rpm-python-4.4.2.3-28.el5_8 The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-0060, CVE-2012-0061, and CVE-2012-0815 to these issues. k. Vulnerability in third-party Apache Struts component The version of Apache Struts in vCenter Operations has been updated to 2.3.4 which addresses an arbitrary file overwrite vulnerability. This vulnerability allows an attacker to create a denial of service by overwriting arbitrary files without authentication. The attacker would need to be on the same network as the system where vCOps is installed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-0393 to this issue. Note: Apache struts 2.3.4 addresses the following issues as well : CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0394. It was found that these do not affect vCOps. VMware would like to thank Alexander Minozhenko from ERPScan for reporting this issue to us." ); script_set_attribute( attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2012/000197.html" ); script_set_attribute(attribute:"solution", value:"Apply the missing patches."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Java Applet Field Bytecode Verifier Cache Remote Code Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2010/06/01"); script_set_attribute(attribute:"patch_publication_date", value:"2012/08/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/31"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"VMware ESX Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version"); script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs"); exit(0); } include("audit.inc"); include("vmware_esx_packages.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi"); if ( !get_kb_item("Host/VMware/esxcli_software_vibs") && !get_kb_item("Host/VMware/esxupdate") ) audit(AUDIT_PACKAGE_LIST_MISSING); init_esx_check(date:"2012-08-30"); flag = 0; if ( esx_check( ver : "ESX 4.0", patch : "ESX400-201209401-SG", patch_updates : make_list("ESX400-201302401-SG", "ESX400-201305401-SG", "ESX400-201310401-SG", "ESX400-201404401-SG") ) ) flag++; if ( esx_check( ver : "ESX 4.0", patch : "ESX400-201209402-SG", patch_updates : make_list("ESX400-201305404-SG", "ESX400-201310402-SG") ) ) flag++; if (esx_check(ver:"ESX 4.0", patch:"ESX400-201209404-SG")) flag++; if ( esx_check( ver : "ESX 4.1", patch : "ESX410-201208101-SG", patch_updates : make_list("ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update03") ) ) flag++; if ( esx_check( ver : "ESX 4.1", patch : "ESX410-201208102-SG", patch_updates : make_list("ESX410-201301405-SG", "ESX410-201304402-SG", "ESX410-201307405-SG", "ESX410-Update03") ) ) flag++; if ( esx_check( ver : "ESX 4.1", patch : "ESX410-201208103-SG", patch_updates : make_list("ESX410-201307403-SG", "ESX410-Update03") ) ) flag++; if ( esx_check( ver : "ESX 4.1", patch : "ESX410-201208104-SG", patch_updates : make_list("ESX410-Update03") ) ) flag++; if ( esx_check( ver : "ESX 4.1", patch : "ESX410-201208105-SG", patch_updates : make_list("ESX410-Update03") ) ) flag++; if ( esx_check( ver : "ESX 4.1", patch : "ESX410-201208106-SG", patch_updates : make_list("ESX410-201307404-SG", "ESX410-Update03") ) ) flag++; if ( esx_check( ver : "ESX 4.1", patch : "ESX410-201208107-SG", patch_updates : make_list("ESX410-Update03") ) ) flag++; if ( esx_check( ver : "ESXi 4.1", patch : "ESXi410-201208101-SG", patch_updates : make_list("ESXi410-201211401-SG", "ESXi410-201301401-SG", "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG", "ESXi410-201404401-SG", "ESXi410-Update03") ) ) flag++; if (esx_check(ver:"ESXi 5.0", vib:"VMware:esx-base:5.0.0-1.25.912577")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1188-1.NASL description Vasiliy Kulikov and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested mountpoint. A local attacker could use this flaw to mount to arbitrary locations, leading to privilege escalation. (CVE-2011-1831) Vasiliy Kulikov and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested mountpoint. A local attacker could use this flaw to unmount to arbitrary locations, leading to a denial of service. (CVE-2011-1832) Vasiliy Kulikov and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested source directory. A local attacker could use this flaw to mount an arbitrary directory, possibly leading to information disclosure. A pending kernel update will provide the other half of the fix for this issue. (CVE-2011-1833) Dan Rosenberg and Marc Deslauriers discovered that eCryptfs incorrectly handled modifications to the mtab file when an error occurs. A local attacker could use this flaw to corrupt the mtab file, and possibly unmount arbitrary locations, leading to a denial of service. (CVE-2011-1834) Marc Deslauriers discovered that eCryptfs incorrectly handled keys when setting up an encrypted private directory. A local attacker could use this flaw to manipulate keys during creation of a new user. (CVE-2011-1835) Marc Deslauriers discovered that eCryptfs incorrectly handled permissions during recovery. A local attacker could use this flaw to possibly access another user last seen 2020-06-01 modified 2020-06-02 plugin id 55810 published 2011-08-10 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/55810 title Ubuntu 10.04 LTS / 10.10 / 11.04 : ecryptfs-utils vulnerabilities (USN-1188-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-1188-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(55810); script_version("1.10"); script_cvs_date("Date: 2019/09/19 12:54:27"); script_cve_id("CVE-2011-1831", "CVE-2011-1832", "CVE-2011-1833", "CVE-2011-1834", "CVE-2011-1835", "CVE-2011-1836", "CVE-2011-1837"); script_xref(name:"USN", value:"1188-1"); script_name(english:"Ubuntu 10.04 LTS / 10.10 / 11.04 : ecryptfs-utils vulnerabilities (USN-1188-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Vasiliy Kulikov and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested mountpoint. A local attacker could use this flaw to mount to arbitrary locations, leading to privilege escalation. (CVE-2011-1831) Vasiliy Kulikov and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested mountpoint. A local attacker could use this flaw to unmount to arbitrary locations, leading to a denial of service. (CVE-2011-1832) Vasiliy Kulikov and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested source directory. A local attacker could use this flaw to mount an arbitrary directory, possibly leading to information disclosure. A pending kernel update will provide the other half of the fix for this issue. (CVE-2011-1833) Dan Rosenberg and Marc Deslauriers discovered that eCryptfs incorrectly handled modifications to the mtab file when an error occurs. A local attacker could use this flaw to corrupt the mtab file, and possibly unmount arbitrary locations, leading to a denial of service. (CVE-2011-1834) Marc Deslauriers discovered that eCryptfs incorrectly handled keys when setting up an encrypted private directory. A local attacker could use this flaw to manipulate keys during creation of a new user. (CVE-2011-1835) Marc Deslauriers discovered that eCryptfs incorrectly handled permissions during recovery. A local attacker could use this flaw to possibly access another user's data during the recovery process. This issue only applied to Ubuntu 11.04. (CVE-2011-1836) Vasiliy Kulikov discovered that eCryptfs incorrectly handled lock counters. A local attacker could use this flaw to possibly overwrite arbitrary files. The default symlink restrictions in Ubuntu 10.10 and 11.04 should protect against this issue. (CVE-2011-1837). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/1188-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected ecryptfs-utils package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ecryptfs-utils"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/03"); script_set_attribute(attribute:"patch_publication_date", value:"2011/08/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/08/10"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(10\.04|10\.10|11\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 10.04 / 10.10 / 11.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"10.04", pkgname:"ecryptfs-utils", pkgver:"83-0ubuntu3.2.10.04.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"ecryptfs-utils", pkgver:"83-0ubuntu3.2.10.10.1")) flag++; if (ubuntu_check(osver:"11.04", pkgname:"ecryptfs-utils", pkgver:"87-0ubuntu1.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ecryptfs-utils"); }NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2011-1241.NASL description Updated ecryptfs-utils packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. eCryptfs is a stacked, cryptographic file system. It is transparent to the underlying file system and provides per-file granularity. eCryptfs is released as a Technology Preview for Red Hat Enterprise Linux 5 and 6. The setuid mount.ecryptfs_private utility allows users to mount an eCryptfs file system. This utility can only be run by users in the last seen 2020-06-01 modified 2020-06-02 plugin id 56273 published 2011-09-23 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56273 title CentOS 5 : ecryptfs-utils (CESA-2011:1241) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2011:1241 and # CentOS Errata and Security Advisory 2011:1241 respectively. # include("compat.inc"); if (description) { script_id(56273); script_version("1.16"); script_cvs_date("Date: 2019/10/25 13:36:06"); script_cve_id("CVE-2011-1831", "CVE-2011-1832", "CVE-2011-1833", "CVE-2011-1834", "CVE-2011-1835", "CVE-2011-1837", "CVE-2011-3145"); script_bugtraq_id(49108, 49287); script_xref(name:"RHSA", value:"2011:1241"); script_name(english:"CentOS 5 : ecryptfs-utils (CESA-2011:1241)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated ecryptfs-utils packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. eCryptfs is a stacked, cryptographic file system. It is transparent to the underlying file system and provides per-file granularity. eCryptfs is released as a Technology Preview for Red Hat Enterprise Linux 5 and 6. The setuid mount.ecryptfs_private utility allows users to mount an eCryptfs file system. This utility can only be run by users in the 'ecryptfs' group. A race condition flaw was found in the way mount.ecryptfs_private checked the permissions of a requested mount point when mounting an encrypted file system. A local attacker could possibly use this flaw to escalate their privileges by mounting over an arbitrary directory. (CVE-2011-1831) A race condition flaw in umount.ecryptfs_private could allow a local attacker to unmount an arbitrary file system. (CVE-2011-1832) It was found that mount.ecryptfs_private did not handle certain errors correctly when updating the mtab (mounted file systems table) file, allowing a local attacker to corrupt the mtab file and possibly unmount an arbitrary file system. (CVE-2011-1834) An insecure temporary file use flaw was found in the ecryptfs-setup-private script. A local attacker could use this script to insert their own key that will subsequently be used by a new user, possibly giving the attacker access to the user's encrypted data if existing file permissions allow access. (CVE-2011-1835) A race condition flaw in mount.ecryptfs_private could allow a local attacker to overwrite arbitrary files. (CVE-2011-1837) A race condition flaw in the way temporary files were accessed in mount.ecryptfs_private could allow a malicious, local user to make arbitrary modifications to the mtab file. (CVE-2011-3145) A race condition flaw was found in the way mount.ecryptfs_private checked the permissions of the directory to mount. A local attacker could use this flaw to mount (and then access) a directory they would otherwise not have access to. Note: The fix for this issue is incomplete until a kernel-space change is made. Future Red Hat Enterprise Linux 5 and 6 kernel updates will correct this issue. (CVE-2011-1833) Red Hat would like to thank the Ubuntu Security Team for reporting these issues. The Ubuntu Security Team acknowledges Vasiliy Kulikov of Openwall and Dan Rosenberg as the original reporters of CVE-2011-1831, CVE-2011-1832, and CVE-2011-1833; Dan Rosenberg and Marc Deslauriers as the original reporters of CVE-2011-1834; Marc Deslauriers as the original reporter of CVE-2011-1835; and Vasiliy Kulikov of Openwall as the original reporter of CVE-2011-1837. Users of ecryptfs-utils are advised to upgrade to these updated packages, which contain backported patches to correct these issues." ); # https://lists.centos.org/pipermail/centos-announce/2011-September/017811.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?52413165" ); # https://lists.centos.org/pipermail/centos-announce/2011-September/017812.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?db14ec10" ); # https://lists.centos.org/pipermail/centos-cr-announce/2011-September/000040.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?af9cba0b" ); # https://lists.centos.org/pipermail/centos-cr-announce/2011-September/000041.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?2e894d9a" ); script_set_attribute( attribute:"solution", value:"Update the affected ecryptfs-utils packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ecryptfs-utils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ecryptfs-utils-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ecryptfs-utils-gui"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/03"); script_set_attribute(attribute:"patch_publication_date", value:"2011/09/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/09/23"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-5", reference:"ecryptfs-utils-75-5.el5_7.2")) flag++; if (rpm_check(release:"CentOS-5", reference:"ecryptfs-utils-devel-75-5.el5_7.2")) flag++; if (rpm_check(release:"CentOS-5", reference:"ecryptfs-utils-gui-75-5.el5_7.2")) flag++; if (flag) { cr_plugin_caveat = '\n' + 'NOTE: The security advisory associated with this vulnerability has a\n' + 'fixed package version that may only be available in the continuous\n' + 'release (CR) repository for CentOS, until it is present in the next\n' + 'point release of CentOS.\n\n' + 'If an equal or higher package level does not exist in the baseline\n' + 'repository for your major version of CentOS, then updates from the CR\n' + 'repository will need to be applied in order to address the\n' + 'vulnerability.\n'; security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + cr_plugin_caveat ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ecryptfs-utils / ecryptfs-utils-devel / ecryptfs-utils-gui"); }NASL family SuSE Local Security Checks NASL id SUSE_11_ECRYPTFS-UTILS-110804.NASL description This update of ecryptfs-utils fixes several security problems : - Race condition when checking mountpoint during mount. (CVE-2011-1831) - Race condition when checking mountpoint during unmount. (CVE-2011-1832) - Race condition when checking source during mount. (CVE-2011-1833) - Improper mtab handling allowing corruption due to resource limits, signals, etc. (CVE-2011-1834) last seen 2020-06-01 modified 2020-06-02 plugin id 55827 published 2011-08-12 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55827 title SuSE 11.1 Security Update : ecryptfs-utils (SAT Patch Number 4956) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SuSE 11 update information. The text itself is # copyright (C) Novell, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(55827); script_version("1.8"); script_cvs_date("Date: 2019/10/25 13:36:42"); script_cve_id("CVE-2011-1831", "CVE-2011-1832", "CVE-2011-1833", "CVE-2011-1834", "CVE-2011-1835", "CVE-2011-1836", "CVE-2011-1837"); script_name(english:"SuSE 11.1 Security Update : ecryptfs-utils (SAT Patch Number 4956)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 11 host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update of ecryptfs-utils fixes several security problems : - Race condition when checking mountpoint during mount. (CVE-2011-1831) - Race condition when checking mountpoint during unmount. (CVE-2011-1832) - Race condition when checking source during mount. (CVE-2011-1833) - Improper mtab handling allowing corruption due to resource limits, signals, etc. (CVE-2011-1834)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=709771" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-1831.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-1832.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-1833.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-1834.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-1835.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-1836.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-1837.html" ); script_set_attribute(attribute:"solution", value:"Apply SAT patch number 4956."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:ecryptfs-utils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:ecryptfs-utils-32bit"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"patch_publication_date", value:"2011/08/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/08/12"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11"); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu); pl = get_kb_item("Host/SuSE/patchlevel"); if (isnull(pl) || int(pl) != 1) audit(AUDIT_OS_NOT, "SuSE 11.1"); flag = 0; if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"ecryptfs-utils-61-1.29.1")) flag++; if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"ecryptfs-utils-61-1.29.1")) flag++; if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"ecryptfs-utils-32bit-61-1.29.1")) flag++; if (rpm_check(release:"SLES11", sp:1, reference:"ecryptfs-utils-61-1.29.1")) flag++; if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"ecryptfs-utils-32bit-61-1.29.1")) flag++; if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"ecryptfs-utils-32bit-61-1.29.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2011-10733.NASL description - privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832) - race condition when checking source during mount (CVE-2011-1833) - mtab corruption via improper handling (CVE-2011-1834) - key poisoning via insecure temp directory handling (CVE-2011-1835) - information disclosure via recovery mount in /tmp (CVE-2011-1836) - arbitrary file overwrite via lock counter race (CVE-2011-1837) - improve logging messages of ecryptfs pam module - keep own copy of passphrase, pam clears it too early - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - improve logging messages of ecryptfs pam module - keep own copy of passphrase, pam clears it too early - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - improve logging messages of ecryptfs pam module - keep own copy of passphrase, pam clears it too early - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56076 published 2011-09-06 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56076 title Fedora 15 : ecryptfs-utils-90-1.fc15 (2011-10733) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2011-10733. # include("compat.inc"); if (description) { script_id(56076); script_version("1.9"); script_cvs_date("Date: 2019/08/02 13:32:33"); script_cve_id("CVE-2011-1831", "CVE-2011-1832", "CVE-2011-1834", "CVE-2011-1835", "CVE-2011-1837"); script_xref(name:"FEDORA", value:"2011-10733"); script_name(english:"Fedora 15 : ecryptfs-utils-90-1.fc15 (2011-10733)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832) - race condition when checking source during mount (CVE-2011-1833) - mtab corruption via improper handling (CVE-2011-1834) - key poisoning via insecure temp directory handling (CVE-2011-1835) - information disclosure via recovery mount in /tmp (CVE-2011-1836) - arbitrary file overwrite via lock counter race (CVE-2011-1837) - improve logging messages of ecryptfs pam module - keep own copy of passphrase, pam clears it too early - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - improve logging messages of ecryptfs pam module - keep own copy of passphrase, pam clears it too early - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - improve logging messages of ecryptfs pam module - keep own copy of passphrase, pam clears it too early - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=729465" ); # https://lists.fedoraproject.org/pipermail/package-announce/2011-September/065042.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?8d9e89ee" ); script_set_attribute( attribute:"solution", value:"Update the affected ecryptfs-utils package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:ecryptfs-utils"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:15"); script_set_attribute(attribute:"patch_publication_date", value:"2011/08/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/09/06"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^15([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 15.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC15", reference:"ecryptfs-utils-90-1.fc15")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ecryptfs-utils"); }NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2013-0039.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2013-0039 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 79507 published 2014-11-26 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79507 title OracleVM 2.2 : kernel (OVMSA-2013-0039) code # # (C) Tenable Network Security, Inc. # # The package checks in this plugin were extracted from OracleVM # Security Advisory OVMSA-2013-0039. # include("compat.inc"); if (description) { script_id(79507); script_version("1.25"); script_cvs_date("Date: 2020/02/13"); script_cve_id("CVE-2006-6304", "CVE-2007-4567", "CVE-2009-0745", "CVE-2009-0746", "CVE-2009-0747", "CVE-2009-0748", "CVE-2009-1388", "CVE-2009-1389", "CVE-2009-1895", "CVE-2009-2406", "CVE-2009-2407", "CVE-2009-2692", "CVE-2009-2847", "CVE-2009-2848", "CVE-2009-2908", "CVE-2009-3080", "CVE-2009-3286", "CVE-2009-3547", "CVE-2009-3612", "CVE-2009-3620", "CVE-2009-3621", "CVE-2009-3726", "CVE-2009-4020", "CVE-2009-4021", "CVE-2009-4067", "CVE-2009-4138", "CVE-2009-4141", "CVE-2009-4307", "CVE-2009-4308", "CVE-2009-4536", "CVE-2009-4537", "CVE-2009-4538", "CVE-2010-0007", "CVE-2010-0415", "CVE-2010-0437", "CVE-2010-0622", "CVE-2010-0727", "CVE-2010-1083", "CVE-2010-1084", "CVE-2010-1086", "CVE-2010-1087", "CVE-2010-1088", "CVE-2010-1173", "CVE-2010-1188", "CVE-2010-1436", "CVE-2010-1437", "CVE-2010-1641", "CVE-2010-2226", "CVE-2010-2240", "CVE-2010-2248", "CVE-2010-2521", "CVE-2010-2798", "CVE-2010-2942", "CVE-2010-2963", "CVE-2010-3067", "CVE-2010-3078", "CVE-2010-3086", "CVE-2010-3296", "CVE-2010-3432", "CVE-2010-3442", "CVE-2010-3477", "CVE-2010-3858", "CVE-2010-3859", "CVE-2010-3876", "CVE-2010-3877", "CVE-2010-4073", "CVE-2010-4080", "CVE-2010-4081", "CVE-2010-4083", "CVE-2010-4157", "CVE-2010-4158", "CVE-2010-4242", "CVE-2010-4248", "CVE-2010-4249", "CVE-2010-4258", "CVE-2010-4346", "CVE-2010-4649", "CVE-2010-4655", "CVE-2011-0521", "CVE-2011-0726", "CVE-2011-1010", "CVE-2011-1020", "CVE-2011-1044", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1083", "CVE-2011-1090", "CVE-2011-1093", "CVE-2011-1160", "CVE-2011-1162", "CVE-2011-1163", "CVE-2011-1182", "CVE-2011-1573", "CVE-2011-1577", "CVE-2011-1585", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1776", "CVE-2011-1833", "CVE-2011-2022", "CVE-2011-2203", "CVE-2011-2213", "CVE-2011-2482", "CVE-2011-2484", "CVE-2011-2491", "CVE-2011-2496", "CVE-2011-2525", "CVE-2011-3191", "CVE-2011-3637", "CVE-2011-3638", "CVE-2011-4077", "CVE-2011-4086", "CVE-2011-4110", "CVE-2011-4127", "CVE-2011-4324", "CVE-2011-4330", "CVE-2011-4348", "CVE-2012-1583", "CVE-2012-2136"); script_bugtraq_id(35281, 35647, 35850, 35851, 35930, 36038, 36472, 36639, 36723, 36824, 36827, 36901, 36936, 37068, 37069, 37339, 37519, 37521, 37523, 37762, 37806, 38144, 38165, 38185, 38479, 38898, 39016, 39042, 39044, 39101, 39569, 39715, 39719, 39794, 40356, 40920, 42124, 42242, 42249, 42505, 42529, 43022, 43221, 43353, 43480, 43787, 43809, 44242, 44301, 44354, 44630, 44648, 44754, 44758, 45014, 45028, 45037, 45058, 45063, 45073, 45159, 45323, 45972, 45986, 46073, 46488, 46492, 46567, 46616, 46630, 46766, 46793, 46866, 46878, 47003, 47308, 47321, 47343, 47381, 47534, 47535, 47791, 47796, 47843, 48236, 48333, 48383, 48641, 48687, 49108, 49141, 49295, 49373, 50322, 50370, 50750, 50755, 50764, 50798, 51176, 51361, 51363, 51945, 53139, 53721); script_name(english:"OracleVM 2.2 : kernel (OVMSA-2013-0039)"); script_summary(english:"Checks the RPM output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote OracleVM host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2013-0039 for details." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/oraclevm-errata/2013-May/000153.html" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel Sendpage Local Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(16, 20, 119, 189, 200, 264, 362, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-PAE"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-PAE-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-ovs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-ovs-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:2.2"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/14"); script_set_attribute(attribute:"patch_publication_date", value:"2013/05/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/26"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"OracleVM Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/OracleVM/release"); if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM"); if (! preg(pattern:"^OVS" + "2\.2" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 2.2", "OracleVM " + release); if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu); flag = 0; if (rpm_check(release:"OVS2.2", reference:"kernel-2.6.18-128.2.1.5.10.el5")) flag++; if (rpm_check(release:"OVS2.2", reference:"kernel-PAE-2.6.18-128.2.1.5.10.el5")) flag++; if (rpm_check(release:"OVS2.2", reference:"kernel-PAE-devel-2.6.18-128.2.1.5.10.el5")) flag++; if (rpm_check(release:"OVS2.2", reference:"kernel-devel-2.6.18-128.2.1.5.10.el5")) flag++; if (rpm_check(release:"OVS2.2", reference:"kernel-ovs-2.6.18-128.2.1.5.10.el5")) flag++; if (rpm_check(release:"OVS2.2", reference:"kernel-ovs-devel-2.6.18-128.2.1.5.10.el5")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-PAE / kernel-PAE-devel / kernel-devel / kernel-ovs / etc"); }NASL family Scientific Linux Local Security Checks NASL id SL_20110831_ECRYPTFS_UTILS_ON_SL5_X.NASL description eCryptfs is a stacked, cryptographic file system. It is transparent to the underlying file system and provides per-file granularity. The setuid mount.ecryptfs_private utility allows users to mount an eCryptfs file system. This utility can only be run by users in the last seen 2020-06-01 modified 2020-06-02 plugin id 61124 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61124 title Scientific Linux Security Update : ecryptfs-utils on SL5.x, SL6.x i386/x86_64 code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(61124); script_version("1.7"); script_cvs_date("Date: 2019/10/25 13:36:20"); script_cve_id("CVE-2011-1831", "CVE-2011-3145"); script_name(english:"Scientific Linux Security Update : ecryptfs-utils on SL5.x, SL6.x i386/x86_64"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "eCryptfs is a stacked, cryptographic file system. It is transparent to the underlying file system and provides per-file granularity. The setuid mount.ecryptfs_private utility allows users to mount an eCryptfs file system. This utility can only be run by users in the 'ecryptfs' group. A race condition flaw was found in the way mount.ecryptfs_private checked the permissions of a requested mount point when mounting an encrypted file system. A local attacker could possibly use this flaw to escalate their privileges by mounting over an arbitrary directory. (CVE-2011-1831) A race condition flaw in umount.ecryptfs_private could allow a local attacker to unmount an arbitrary file system. (CVE-2011-1832) It was found that mount.ecryptfs_private did not handle certain errors correctly when updating the mtab (mounted file systems table) file, allowing a local attacker to corrupt the mtab file and possibly unmount an arbitrary file system. (CVE-2011-1834) An insecure temporary file use flaw was found in the ecryptfs-setup-private script. A local attacker could use this script to insert their own key that will subsequently be used by a new user, possibly giving the attacker access to the user's encrypted data if existing file permissions allow access. (CVE-2011-1835) A race condition flaw in mount.ecryptfs_private could allow a local attacker to overwrite arbitrary files. (CVE-2011-1837) A race condition flaw in the way temporary files were accessed in mount.ecryptfs_private could allow a malicious, local user to make arbitrary modifications to the mtab file. (CVE-2011-3145) A race condition flaw was found in the way mount.ecryptfs_private checked the permissions of the directory to mount. A local attacker could use this flaw to mount (and then access) a directory they would otherwise not have access to. Note: The fix for this issue is incomplete until a kernel-space change is made. Future Scientific Linux 5 and 6 kernel updates will correct this issue. (CVE-2011-1833) Users of ecryptfs-utils are advised to upgrade to these updated packages, which contain backported patches to correct these issues." ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1109&L=scientific-linux-errata&T=0&P=615 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?4fe712e0" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/15"); script_set_attribute(attribute:"patch_publication_date", value:"2011/08/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL5", reference:"ecryptfs-utils-75-5.el5_7.2")) flag++; if (rpm_check(release:"SL5", reference:"ecryptfs-utils-debuginfo-75-5.el5_7.2")) flag++; if (rpm_check(release:"SL5", reference:"ecryptfs-utils-devel-75-5.el5_7.2")) flag++; if (rpm_check(release:"SL5", reference:"ecryptfs-utils-gui-75-5.el5_7.2")) flag++; if (rpm_check(release:"SL6", reference:"ecryptfs-utils-82-6.el6_1.3")) flag++; if (rpm_check(release:"SL6", reference:"ecryptfs-utils-debuginfo-82-6.el6_1.3")) flag++; if (rpm_check(release:"SL6", reference:"ecryptfs-utils-devel-82-6.el6_1.3")) flag++; if (rpm_check(release:"SL6", reference:"ecryptfs-utils-python-82-6.el6_1.3")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id SUSE_11_3_KERNEL-111026.NASL description The openSUSE 11.3 kernel was updated to fix various bugs and security issues. Following security issues have been fixed: CVE-2011-1833: Added a kernel option to ensure ecryptfs is mounting only on paths belonging to the current ui, which would have allowed local attackers to potentially gain privileges via symlink attacks. CVE-2011-3363: Always check the path in CIFS mounts to avoid interesting filesystem path interaction issues and potential crashes. CVE-2011-2918: In the perf framework software event overflows could deadlock or delete an uninitialized timer. CVE-2011-3353: In the fuse filesystem, FUSE_NOTIFY_INVAL_ENTRY did not check the length of the write so the message processing could overrun and result in a BUG_ON() in fuse_copy_fill(). This flaw could be used by local users able to mount FUSE filesystems to crash the system. CVE-2011-3191: A signedness issue in CIFS could possibly have lead to to memory corruption, if a malicious server could send crafted replies to the host. CVE-2011-1776: The is_gpt_valid function in fs/partitions/efi.c in the Linux kernel did not check the size of an Extensible Firmware Interface (EFI) GUID Partition Table (GPT) entry, which allowed physically proximate attackers to cause a denial of service (heap-based buffer overflow and OOPS) or obtain sensitive information from kernel heap memory by connecting a crafted GPT storage device, a different vulnerability than CVE-2011-1577. Following non security bugs were fixed : - drm/radeon/kms: Fix I2C mask definitions (bnc#712023). - ext4: Fix max file size and logical block counting of extent format file (bnc#706374). - TTY: pty, fix pty counting (bnc#711203). - Update Xen patches to 2.6.34.10. - xen/blkfront: fix data size for xenbus_gather in connect(). - xen/xenbus: fix xenbus_transaction_start() hang caused by double xenbus_transaction_end(). - xen/blkback: don last seen 2020-06-01 modified 2020-06-02 plugin id 75556 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75556 title openSUSE Security Update : kernel (openSUSE-SU-2011:1221-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1219-1.NASL description Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1576) Timo Warns discovered that the EFI GUID partition table was not correctly parsed. A physically local attacker that could insert mountable devices could exploit this to crash the system or possibly gain root privileges. (CVE-2011-1776) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Dan Rosenberg discovered that the IPv4 diagnostic routines did not correctly validate certain requests. A local attacker could exploit this to consume CPU resources, leading to a denial of service. (CVE-2011-2213) Dan Rosenberg discovered that the Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497) Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699) Mauro Carvalho Chehab discovered that the si4713 radio driver did not correctly check the length of memory copies. If this hardware was available, a local attacker could exploit this to crash the system or gain root privileges. (CVE-2011-2700) Herbert Xu discovered that certain fields were incorrectly handled when Generic Receive Offload (CVE-2011-2723) The performance counter subsystem did not correctly handle certain counters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2918) Time Warns discovered that long symlinks were incorrectly handled on Be filesystems. A local attacker could exploit this with a malformed Be filesystem and crash the system, leading to a denial of service. (CVE-2011-2928) Darren Lavender discovered that the CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191) Gideon Naim discovered a flaw in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 56344 published 2011-09-30 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56344 title Ubuntu 10.04 LTS : linux-lts-backport-maverick vulnerabilities (USN-1219-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1227-1.NASL description Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1576) Timo Warns discovered that the EFI GUID partition table was not correctly parsed. A physically local attacker that could insert mountable devices could exploit this to crash the system or possibly gain root privileges. (CVE-2011-1776) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Dan Rosenberg discovered that the IPv4 diagnostic routines did not correctly validate certain requests. A local attacker could exploit this to consume CPU resources, leading to a denial of service. (CVE-2011-2213) Dan Rosenberg discovered that the Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497) Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699) Mauro Carvalho Chehab discovered that the si4713 radio driver did not correctly check the length of memory copies. If this hardware was available, a local attacker could exploit this to crash the system or gain root privileges. (CVE-2011-2700) Herbert Xu discovered that certain fields were incorrectly handled when Generic Receive Offload (CVE-2011-2723) The performance counter subsystem did not correctly handle certain counters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2918) Time Warns discovered that long symlinks were incorrectly handled on Be filesystems. A local attacker could exploit this with a malformed Be filesystem and crash the system, leading to a denial of service. (CVE-2011-2928) Darren Lavender discovered that the CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191) Gideon Naim discovered a flaw in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 56466 published 2011-10-12 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56466 title Ubuntu 10.10 : linux vulnerabilities (USN-1227-1) NASL family Fedora Local Security Checks NASL id FEDORA_2011-10671.NASL description - privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832) - race condition when checking source during mount (CVE-2011-1833) - mtab corruption via improper handling (CVE-2011-1834) - key poisoning via insecure temp directory handling (CVE-2011-1835) - information disclosure via recovery mount in /tmp (CVE-2011-1836) - arbitrary file overwrite via lock counter race (CVE-2011-1837) - improve logging messages of ecryptfs pam module - keep own copy of passphrase, pam clears it too early - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - improve logging messages of ecryptfs pam module - keep own copy of passphrase, pam clears it too early - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - improve logging messages of ecryptfs pam module - keep own copy of passphrase, pam clears it too early - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56095 published 2011-09-07 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56095 title Fedora 16 : ecryptfs-utils-90-1.fc16 (2011-10671) NASL family SuSE Local Security Checks NASL id SUSE_11_3_ECRYPTFS-UTILS-110811.NASL description This update of ecryptfs-utils fixes several security problems : - CVE-2011-1831 - Race condition when checking mountpoint during mount. - CVE-2011-1832 - Race condition when checking mountpoint during unmount. - CVE-2011-1833 - Race condition when checking source during mount. - CVE-2011-1834 - Improper mtab handling allowing corruption due to resource limits, signals, etc. - CVE-2011-1835 - Key poisoning in ecryptfs-setup-private due to insecure temp directory. - CVE-2011-1837 - Predictable lock counter name and associated races. last seen 2020-06-01 modified 2020-06-02 plugin id 75473 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75473 title openSUSE Security Update : ecryptfs-utils (openSUSE-SU-2011:0902-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2011-1408.NASL description An updated rhev-hypervisor package that fixes several security issues is now available. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. The RHBA-2011:1254 update introduced a regression in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 79280 published 2014-11-17 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79280 title RHEL 5 : rhev-hypervisor (RHSA-2011:1408) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2011-1350.NASL description Updated kernel packages that fix several security issues, various bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * Flaws in the AGPGART driver implementation when handling certain IOCTL commands could allow a local user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, Important) * An integer overflow flaw in agp_allocate_memory() could allow a local user to cause a denial of service or escalate their privileges. (CVE-2011-1746, Important) * A race condition flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 56404 published 2011-10-06 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56404 title RHEL 6 : kernel (RHSA-2011:1350) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1245-1.NASL description Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1576) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495) Dan Rosenberg discovered that the Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497) It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695) Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699) Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges. (CVE-2011-2905) Time Warns discovered that long symlinks were incorrectly handled on Be filesystems. A local attacker could exploit this with a malformed Be filesystem and crash the system, leading to a denial of service. (CVE-2011-2928) Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188) Darren Lavender discovered that the CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191) Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user who can mount a FUSE file system could cause a denial of service. (CVE-2011-3353) Gideon Naim discovered a flaw in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 56644 published 2011-10-26 reporter Ubuntu Security Notice (C) 2011-2013 Canonical, Inc. / NASL script (C) 2011-2013 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56644 title Ubuntu 10.10 : linux-mvl-dove vulnerabilities (USN-1245-1) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-111202.NASL description The SUSE Linux Enterprise 11 Service Pack 1 kernel has been updated to version 2.6.32.49 and fixes various bugs and security issues. - The TCP/IP initial sequence number generation effectively only used 24 bits of 32 to generate randomness, making a brute-force man-in-the-middle attack on TCP/IP connections feasible. The generator was changed to use full 32bit randomness. (CVE-2011-3188) - Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699) - A NULL ptr dereference on mounting corrupt hfs filesystems was fixed which could be used by local attackers to crash the kernel. (CVE-2011-2203) - Added a kernel option to ensure ecryptfs is mounting only on paths belonging to the current ui, which would have allowed local attackers to potentially gain privileges via symlink attacks. (CVE-2011-1833) - The Generic Receive Offload (GRO) implementation in the Linux kernel allowed remote attackers to cause a denial of service via crafted VLAN packets that are processed by the napi_reuse_skb function, leading to (1) a memory leak or (2) memory corruption, a different vulnerability than CVE-2011-1478. (CVE-2011-1576) - A name overflow in the hfs filesystem was fixed, where mounting a corrupted hfs filesystem could lead to a stack overflow and code execution in the kernel. This requires a local attacker to be able to mount hfs filesystems. (CVE-2011-4330) - A bug was found in the way headroom check was performed in udp6_ufo_fragment() function. A remote attacker could use this flaw to crash the system. (CVE-2011-4326) The following non-security bugs have been fixed : - ALSA: hda - Fix S3/S4 problem on machines with VREF-pin mute-LED. (bnc#732535) - patches.xen/xen-pcpu-hotplug: Fix a double kfree(). - ixgbe: fix bug with vlan strip in promsic mode (bnc#687049, fate#311821). - ixgbe: fix panic when shutting down system with WoL enabled. - fnic: Allow users to modify dev_loss_tmo setting. (bnc#719786) - x86, intel: Do not mark sched_clock() as stable. (bnc#725709) - ALSA: hda - Keep vref-LED during power-saving on IDT codecs. (bnc#731981) - cifs: Assume passwords are encoded according to iocharset. (bnc#731035) - scsi_dh: Check queuedata pointer before proceeding. (bnc#714744) - netback: use correct index for invalidation in netbk_tx_check_mop(). - ACPI video: introduce module parameter video.use_bios_initial_backlight. (bnc#731229) - SUNRPC: prevent task_cleanup running on freed xprt. (bnc#709671) - add device entry for Broadcom Valentine combo card. (bnc#722429) - quota: Fix WARN_ON in lookup_one_len. (bnc#728626) - Update Xen patches to 2.6.32.48. - pv-on-hvm/kexec: add xs_reset_watches to shutdown watches from old kernel. (bnc#694863) - x86: undo_limit_pages() must reset page count. - mm/vmstat.c: cache align vm_stat. (bnc#729721) - s390/ccwgroup: fix uevent vs dev attrs race (bnc#659101,LTC#69028). - Warn on pagecache limit usage (FATE309111). - SCSI: st: fix race in st_scsi_execute_end. (bnc#720536) - ACPI: introduce last seen 2020-06-01 modified 2020-06-02 plugin id 57297 published 2011-12-14 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57297 title SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 5493 / 5510 / 5511) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1239-1.NASL description Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1576) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495) Dan Rosenberg discovered that the Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497) It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695) Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699) Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges. (CVE-2011-2905) Time Warns discovered that long symlinks were incorrectly handled on Be filesystems. A local attacker could exploit this with a malformed Be filesystem and crash the system, leading to a denial of service. (CVE-2011-2928) Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188) Darren Lavender discovered that the CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191) Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user who can mount a FUSE file system could cause a denial of service. (CVE-2011-3353) Gideon Naim discovered a flaw in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 56638 published 2011-10-26 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56638 title Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1239-1) NASL family Misc. NASL id VMWARE_VMSA-2012-0013_REMOTE.NASL description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party libraries : - Apache Struts - glibc - GnuTLS - JRE - kernel - libxml2 - OpenSSL - Perl - popt and rpm last seen 2020-06-01 modified 2020-06-02 plugin id 89038 published 2016-02-29 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/89038 title VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0013) (remote check) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1202-1.NASL description Dan Rosenberg discovered that several network ioctls did not clear kernel memory correctly. A local user could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297) Brad Spengler discovered that stack memory for new a process was not correctly calculated. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3858) Dan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859) Dan Rosenberg discovered that the CAN protocol on 64bit systems did not correctly calculate the size of certain buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3874) Nelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880) Dan Rosenberg discovered that IPC structures were not correctly initialized on 64bit systems. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4073) Dan Rosenberg discovered that multiple terminal ioctls did not correctly initialize structure memory. A local attacker could exploit this to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077) Dan Rosenberg discovered that the RME Hammerfall DSP audio interface driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4080, CVE-2010-4081) Dan Rosenberg discovered that the VIA video driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4082) Dan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083) James Bottomley discovered that the ICP vortex storage array controller driver did not validate certain sizes. A local attacker on a 64bit system could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-4157) Dan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges. (CVE-2010-4160) Dan Rosenberg discovered that certain iovec operations did not calculate page counts correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4162) Dan Rosenberg discovered that the SCSI subsystem did not correctly validate iov segments. A local attacker with access to a SCSI device could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2010-4163, CVE-2010-4668) Dave Jones discovered that the mprotect system call did not correctly handle merged VMAs. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4169) Dan Rosenberg discovered that the RDS protocol did not correctly check ioctl arguments. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4175) Alan Cox discovered that the HCI UART driver did not correctly check if a write operation was available. If the mmap_min-addr sysctl was changed from the Ubuntu default to a value of 0, a local attacker could exploit this flaw to gain root privileges. (CVE-2010-4242) Brad Spengler discovered that the kernel did not correctly account for userspace memory allocations during exec() calls. A local attacker could exploit this to consume all system memory, leading to a denial of service. (CVE-2010-4243) It was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248) It was discovered that named pipes did not correctly handle certain fcntl calls. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4256) Dan Rosenburg discovered that the CAN subsystem leaked kernel addresses into the /proc filesystem. A local attacker could use this to increase the chances of a successful memory corruption exploit. (CVE-2010-4565) Dan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044) Kees Cook discovered that some ethtool functions did not correctly clear heap memory. A local attacker with CAP_NET_ADMIN privileges could exploit this to read portions of kernel heap memory, leading to a loss of privacy. (CVE-2010-4655) Kees Cook discovered that the IOWarrior USB device driver did not correctly check certain size fields. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2010-4656) Goldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly clear memory when writing certain file holes. A local attacker could exploit this to read uninitialized data from the disk, leading to a loss of privacy. (CVE-2011-0463) Dan Carpenter discovered that the TTPCI DVB driver did not check certain values during an ioctl. If the dvb-ttpci module was loaded, a local attacker could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-0521) Jens Kuehnel discovered that the InfiniBand driver contained a race condition. On systems using InfiniBand, a local attacker could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2011-0695) Dan Rosenberg discovered that XFS did not correctly initialize memory. A local attacker could make crafted ioctl calls to leak portions of kernel stack memory, leading to a loss of privacy. (CVE-2011-0711) Rafael Dominguez Vega discovered that the caiaq Native Instruments USB driver did not correctly validate string lengths. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2011-0712) Kees Cook reported that /proc/pid/stat did not correctly filter certain memory locations. A local attacker could determine the memory layout of processes in an attempt to increase the chances of a successful memory corruption exploit. (CVE-2011-0726) Timo Warns discovered that MAC partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system or potentially gain root privileges. (CVE-2011-1010) Timo Warns discovered that LDM partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1012) Matthiew Herrb discovered that the drm modeset interface did not correctly handle a signed comparison. A local attacker could exploit this to crash the system or possibly gain root privileges. (CVE-2011-1013) Marek Olsak discovered that the Radeon GPU drivers did not correctly validate certain registers. On systems with specific hardware, a local attacker could exploit this to write to arbitrary video memory. (CVE-2011-1016) Timo Warns discovered that the LDM disk partition handling code did not correctly handle certain values. By inserting a specially crafted disk device, a local attacker could exploit this to gain root privileges. (CVE-2011-1017) Vasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not needed to load kernel modules. A local attacker with the CAP_NET_ADMIN capability could load existing kernel modules, possibly increasing the attack surface available on the system. (CVE-2011-1019) It was discovered that the /proc filesystem did not correctly handle permission changes when programs executed. A local attacker could hold open files to examine details about programs running with higher privileges, potentially increasing the chances of exploiting additional vulnerabilities. (CVE-2011-1020) Vasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078) Vasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079) Vasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080) Nelson Elhage discovered that the epoll subsystem did not correctly handle certain structures. A local attacker could create malicious requests that would hang the system, leading to a denial of service. (CVE-2011-1082) Neil Horman discovered that NFSv4 did not correctly handle certain orders of operation with ACL data. A remote attacker with access to an NFSv4 mount could exploit this to crash the system, leading to a denial of service. (CVE-2011-1090) Johan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093) Peter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160) Timo Warns discovered that OSF partition parsing routines did not correctly clear memory. A local attacker with physical access could plug in a specially crafted block device to read kernel memory, leading to a loss of privacy. (CVE-2011-1163) Dan Rosenberg discovered that some ALSA drivers did not correctly check the adapter index during ioctl calls. If this driver was loaded, a local attacker could make a specially crafted ioctl call to gain root privileges. (CVE-2011-1169) Vasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534) Vasiliy Kulikov discovered that the Acorn Universal Networking driver did not correctly initialize memory. A remote attacker could send specially crafted traffic to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1173) Dan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180) Julien Tinnes discovered that the kernel did not correctly validate the signal structure from tkill(). A local attacker could exploit this to send signals to arbitrary threads, possibly bypassing expected restrictions. (CVE-2011-1182) Ryan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478) Dan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges. (CVE-2011-1493) Dan Rosenberg discovered that MPT devices did not correctly validate certain values in ioctl calls. If these drivers were loaded, a local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2011-1494, CVE-2011-1495) Timo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577) Tavis Ormandy discovered that the pidmap function did not correctly handle large requests. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1593) Oliver Hartkopp and Dave Jones discovered that the CAN network driver did not correctly validate certain socket structures. If this driver was loaded, a local attacker could crash the system, leading to a denial of service. (CVE-2011-1598, CVE-2011-1748) Vasiliy Kulikov discovered that the AGP driver did not check certain ioctl values. A local attacker with access to the video subsystem could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-1745, CVE-2011-2022) Vasiliy Kulikov discovered that the AGP driver did not check the size of certain memory allocations. A local attacker with access to the video subsystem could exploit this to run the system out of memory, leading to a denial of service. (CVE-2011-1746) Dan Rosenberg discovered that the DCCP stack did not correctly handle certain packet structures. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1770) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Vasiliy Kulikov discovered that taskstats listeners were not correctly handled. A local attacker could expoit this to exhaust memory and CPU resources, leading to a denial of service. (CVE-2011-2484) It was discovered that Bluetooth l2cap and rfcomm did not correctly initialize structures. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy. (CVE-2011-2492) Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699) The performance counter subsystem did not correctly handle certain counters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2918) last seen 2020-06-01 modified 2020-06-02 plugin id 56190 published 2011-09-14 reporter Ubuntu Security Notice (C) 2011 Canonical, Inc. / NASL script (C) 2011-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56190 title USN-1202-1 : linux-ti-omap4 vulnerabilities NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1256-1.NASL description It was discovered that the /proc filesystem did not correctly handle permission changes when programs executed. A local attacker could hold open files to examine details about programs running with higher privileges, potentially increasing the chances of exploiting additional vulnerabilities. (CVE-2011-1020) Vasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078) Vasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079) Vasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080) Johan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093) Peter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160) Dan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180) Ryan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478) It was discovered that the security fix for CVE-2010-4250 introduced a regression. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1479) Dan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges. (CVE-2011-1493) It was discovered that the Stream Control Transmission Protocol (SCTP) implementation incorrectly calculated lengths. If the net.sctp.addip_enable variable was turned on, a remote attacker could send specially crafted traffic to crash the system. (CVE-2011-1573) Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1576) Timo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577) Phil Oester discovered that the network bonding system did not correctly handle large queues. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1581) It was discovered that CIFS incorrectly handled authentication. When a user had a CIFS share mounted that required authentication, a local user could mount the same share without knowing the correct password. (CVE-2011-1585) It was discovered that the GRE protocol incorrectly handled netns initialization. A remote attacker could send a packet while the ip_gre module was loading, and crash the system, leading to a denial of service. (CVE-2011-1767) It was discovered that the IP/IP protocol incorrectly handled netns initialization. A remote attacker could send a packet while the ipip module was loading, and crash the system, leading to a denial of service. (CVE-2011-1768) Ben Greear discovered that CIFS did not correctly handle direct I/O. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2011-1771) Timo Warns discovered that the EFI GUID partition table was not correctly parsed. A physically local attacker that could insert mountable devices could exploit this to crash the system or possibly gain root privileges. (CVE-2011-1776) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Ben Hutchings reported a flaw in the kernel last seen 2020-06-01 modified 2020-06-02 plugin id 56768 published 2011-11-10 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56768 title Ubuntu 10.04 LTS : linux-lts-backport-natty vulnerabilities (USN-1256-1) NASL family SuSE Local Security Checks NASL id SUSE_11_4_ECRYPTFS-UTILS-110811.NASL description This update of ecryptfs-utils fixes several security problems : - CVE-2011-1831 - Race condition when checking mountpoint during mount. - CVE-2011-1832 - Race condition when checking mountpoint during unmount. - CVE-2011-1833 - Race condition when checking source during mount. - CVE-2011-1834 - Improper mtab handling allowing corruption due to resource limits, signals, etc. - CVE-2011-1835 - Key poisoning in ecryptfs-setup-private due to insecure temp directory. - CVE-2011-1837 - Predictable lock counter name and associated races. last seen 2020-06-01 modified 2020-06-02 plugin id 75821 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75821 title openSUSE Security Update : ecryptfs-utils (openSUSE-SU-2011:0902-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2011-1386.NASL description From Red Hat Security Advisory 2011:1386 : Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes : * The maximum file offset handling for ext4 file systems could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2695, Important) * IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system last seen 2020-06-01 modified 2020-06-02 plugin id 68375 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68375 title Oracle Linux 5 : kernel (ELSA-2011-1386) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1240-1.NASL description Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1576) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495) Dan Rosenberg discovered that the Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497) It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695) Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699) Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges. (CVE-2011-2905) Time Warns discovered that long symlinks were incorrectly handled on Be filesystems. A local attacker could exploit this with a malformed Be filesystem and crash the system, leading to a denial of service. (CVE-2011-2928) Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188) Darren Lavender discovered that the CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191) Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user who can mount a FUSE file system could cause a denial of service. (CVE-2011-3353) Gideon Naim discovered a flaw in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 56639 published 2011-10-26 reporter Ubuntu Security Notice (C) 2011-2013 Canonical, Inc. / NASL script (C) 2011-2013 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56639 title Ubuntu 10.04 LTS : linux-mvl-dove vulnerabilities (USN-1240-1) NASL family SuSE Local Security Checks NASL id SUSE_11_4_KERNEL-111026.NASL description The openSUSE 11.4 kernel was updated to 2.6.37.6 fixing lots of bugs and security issues. Following security issues have been fixed: CVE-2011-1833: Added a kernel option to ensure ecryptfs is mounting only on paths belonging to the current ui, which would have allowed local attackers to potentially gain privileges via symlink attacks. CVE-2011-2695: Multiple off-by-one errors in the ext4 subsystem in the Linux kernel allowed local users to cause a denial of service (BUG_ON and system crash) by accessing a sparse file in extent format with a write operation involving a block number corresponding to the largest possible 32-bit unsigned integer. CVE-2011-3363: Always check the path in CIFS mounts to avoid interesting filesystem path interaction issues and potential crashes. CVE-2011-2918: In the perf framework software event overflows could deadlock or delete an uninitialized timer. CVE-2011-3353: In the fuse filesystem, FUSE_NOTIFY_INVAL_ENTRY did not check the length of the write so the message processing could overrun and result in a BUG_ON() in fuse_copy_fill(). This flaw could be used by local users able to mount FUSE filesystems to crash the system. CVE-2011-2183: Fixed a race between ksmd and other memory management code, which could result in a NULL ptr dereference and kernel crash. CVE-2011-3191: A signedness issue in CIFS could possibly have lead to to memory corruption, if a malicious server could send crafted replies to the host. CVE-2011-1776: The is_gpt_valid function in fs/partitions/efi.c in the Linux kernel did not check the size of an Extensible Firmware Interface (EFI) GUID Partition Table (GPT) entry, which allowed physically proximate attackers to cause a denial of service (heap-based buffer overflow and OOPS) or obtain sensitive information from kernel heap memory by connecting a crafted GPT storage device, a different vulnerability than CVE-2011-1577. Following non-security bugs were fixed : - novfs: Unable to change password in the Novell Client for Linux (bnc#713229). - novfs: last modification time not reliable (bnc#642896). - novfs: unlink directory after unmap (bnc#649625). - fs: novfs: Fix exit handlers on local_unlink (bnc#649625). - novfs: last seen 2020-06-01 modified 2020-06-02 plugin id 75881 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75881 title openSUSE Security Update : kernel (openSUSE-SU-2011:1222-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2011-1350.NASL description From Red Hat Security Advisory 2011:1350 : Updated kernel packages that fix several security issues, various bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * Flaws in the AGPGART driver implementation when handling certain IOCTL commands could allow a local user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, Important) * An integer overflow flaw in agp_allocate_memory() could allow a local user to cause a denial of service or escalate their privileges. (CVE-2011-1746, Important) * A race condition flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 68364 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68364 title Oracle Linux 6 : kernel (ELSA-2011-1350) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1204-1.NASL description Dan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859) Dan Rosenberg discovered that multiple terminal ioctls did not correctly initialize structure memory. A local attacker could exploit this to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077) Dan Rosenberg discovered that the socket filters did not correctly initialize structure memory. A local attacker could create malicious filters to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4158) Dan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges. (CVE-2010-4160) Dan Rosenberg discovered that certain iovec operations did not calculate page counts correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4162) Dan Rosenberg discovered that the SCSI subsystem did not correctly validate iov segments. A local attacker with access to a SCSI device could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2010-4163, CVE-2010-4668) Dan Rosenberg discovered that the RDS protocol did not correctly check ioctl arguments. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4175) Alan Cox discovered that the HCI UART driver did not correctly check if a write operation was available. If the mmap_min-addr sysctl was changed from the Ubuntu default to a value of 0, a local attacker could exploit this flaw to gain root privileges. (CVE-2010-4242) Brad Spengler discovered that the kernel did not correctly account for userspace memory allocations during exec() calls. A local attacker could exploit this to consume all system memory, leading to a denial of service. (CVE-2010-4243) Alex Shi and Eric Dumazet discovered that the network stack did not correctly handle packet backlogs. A remote attacker could exploit this by sending a large amount of network traffic to cause the system to run out of memory, leading to a denial of service. (CVE-2010-4251, CVE-2010-4805) It was discovered that the ICMP stack did not correctly handle certain unreachable messages. If a remote attacker were able to acquire a socket lock, they could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-4526) Dan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044) Kees Cook reported that /proc/pid/stat did not correctly filter certain memory locations. A local attacker could determine the memory layout of processes in an attempt to increase the chances of a successful memory corruption exploit. (CVE-2011-0726) Timo Warns discovered that MAC partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system or potentially gain root privileges. (CVE-2011-1010) Timo Warns discovered that LDM partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1012) Matthiew Herrb discovered that the drm modeset interface did not correctly handle a signed comparison. A local attacker could exploit this to crash the system or possibly gain root privileges. (CVE-2011-1013) It was discovered that the /proc filesystem did not correctly handle permission changes when programs executed. A local attacker could hold open files to examine details about programs running with higher privileges, potentially increasing the chances of exploiting additional vulnerabilities. (CVE-2011-1020) Vasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078) Vasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079) Vasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080) Nelson Elhage discovered that the epoll subsystem did not correctly handle certain structures. A local attacker could create malicious requests that would hang the system, leading to a denial of service. (CVE-2011-1082) Neil Horman discovered that NFSv4 did not correctly handle certain orders of operation with ACL data. A remote attacker with access to an NFSv4 mount could exploit this to crash the system, leading to a denial of service. (CVE-2011-1090) Johan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093) Peter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160) Timo Warns discovered that OSF partition parsing routines did not correctly clear memory. A local attacker with physical access could plug in a specially crafted block device to read kernel memory, leading to a loss of privacy. (CVE-2011-1163) Vasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534) Vasiliy Kulikov discovered that the Acorn Universal Networking driver did not correctly initialize memory. A remote attacker could send specially crafted traffic to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1173) Dan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180) Ryan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478) Dan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges. (CVE-2011-1493) Timo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577) Oliver Hartkopp and Dave Jones discovered that the CAN network driver did not correctly validate certain socket structures. If this driver was loaded, a local attacker could crash the system, leading to a denial of service. (CVE-2011-1598) Dan Rosenberg discovered that the DCCP stack did not correctly handle certain packet structures. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1770) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Vasiliy Kulikov discovered that taskstats listeners were not correctly handled. A local attacker could expoit this to exhaust memory and CPU resources, leading to a denial of service. (CVE-2011-2484) It was discovered that Bluetooth l2cap and rfcomm did not correctly initialize structures. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy. (CVE-2011-2492) Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699) The performance counter subsystem did not correctly handle certain counters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2918) last seen 2020-06-01 modified 2020-06-02 plugin id 56192 published 2011-09-14 reporter Ubuntu Security Notice (C) 2011 Canonical, Inc. / NASL script (C) 2011-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56192 title USN-1204-1 : linux-fsl-imx51 vulnerabilities NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1212-1.NASL description Goldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly clear memory when writing certain file holes. A local attacker could exploit this to read uninitialized data from the disk, leading to a loss of privacy. (CVE-2011-0463) Timo Warns discovered that the LDM disk partition handling code did not correctly handle certain values. By inserting a specially crafted disk device, a local attacker could exploit this to gain root privileges. (CVE-2011-1017) It was discovered that the /proc filesystem did not correctly handle permission changes when programs executed. A local attacker could hold open files to examine details about programs running with higher privileges, potentially increasing the chances of exploiting additional vulnerabilities. (CVE-2011-1020) Vasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078) Vasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079) Vasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080) Peter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160) Vasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534) Vasiliy Kulikov discovered that the Acorn Universal Networking driver did not correctly initialize memory. A remote attacker could send specially crafted traffic to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1173) Dan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180) Julien Tinnes discovered that the kernel did not correctly validate the signal structure from tkill(). A local attacker could exploit this to send signals to arbitrary threads, possibly bypassing expected restrictions. (CVE-2011-1182) Dan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges. (CVE-2011-1493) Dan Rosenberg discovered that MPT devices did not correctly validate certain values in ioctl calls. If these drivers were loaded, a local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2011-1494, CVE-2011-1495) Timo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577) Phil Oester discovered that the network bonding system did not correctly handle large queues. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1581) Tavis Ormandy discovered that the pidmap function did not correctly handle large requests. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1593) Oliver Hartkopp and Dave Jones discovered that the CAN network driver did not correctly validate certain socket structures. If this driver was loaded, a local attacker could crash the system, leading to a denial of service. (CVE-2011-1598, CVE-2011-1748) Vasiliy Kulikov discovered that the AGP driver did not check certain ioctl values. A local attacker with access to the video subsystem could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-1745, CVE-2011-2022) Vasiliy Kulikov discovered that the AGP driver did not check the size of certain memory allocations. A local attacker with access to the video subsystem could exploit this to run the system out of memory, leading to a denial of service. (CVE-2011-1746) Dan Rosenberg discovered that the DCCP stack did not correctly handle certain packet structures. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1770) Ben Greear discovered that CIFS did not correctly handle direct I/O. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2011-1771) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Vasiliy Kulikov discovered that taskstats listeners were not correctly handled. A local attacker could expoit this to exhaust memory and CPU resources, leading to a denial of service. (CVE-2011-2484) It was discovered that Bluetooth l2cap and rfcomm did not correctly initialize structures. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy. (CVE-2011-2492) Sami Liedes discovered that ext4 did not correctly handle missing root inodes. A local attacker could trigger the mount of a specially crafted filesystem to cause the system to crash, leading to a denial of service. (CVE-2011-2493) It was discovered that GFS2 did not correctly check block sizes. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2689) Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699) The performance counter subsystem did not correctly handle certain counters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2918) last seen 2020-06-01 modified 2020-06-02 plugin id 56257 published 2011-09-22 reporter Ubuntu Security Notice (C) 2011 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56257 title USN-1212-1 : linux-ti-omap4 vulnerabilities NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2011-1241.NASL description From Red Hat Security Advisory 2011:1241 : Updated ecryptfs-utils packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. eCryptfs is a stacked, cryptographic file system. It is transparent to the underlying file system and provides per-file granularity. eCryptfs is released as a Technology Preview for Red Hat Enterprise Linux 5 and 6. The setuid mount.ecryptfs_private utility allows users to mount an eCryptfs file system. This utility can only be run by users in the last seen 2020-06-01 modified 2020-06-02 plugin id 68338 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68338 title Oracle Linux 5 / 6 : ecryptfs-utils (ELSA-2011-1241) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2011-16.NASL description The skb_gro_header_slow function in include/linux/netdevice.h in the Linux kernel before 2.6.39.4, when Generic Receive Offload (GRO) is enabled, resets certain fields in incorrect situations, which allows remote attackers to cause a denial of service (system crash) via crafted network traffic. Race condition in the ecryptfs_mount function in fs/ecryptfs/main.c in the eCryptfs subsystem in the Linux kernel before 3.1 allows local users to bypass intended file permissions via a mount.ecryptfs_private mount with a mismatched uid. The (1) IPv4 and (2) IPv6 implementations in the Linux kernel before 3.1 use a modified MD4 algorithm to generate sequence numbers and Fragment Identification values, which makes it easier for remote attackers to cause a denial of service (disrupted networking) or hijack network sessions by predicting these values and sending crafted packets. Integer signedness error in the CIFSFindNext function in fs/cifs/cifssmb.c in the Linux kernel before 3.1 allows remote CIFS servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large length value in a response to a read request for a directory. The Performance Events subsystem in the Linux kernel before 3.1 does not properly handle event overflows associated with PERF_COUNT_SW_CPU_CLOCK events, which allows local users to cause a denial of service (system hang) via a crafted application. last seen 2020-06-01 modified 2020-06-02 plugin id 69575 published 2013-09-04 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69575 title Amazon Linux AMI : kernel (ALAS-2011-16) NASL family Scientific Linux Local Security Checks NASL id SL_20111020_KERNEL_ON_SL5_X.NASL description The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes : - The maximum file offset handling for ext4 file systems could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2695, Important) - IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system last seen 2020-06-01 modified 2020-06-02 plugin id 61162 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61162 title Scientific Linux Security Update : kernel on SL5.x i386/x86_64 NASL family Scientific Linux Local Security Checks NASL id SL_20111005_KERNEL_ON_SL6_X.NASL description The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : - Flaws in the AGPGART driver implementation when handling certain IOCTL commands could allow a local user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, Important) - An integer overflow flaw in agp_allocate_memory() could allow a local user to cause a denial of service or escalate their privileges. (CVE-2011-1746, Important) - A race condition flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 61148 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61148 title Scientific Linux Security Update : kernel on SL6.x i386/x86_64 NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1211-1.NASL description It was discovered that the /proc filesystem did not correctly handle permission changes when programs executed. A local attacker could hold open files to examine details about programs running with higher privileges, potentially increasing the chances of exploiting additional vulnerabilities. (CVE-2011-1020) Dan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges. (CVE-2011-1493) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) It was discovered that Bluetooth l2cap and rfcomm did not correctly initialize structures. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy. (CVE-2011-2492) It was discovered that GFS2 did not correctly check block sizes. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2689) Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699) The performance counter subsystem did not correctly handle certain counters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2918) A flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 56256 published 2011-09-22 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56256 title Ubuntu 11.04 : linux vulnerabilities (USN-1211-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2011-2029.NASL description Description of changes: * CVE-2011-2898: Information leak in packet subsystem Uninitialized struct padding in the packet subsystem led to an information leak of two bytes of kernel memory to userspace. * CVE-2011-2723: Remote denial of service vulnerability in gro. The skb_gro_header_slow function in the Linux kernel had a bug which allowed a remote attacker to put certain gro fields in an inconsistent state, resulting in a denial of service. * CVE-2011-2496: Local denial of service in mremap(). Robert Swiecki discovered that mremap() could be abused for local denial of service by triggering a BUG_ON assert. * CVE-2011-2484: Denial of service in taskstats subsystem. The add_del_listener function in kernel/taskstats.c in the Linux kernel did not prevent multiple registrations of exit handlers, which allowed local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application. * CVE-2011-1833: Information disclosure in eCryptfs. Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested source directory. A local attacker could use this flaw to mount an arbitrary directory, possibly leading to information disclosure. [2.6.32-200.20.1.el6uek] - af_packet: prevent information leak {CVE-2011-2898} - gro: Only reset frag0 when skb can be pulled {CVE-2011-2723} - vm: fix vm_pgoff wrap in upward expansion {CVE-2011-2496} - taskstats: don last seen 2020-06-01 modified 2020-06-02 plugin id 68422 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68422 title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2011-2029) NASL family Fedora Local Security Checks NASL id FEDORA_2011-12874.NASL description Fixes assorted CVEs CVE-2011-2918: perf: Fix software event overflow CVE-2011-3188: net: improve sequence number generation CVE-2011-2723: gro: Only reset frag0 when skb can be pulled CVE-2011-2928: befs: Validate length of long symbolic links CVE-2011-3191: cifs: fix possible memory corruption in CIFSFindNext CVE-2011-1833: ecryptfs: mount source TOCTOU race Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56416 published 2011-10-10 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56416 title Fedora 14 : kernel-2.6.35.14-97.fc14 (2011-12874) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2443.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-4307 Nageswara R Sastry reported an issue in the ext4 filesystem. Local users with the privileges to mount a filesystem can cause a denial of service (BUG) by providing a s_log_groups_per_flex value greater than 31. - CVE-2011-1833 Vasiliy Kulikov of Openwall and Dan Rosenberg discovered an information leak in the eCryptfs filesystem. Local users were able to mount arbitrary directories. - CVE-2011-4347 Sasha Levin reported an issue in the device assignment functionality in KVM. Local users with permission to access /dev/kvm could assign unused pci devices to a guest and cause a denial of service (crash). - CVE-2012-0045 Stephan Barwolf reported an issue in KVM. Local users in a 32-bit guest running on a 64-bit system can crash the guest with a syscall instruction. - CVE-2012-1090 CAI Qian reported an issue in the CIFS filesystem. A reference count leak can occur during the lookup of special files, resulting in a denial of service (oops) on umount. - CVE-2012-1097 H. Peter Anvin reported an issue in the regset infrastructure. Local users can cause a denial of service (NULL pointer dereference) by triggering the write methods of readonly regsets. last seen 2020-03-17 modified 2012-03-27 plugin id 58486 published 2012-03-27 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/58486 title Debian DSA-2443-1 : linux-2.6 - privilege escalation/denial of service NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2011-1386.NASL description Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes : * The maximum file offset handling for ext4 file systems could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2695, Important) * IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system last seen 2020-06-01 modified 2020-06-02 plugin id 56569 published 2011-10-21 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56569 title CentOS 5 : kernel (CESA-2011:1386) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2011-1241.NASL description Updated ecryptfs-utils packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. eCryptfs is a stacked, cryptographic file system. It is transparent to the underlying file system and provides per-file granularity. eCryptfs is released as a Technology Preview for Red Hat Enterprise Linux 5 and 6. The setuid mount.ecryptfs_private utility allows users to mount an eCryptfs file system. This utility can only be run by users in the last seen 2020-06-01 modified 2020-06-02 plugin id 56028 published 2011-09-01 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56028 title RHEL 5 / 6 : ecryptfs-utils (RHSA-2011:1241) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2011-1386.NASL description Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes : * The maximum file offset handling for ext4 file systems could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2695, Important) * IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system last seen 2020-06-01 modified 2020-06-02 plugin id 56577 published 2011-10-21 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56577 title RHEL 5 : kernel (RHSA-2011:1386) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1253-1.NASL description Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1576) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495) Dan Rosenberg discovered that the Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497) It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695) Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699) Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges. (CVE-2011-2905) Time Warns discovered that long symlinks were incorrectly handled on Be filesystems. A local attacker could exploit this with a malformed Be filesystem and crash the system, leading to a denial of service. (CVE-2011-2928) Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188) Darren Lavender discovered that the CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191) Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user who can mount a FUSE file system could cause a denial of service. (CVE-2011-3353) Gideon Naim discovered a flaw in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 56747 published 2011-11-09 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56747 title Ubuntu 10.04 LTS : linux vulnerabilities (USN-1253-1) NASL family Fedora Local Security Checks NASL id FEDORA_2011-10718.NASL description - privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832) - race condition when checking source during mount (CVE-2011-1833) - mtab corruption via improper handling (CVE-2011-1834) - key poisoning via insecure temp directory handling (CVE-2011-1835) - information disclosure via recovery mount in /tmp (CVE-2011-1836) - arbitrary file overwrite via lock counter race (CVE-2011-1837) - improve logging messages of ecryptfs pam module - keep own copy of passphrase, pam clears it too early - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - improve logging messages of ecryptfs pam module - keep own copy of passphrase, pam clears it too early - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - improve logging messages of ecryptfs pam module - keep own copy of passphrase, pam clears it too early - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization - keyring from auth stack does not survive, use pam_data and delayed keyring initialization Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56075 published 2011-09-06 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56075 title Fedora 14 : ecryptfs-utils-90-1.fc14 (2011-10718)
Packetstorm
| data source | https://packetstormsecurity.com/files/download/105078/USN-1202-1.txt |
| id | PACKETSTORM:105078 |
| last seen | 2016-12-05 |
| published | 2011-09-14 |
| reporter | Ubuntu |
| source | https://packetstormsecurity.com/files/105078/Ubuntu-Security-Notice-USN-1202-1.html |
| title | Ubuntu Security Notice USN-1202-1 |
Redhat
| rpms |
|
References
- https://bugzilla.redhat.com/show_bug.cgi?id=731172
- http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.1
- https://github.com/torvalds/linux/commit/764355487ea220fdc2faf128d577d7f679b91f97
- http://www.ubuntu.com/usn/USN-1188-1
- http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00009.html
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=764355487ea220fdc2faf128d577d7f679b91f97