Vulnerabilities > CVE-2011-2479 - Resource Management Errors vulnerability in Linux Kernel

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
local
low complexity
linux
CWE-399
nessus

Summary

The Linux kernel before 2.6.39 does not properly create transparent huge pages in response to a MAP_PRIVATE mmap system call on /dev/zero, which allows local users to cause a denial of service (system crash) via a crafted application.

Vulnerable Configurations

Part Description Count
OS
Linux
1309

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2011-0928.NASL
    descriptionFrom Red Hat Security Advisory 2011:0928 : Updated kernel packages that fix multiple security issues and various bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * It was found that the receive hook in the ipip_init() function in the ipip module, and in the ipgre_init() function in the ip_gre module, could be called before network namespaces setup is complete. If packets were received at the time the ipip or ip_gre module was still being loaded into the kernel, it could cause a denial of service. (CVE-2011-1767, CVE-2011-1768, Moderate) * It was found that an mmap() call with the MAP_PRIVATE flag on
    last seen2020-06-01
    modified2020-06-02
    plugin id68305
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68305
    titleOracle Linux 6 : kernel (ELSA-2011-0928)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2011:0928 and 
    # Oracle Linux Security Advisory ELSA-2011-0928 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(68305);
      script_version("1.9");
      script_cvs_date("Date: 2019/10/25 13:36:09");
    
      script_cve_id("CVE-2011-1767", "CVE-2011-1768", "CVE-2011-2479");
      script_bugtraq_id(47852, 47853, 48347);
      script_xref(name:"RHSA", value:"2011:0928");
    
      script_name(english:"Oracle Linux 6 : kernel (ELSA-2011-0928)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2011:0928 :
    
    Updated kernel packages that fix multiple security issues and various
    bugs are now available for Red Hat Enterprise Linux 6.
    
    The Red Hat Security Response Team has rated this update as having
    moderate security impact. Common Vulnerability Scoring System (CVSS)
    base scores, which give detailed severity ratings, are available for
    each vulnerability from the CVE links in the References section.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    This update fixes the following security issues :
    
    * It was found that the receive hook in the ipip_init() function in
    the ipip module, and in the ipgre_init() function in the ip_gre
    module, could be called before network namespaces setup is complete.
    If packets were received at the time the ipip or ip_gre module was
    still being loaded into the kernel, it could cause a denial of
    service. (CVE-2011-1767, CVE-2011-1768, Moderate)
    
    * It was found that an mmap() call with the MAP_PRIVATE flag on
    '/dev/zero' would create transparent hugepages and trigger a certain
    robustness check. A local, unprivileged user could use this flaw to
    cause a denial of service. (CVE-2011-2479, Moderate)
    
    This update also fixes various bugs. Documentation for these bug fixes
    will be available shortly from the Technical Notes document linked to
    in the References section.
    
    Users should upgrade to these updated packages, which contain
    backported patches to resolve these issues, and fix the bugs noted in
    the Technical Notes. The system must be rebooted for this update to
    take effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2011-July/002228.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-firmware");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/06/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/07/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2011-1767", "CVE-2011-1768", "CVE-2011-2479");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2011-0928");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "2.6";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL6", rpm:"kernel-2.6.32") && rpm_check(release:"EL6", reference:"kernel-2.6.32-131.6.1.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-debug-2.6.32") && rpm_check(release:"EL6", reference:"kernel-debug-2.6.32-131.6.1.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-debug-devel-2.6.32") && rpm_check(release:"EL6", reference:"kernel-debug-devel-2.6.32-131.6.1.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-devel-2.6.32") && rpm_check(release:"EL6", reference:"kernel-devel-2.6.32-131.6.1.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-doc-2.6.32") && rpm_check(release:"EL6", reference:"kernel-doc-2.6.32-131.6.1.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-firmware-2.6.32") && rpm_check(release:"EL6", reference:"kernel-firmware-2.6.32-131.6.1.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-headers-2.6.32") && rpm_check(release:"EL6", reference:"kernel-headers-2.6.32-131.6.1.el6")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20110712_KERNEL_ON_SL6_X.NASL
    descriptionThe kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : - It was found that the receive hook in the ipip_init() function in the ipip module, and in the ipgre_init() function in the ip_gre module, could be called before network namespaces setup is complete. If packets were received at the time the ipip or ip_gre module was still being loaded into the kernel, it could cause a denial of service. (CVE-2011-1767, CVE-2011-1768, Moderate) - It was found that an mmap() call with the MAP_PRIVATE flag on
    last seen2020-06-01
    modified2020-06-02
    plugin id61082
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/61082
    titleScientific Linux Security Update : kernel on SL6.x i386/x86_64
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(61082);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/25 13:36:19");
    
      script_cve_id("CVE-2011-1767", "CVE-2011-2479");
    
      script_name(english:"Scientific Linux Security Update : kernel on SL6.x i386/x86_64");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    This update fixes the following security issues :
    
      - It was found that the receive hook in the ipip_init()
        function in the ipip module, and in the ipgre_init()
        function in the ip_gre module, could be called before
        network namespaces setup is complete. If packets were
        received at the time the ipip or ip_gre module was still
        being loaded into the kernel, it could cause a denial of
        service. (CVE-2011-1767, CVE-2011-1768, Moderate)
    
      - It was found that an mmap() call with the MAP_PRIVATE
        flag on '/dev/zero' would create transparent hugepages
        and trigger a certain robustness check. A local,
        unprivileged user could use this flaw to cause a denial
        of service. (CVE-2011-2479, Moderate)
    
    This update also fixes various bugs. Documentation for these bug fixes
    will be available shortly from the Technical Notes document linked to
    in the References section.
    
    Users should upgrade to these updated packages, which contain
    backported patches to resolve these issues, and fix the bugs noted in
    the Technical Notes. The system must be rebooted for this update to
    take effect."
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1107&L=scientific-linux-errata&T=0&P=1046
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?48cc8ba8"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/07/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL6", reference:"kernel-2.6.32-131.6.1.el6")) flag++;
    if (rpm_check(release:"SL6", reference:"kernel-debug-2.6.32-131.6.1.el6")) flag++;
    if (rpm_check(release:"SL6", reference:"kernel-debug-debuginfo-2.6.32-131.6.1.el6")) flag++;
    if (rpm_check(release:"SL6", reference:"kernel-debug-devel-2.6.32-131.6.1.el6")) flag++;
    if (rpm_check(release:"SL6", reference:"kernel-debuginfo-2.6.32-131.6.1.el6")) flag++;
    if (rpm_check(release:"SL6", cpu:"i386", reference:"kernel-debuginfo-common-i686-2.6.32-131.6.1.el6")) flag++;
    if (rpm_check(release:"SL6", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-2.6.32-131.6.1.el6")) flag++;
    if (rpm_check(release:"SL6", reference:"kernel-devel-2.6.32-131.6.1.el6")) flag++;
    if (rpm_check(release:"SL6", reference:"kernel-doc-2.6.32-131.6.1.el6")) flag++;
    if (rpm_check(release:"SL6", reference:"kernel-firmware-2.6.32-131.6.1.el6")) flag++;
    if (rpm_check(release:"SL6", reference:"kernel-headers-2.6.32-131.6.1.el6")) flag++;
    if (rpm_check(release:"SL6", reference:"perf-2.6.32-131.6.1.el6")) flag++;
    if (rpm_check(release:"SL6", reference:"perf-debuginfo-2.6.32-131.6.1.el6")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1281-1.NASL
    descriptionAndrea Righi discovered a race condition in the KSM memory merging support. If KSM was being used, a local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2183) It was discovered that an mmap() call with the MAP_PRIVATE flag on
    last seen2020-06-01
    modified2020-06-02
    plugin id56949
    published2011-11-26
    reporterUbuntu Security Notice (C) 2011-2012 Canonical, Inc. / NASL script (C) 2011-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/56949
    titleUSN-1281-1 : linux-ti-omap4 vulnerabilities
    code
    # This script was automatically generated from Ubuntu Security
    # Notice USN-1281-1.  It is released under the Nessus Script 
    # Licence.
    #
    # Ubuntu Security Notices are (C) Canonical, Inc.
    # See http://www.ubuntu.com/usn/
    # Ubuntu(R) is a registered trademark of Canonical, Inc.
    
    if (!defined_func("bn_random")) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(56949);
      script_version("$Revision: 1.5 $");
      script_cvs_date("$Date: 2016/12/01 20:56:51 $");
    
     script_cve_id("CVE-2011-2183", "CVE-2011-2479", "CVE-2011-2491", "CVE-2011-2494", "CVE-2011-2495", "CVE-2011-2496", "CVE-2011-2517", "CVE-2011-2905", "CVE-2011-2909", "CVE-2011-3363");
      script_xref(name:"USN", value:"1281-1");
    
      script_name(english:"USN-1281-1 : linux-ti-omap4 vulnerabilities");
      script_summary(english:"Checks dpkg output for updated package(s)");
    
      script_set_attribute(attribute:"synopsis", value: 
    "The remote Ubuntu host is missing one or more security-related
    patches.");
      script_set_attribute(attribute:"description", value:
    "Andrea Righi discovered a race condition in the KSM memory merging
    support. If KSM was being used, a local attacker could exploit this
    to crash the system, leading to a denial of service. (CVE-2011-2183)
    
    It was discovered that an mmap() call with the MAP_PRIVATE flag on
    '/dev/zero' was incorrectly handled. A local attacker could exploit
    this to crash the system, leading to a denial of service.
    (CVE-2011-2479)
    
    Vasily Averin discovered that the NFS Lock Manager (NLM) incorrectly
    handled unlock requests. A local attacker could exploit this to cause
    a denial of service. (CVE-2011-2491)
    
    Vasiliy Kulikov discovered that taskstats did not enforce access
    restrictions. A local attacker could exploit this to read certain
    information, leading to a loss of privacy. (CVE-2011-2494)
    
    Vasiliy Kulikov discovered that /proc/PID/io did not enforce access
    restrictions. A local attacker could exploit this to read certain
    information, leading to a loss of privacy. (CVE-2011-2495)
    
    Robert Swiecki discovered that mapping extensions were incorrectly
    handled. A local attacker could exploit this to crash the system,
    leading to a denial of service. (CVE-2011-2496)
    
    It was discovered that the wireless stack incorrectly verified SSID
    lengths. A local attacker could exploit this to cause a denial of
    service or gain root privileges. (CVE-2011-2517)
    
    Christian Ohm discovered that the perf command looks for
    configuration files in the current directory. If a privileged user
    were tricked into running perf in a directory containing a malicious
    configuration file, an attacker could run arbitrary commands and
    possibly gain privileges. (CVE-2011-2905)
    
    Vasiliy Kulikov discovered that the Comedi driver did not correctly
    clear memory. A local attacker could exploit this to read kernel
    stack memory, leading to a loss of privacy. (CVE-2011-2909)
    
    Yogesh Sharma discovered that CIFS did not correctly handle UNCs that
    had no prefixpaths. A local attacker with access to a CIFS partition
    could exploit this to crash the system, leading to a denial of
    service. (CVE-2011-3363)");
      script_set_attribute(attribute:"see_also", value:"http://www.ubuntu.com/usn/usn-1281-1/");
      script_set_attribute(attribute:"solution", value:"Update the affected package(s).");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/11/24");
    
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/26");
      script_end_attributes();
        
      script_category(ACT_GATHER_INFO);
      script_family(english:"Ubuntu Local Security Checks");
    
      script_copyright("Ubuntu Security Notice (C) 2011-2012 Canonical, Inc. / NASL script (C) 2011-2016 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    include("ubuntu.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/Ubuntu/release")) exit(0, "The host is not running Ubuntu.");
    if (!get_kb_item("Host/Debian/dpkg-l")) exit(1, "Could not obtain the list of installed packages.");
    
    flag = 0;
    
    if (ubuntu_check(osver:"11.04", pkgname:"linux-image-2.6.38-1209-omap4", pkgver:"2.6.38-1209.17")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:ubuntu_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1167-1.NASL
    descriptionAristide Fattori and Roberto Paleari reported a flaw in the Linux kernel
    last seen2020-03-18
    modified2011-07-14
    plugin id55591
    published2011-07-14
    reporterUbuntu Security Notice (C) 2011-2020 Canonical, Inc. / NASL script (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/55591
    titleUbuntu 11.04 : linux vulnerabilities (USN-1167-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-1167-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(55591);
      script_version("1.15");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/26");
    
      script_cve_id("CVE-2010-3859", "CVE-2010-3874", "CVE-2010-3875", "CVE-2010-3876", "CVE-2010-3877", "CVE-2010-3880", "CVE-2010-4158", "CVE-2010-4162", "CVE-2010-4163", "CVE-2010-4164", "CVE-2010-4165", "CVE-2010-4169", "CVE-2010-4175", "CVE-2010-4243", "CVE-2010-4248", "CVE-2010-4249", "CVE-2010-4250", "CVE-2010-4256", "CVE-2010-4258", "CVE-2010-4342", "CVE-2010-4346", "CVE-2010-4527", "CVE-2010-4529", "CVE-2010-4565", "CVE-2010-4649", "CVE-2010-4668", "CVE-2011-0463", "CVE-2011-0521", "CVE-2011-0695", "CVE-2011-0711", "CVE-2011-0712", "CVE-2011-0726", "CVE-2011-0999", "CVE-2011-1010", "CVE-2011-1012", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1017", "CVE-2011-1019", "CVE-2011-1044", "CVE-2011-1076", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1082", "CVE-2011-1083", "CVE-2011-1090", "CVE-2011-1093", "CVE-2011-1160", "CVE-2011-1163", "CVE-2011-1169", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1173", "CVE-2011-1180", "CVE-2011-1182", "CVE-2011-1476", "CVE-2011-1477", "CVE-2011-1479", "CVE-2011-1494", "CVE-2011-1495", "CVE-2011-1593", "CVE-2011-1598", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1747", "CVE-2011-1748", "CVE-2011-1759", "CVE-2011-1770", "CVE-2011-1771", "CVE-2011-1776", "CVE-2011-1927", "CVE-2011-2022", "CVE-2011-2479", "CVE-2011-2496", "CVE-2011-2498", "CVE-2011-2534", "CVE-2011-3359", "CVE-2011-3363", "CVE-2011-4913");
      script_bugtraq_id(44354, 44630, 44661, 44665, 44758, 44793, 44830, 44861, 44921, 45004, 45028, 45037, 45055, 45125, 45159, 45321, 45323, 45556, 45629, 45660, 45986, 46073, 46417, 46419, 46442, 46488, 46492, 46557, 46732, 46839, 47116, 47639, 47791, 47792);
      script_xref(name:"USN", value:"1167-1");
    
      script_name(english:"Ubuntu 11.04 : linux vulnerabilities (USN-1167-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Aristide Fattori and Roberto Paleari reported a flaw in the Linux
    kernel's handling of IPv4 icmp packets. A remote user could exploit
    this to cause a denial of service. (CVE-2011-1927)
    
    Goldwyn Rodrigues discovered that the OCFS2 filesystem did not
    correctly clear memory when writing certain file holes. A local
    attacker could exploit this to read uninitialized data from the disk,
    leading to a loss of privacy. (CVE-2011-0463)
    
    Timo Warns discovered that the LDM disk partition handling code did
    not correctly handle certain values. By inserting a specially crafted
    disk device, a local attacker could exploit this to gain root
    privileges. (CVE-2011-1017)
    
    Vasiliy Kulikov discovered that the Bluetooth stack did not correctly
    clear memory. A local attacker could exploit this to read kernel stack
    memory, leading to a loss of privacy. (CVE-2011-1078)
    
    Vasiliy Kulikov discovered that the Bluetooth stack did not correctly
    check that device name strings were NULL terminated. A local attacker
    could exploit this to crash the system, leading to a denial of
    service, or leak contents of kernel stack memory, leading to a loss of
    privacy. (CVE-2011-1079)
    
    Vasiliy Kulikov discovered that bridge network filtering did not check
    that name fields were NULL terminated. A local attacker could exploit
    this to leak contents of kernel stack memory, leading to a loss of
    privacy. (CVE-2011-1080)
    
    Johan Hovold discovered that the DCCP network stack did not correctly
    handle certain packet combinations. A remote attacker could send
    specially crafted network traffic that would crash the system, leading
    to a denial of service. (CVE-2011-1093)
    
    Peter Huewe discovered that the TPM device did not correctly
    initialize memory. A local attacker could exploit this to read kernel
    heap memory contents, leading to a loss of privacy. (CVE-2011-1160)
    
    Vasiliy Kulikov discovered that the netfilter code did not check
    certain strings copied from userspace. A local attacker with netfilter
    access could exploit this to read kernel memory or crash the system,
    leading to a denial of service. (CVE-2011-1170, CVE-2011-1171,
    CVE-2011-1172, CVE-2011-2534)
    
    Vasiliy Kulikov discovered that the Acorn Universal Networking driver
    did not correctly initialize memory. A remote attacker could send
    specially crafted traffic to read kernel stack memory, leading to a
    loss of privacy. (CVE-2011-1173)
    
    Dan Rosenberg discovered that the IRDA subsystem did not correctly
    check certain field sizes. If a system was using IRDA, a remote
    attacker could send specially crafted traffic to crash the system or
    gain root privileges. (CVE-2011-1180)
    
    Dan Rosenberg reported errors in the OSS (Open Sound System) MIDI
    interface. A local attacker on non-x86 systems might be able to cause
    a denial of service. (CVE-2011-1476)
    
    Dan Rosenberg reported errors in the kernel's OSS (Open Sound System)
    driver for Yamaha FM synthesizer chips. A local user can exploit this
    to cause memory corruption, causing a denial of service or privilege
    escalation. (CVE-2011-1477)
    
    It was discovered that the security fix for CVE-2010-4250 introduced a
    regression. A remote attacker could exploit this to crash the system,
    leading to a denial of service. (CVE-2011-1479)
    
    Dan Rosenberg discovered that MPT devices did not correctly validate
    certain values in ioctl calls. If these drivers were loaded, a local
    attacker could exploit this to read arbitrary kernel memory, leading
    to a loss of privacy. (CVE-2011-1494, CVE-2011-1495)
    
    Tavis Ormandy discovered that the pidmap function did not correctly
    handle large requests. A local attacker could exploit this to crash
    the system, leading to a denial of service. (CVE-2011-1593)
    
    Oliver Hartkopp and Dave Jones discovered that the CAN network driver
    did not correctly validate certain socket structures. If this driver
    was loaded, a local attacker could crash the system, leading to a
    denial of service. (CVE-2011-1598, CVE-2011-1748)
    
    Vasiliy Kulikov discovered that the AGP driver did not check certain
    ioctl values. A local attacker with access to the video subsystem
    could exploit this to crash the system, leading to a denial of
    service, or possibly gain root privileges. (CVE-2011-1745,
    CVE-2011-2022)
    
    Vasiliy Kulikov discovered that the AGP driver did not check the size
    of certain memory allocations. A local attacker with access to the
    video subsystem could exploit this to run the system out of memory,
    leading to a denial of service. (CVE-2011-1746)
    
    Dan Rosenberg reported an error in the old ABI compatibility layer of
    ARM kernels. A local attacker could exploit this flaw to cause a
    denial of service or gain root privileges. (CVE-2011-1759)
    
    Dan Rosenberg discovered that the DCCP stack did not correctly handle
    certain packet structures. A remote attacker could exploit this to
    crash the system, leading to a denial of service. (CVE-2011-1770)
    
    Ben Greear discovered that CIFS did not correctly handle direct I/O. A
    local attacker with access to a CIFS partition could exploit this to
    crash the system, leading to a denial of service. (CVE-2011-1771)
    
    Timo Warns discovered that the EFI GUID partition table was not
    correctly parsed. A physically local attacker that could insert
    mountable devices could exploit this to crash the system or possibly
    gain root privileges. (CVE-2011-1776)
    
    It was discovered that an mmap() call with the MAP_PRIVATE flag on
    '/dev/zero' was incorrectly handled. A local attacker could exploit
    this to crash the system, leading to a denial of service.
    (CVE-2011-2479)
    
    Robert Swiecki discovered that mapping extensions were incorrectly
    handled. A local attacker could exploit this to crash the system,
    leading to a denial of service. (CVE-2011-2496)
    
    The linux kernel did not properly account for PTE pages when deciding
    which task to kill in out of memory conditions. A local, unprivileged
    could exploit this flaw to cause a denial of service. (CVE-2011-2498)
    
    A flaw was found in the b43 driver in the Linux kernel. An attacker
    could use this flaw to cause a denial of service if the system has an
    active wireless interface using the b43 driver. (CVE-2011-3359)
    
    Yogesh Sharma discovered that CIFS did not correctly handle UNCs that
    had no prefixpaths. A local attacker with access to a CIFS partition
    could exploit this to crash the system, leading to a denial of
    service. (CVE-2011-3363)
    
    Dan Rosenberg discovered flaws in the linux Rose (X.25 PLP) layer used
    by amateur radio. A local user or a remote user on an X.25 network
    could exploit these flaws to execute arbitrary code as root.
    (CVE-2011-4913).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/1167-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-versatile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/07/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/07/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2011-2020 Canonical, Inc. / NASL script (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(11\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 11.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2010-3859", "CVE-2010-3874", "CVE-2010-3875", "CVE-2010-3876", "CVE-2010-3877", "CVE-2010-3880", "CVE-2010-4158", "CVE-2010-4162", "CVE-2010-4163", "CVE-2010-4164", "CVE-2010-4165", "CVE-2010-4169", "CVE-2010-4175", "CVE-2010-4243", "CVE-2010-4248", "CVE-2010-4249", "CVE-2010-4250", "CVE-2010-4256", "CVE-2010-4258", "CVE-2010-4342", "CVE-2010-4346", "CVE-2010-4527", "CVE-2010-4529", "CVE-2010-4565", "CVE-2010-4649", "CVE-2010-4668", "CVE-2011-0463", "CVE-2011-0521", "CVE-2011-0695", "CVE-2011-0711", "CVE-2011-0712", "CVE-2011-0726", "CVE-2011-0999", "CVE-2011-1010", "CVE-2011-1012", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1017", "CVE-2011-1019", "CVE-2011-1044", "CVE-2011-1076", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1082", "CVE-2011-1083", "CVE-2011-1090", "CVE-2011-1093", "CVE-2011-1160", "CVE-2011-1163", "CVE-2011-1169", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1173", "CVE-2011-1180", "CVE-2011-1182", "CVE-2011-1476", "CVE-2011-1477", "CVE-2011-1479", "CVE-2011-1494", "CVE-2011-1495", "CVE-2011-1593", "CVE-2011-1598", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1747", "CVE-2011-1748", "CVE-2011-1759", "CVE-2011-1770", "CVE-2011-1771", "CVE-2011-1776", "CVE-2011-1927", "CVE-2011-2022", "CVE-2011-2479", "CVE-2011-2496", "CVE-2011-2498", "CVE-2011-2534", "CVE-2011-3359", "CVE-2011-3363", "CVE-2011-4913");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-1167-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"11.04", pkgname:"linux-image-2.6.38-10-generic", pkgver:"2.6.38-10.46")) flag++;
    if (ubuntu_check(osver:"11.04", pkgname:"linux-image-2.6.38-10-generic-pae", pkgver:"2.6.38-10.46")) flag++;
    if (ubuntu_check(osver:"11.04", pkgname:"linux-image-2.6.38-10-server", pkgver:"2.6.38-10.46")) flag++;
    if (ubuntu_check(osver:"11.04", pkgname:"linux-image-2.6.38-10-versatile", pkgver:"2.6.38-10.46")) flag++;
    if (ubuntu_check(osver:"11.04", pkgname:"linux-image-2.6.38-10-virtual", pkgver:"2.6.38-10.46")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-2.6-generic / linux-image-2.6-generic-pae / etc");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1256-1.NASL
    descriptionIt was discovered that the /proc filesystem did not correctly handle permission changes when programs executed. A local attacker could hold open files to examine details about programs running with higher privileges, potentially increasing the chances of exploiting additional vulnerabilities. (CVE-2011-1020) Vasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078) Vasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079) Vasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080) Johan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093) Peter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160) Dan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180) Ryan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478) It was discovered that the security fix for CVE-2010-4250 introduced a regression. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1479) Dan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges. (CVE-2011-1493) It was discovered that the Stream Control Transmission Protocol (SCTP) implementation incorrectly calculated lengths. If the net.sctp.addip_enable variable was turned on, a remote attacker could send specially crafted traffic to crash the system. (CVE-2011-1573) Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1576) Timo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577) Phil Oester discovered that the network bonding system did not correctly handle large queues. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1581) It was discovered that CIFS incorrectly handled authentication. When a user had a CIFS share mounted that required authentication, a local user could mount the same share without knowing the correct password. (CVE-2011-1585) It was discovered that the GRE protocol incorrectly handled netns initialization. A remote attacker could send a packet while the ip_gre module was loading, and crash the system, leading to a denial of service. (CVE-2011-1767) It was discovered that the IP/IP protocol incorrectly handled netns initialization. A remote attacker could send a packet while the ipip module was loading, and crash the system, leading to a denial of service. (CVE-2011-1768) Ben Greear discovered that CIFS did not correctly handle direct I/O. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2011-1771) Timo Warns discovered that the EFI GUID partition table was not correctly parsed. A physically local attacker that could insert mountable devices could exploit this to crash the system or possibly gain root privileges. (CVE-2011-1776) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Ben Hutchings reported a flaw in the kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id56768
    published2011-11-10
    reporterUbuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/56768
    titleUbuntu 10.04 LTS : linux-lts-backport-natty vulnerabilities (USN-1256-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-1256-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(56768);
      script_version("1.18");
      script_cvs_date("Date: 2019/09/19 12:54:27");
    
      script_cve_id("CVE-2010-4250", "CVE-2011-1020", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1093", "CVE-2011-1160", "CVE-2011-1180", "CVE-2011-1478", "CVE-2011-1479", "CVE-2011-1493", "CVE-2011-1573", "CVE-2011-1576", "CVE-2011-1577", "CVE-2011-1581", "CVE-2011-1585", "CVE-2011-1767", "CVE-2011-1768", "CVE-2011-1771", "CVE-2011-1776", "CVE-2011-1833", "CVE-2011-2182", "CVE-2011-2183", "CVE-2011-2213", "CVE-2011-2479", "CVE-2011-2484", "CVE-2011-2491", "CVE-2011-2492", "CVE-2011-2493", "CVE-2011-2494", "CVE-2011-2495", "CVE-2011-2496", "CVE-2011-2497", "CVE-2011-2517", "CVE-2011-2525", "CVE-2011-2689", "CVE-2011-2695", "CVE-2011-2699", "CVE-2011-2700", "CVE-2011-2723", "CVE-2011-2905", "CVE-2011-2909", "CVE-2011-2918", "CVE-2011-2928", "CVE-2011-2942", "CVE-2011-3188", "CVE-2011-3191", "CVE-2011-3209", "CVE-2011-3363", "CVE-2011-3619", "CVE-2011-3637", "CVE-2011-4087", "CVE-2011-4326", "CVE-2011-4914");
      script_bugtraq_id(46567, 46616, 46793, 46866, 46935, 46980, 47056, 47296, 47308, 47321, 47343, 47381, 47768, 47796, 47852, 47853, 47926, 48101, 48333, 48347, 48383, 48441, 48472, 48538, 48641, 48677, 48697, 48802, 48804, 48907, 48929, 49108, 49140, 49141, 49408, 49411, 50314);
      script_xref(name:"USN", value:"1256-1");
    
      script_name(english:"Ubuntu 10.04 LTS : linux-lts-backport-natty vulnerabilities (USN-1256-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the /proc filesystem did not correctly handle
    permission changes when programs executed. A local attacker could hold
    open files to examine details about programs running with higher
    privileges, potentially increasing the chances of exploiting
    additional vulnerabilities. (CVE-2011-1020)
    
    Vasiliy Kulikov discovered that the Bluetooth stack did not correctly
    clear memory. A local attacker could exploit this to read kernel stack
    memory, leading to a loss of privacy. (CVE-2011-1078)
    
    Vasiliy Kulikov discovered that the Bluetooth stack did not correctly
    check that device name strings were NULL terminated. A local attacker
    could exploit this to crash the system, leading to a denial of
    service, or leak contents of kernel stack memory, leading to a loss of
    privacy. (CVE-2011-1079)
    
    Vasiliy Kulikov discovered that bridge network filtering did not check
    that name fields were NULL terminated. A local attacker could exploit
    this to leak contents of kernel stack memory, leading to a loss of
    privacy. (CVE-2011-1080)
    
    Johan Hovold discovered that the DCCP network stack did not correctly
    handle certain packet combinations. A remote attacker could send
    specially crafted network traffic that would crash the system, leading
    to a denial of service. (CVE-2011-1093)
    
    Peter Huewe discovered that the TPM device did not correctly
    initialize memory. A local attacker could exploit this to read kernel
    heap memory contents, leading to a loss of privacy. (CVE-2011-1160)
    
    Dan Rosenberg discovered that the IRDA subsystem did not correctly
    check certain field sizes. If a system was using IRDA, a remote
    attacker could send specially crafted traffic to crash the system or
    gain root privileges. (CVE-2011-1180)
    
    Ryan Sweat discovered that the GRO code did not correctly validate
    memory. In some configurations on systems using VLANs, a remote
    attacker could send specially crafted traffic to crash the system,
    leading to a denial of service. (CVE-2011-1478)
    
    It was discovered that the security fix for CVE-2010-4250 introduced a
    regression. A remote attacker could exploit this to crash the system,
    leading to a denial of service. (CVE-2011-1479)
    
    Dan Rosenberg discovered that the X.25 Rose network stack did not
    correctly handle certain fields. If a system was running with Rose
    enabled, a remote attacker could send specially crafted traffic to
    gain root privileges. (CVE-2011-1493)
    
    It was discovered that the Stream Control Transmission Protocol (SCTP)
    implementation incorrectly calculated lengths. If the
    net.sctp.addip_enable variable was turned on, a remote attacker could
    send specially crafted traffic to crash the system. (CVE-2011-1573)
    
    Ryan Sweat discovered that the kernel incorrectly handled certain VLAN
    packets. On some systems, a remote attacker could send specially
    crafted traffic to crash the system, leading to a denial of service.
    (CVE-2011-1576)
    
    Timo Warns discovered that the GUID partition parsing routines did not
    correctly validate certain structures. A local attacker with physical
    access could plug in a specially crafted block device to crash the
    system, leading to a denial of service. (CVE-2011-1577)
    
    Phil Oester discovered that the network bonding system did not
    correctly handle large queues. On some systems, a remote attacker
    could send specially crafted traffic to crash the system, leading to a
    denial of service. (CVE-2011-1581)
    
    It was discovered that CIFS incorrectly handled authentication. When a
    user had a CIFS share mounted that required authentication, a local
    user could mount the same share without knowing the correct password.
    (CVE-2011-1585)
    
    It was discovered that the GRE protocol incorrectly handled netns
    initialization. A remote attacker could send a packet while the ip_gre
    module was loading, and crash the system, leading to a denial of
    service. (CVE-2011-1767)
    
    It was discovered that the IP/IP protocol incorrectly handled netns
    initialization. A remote attacker could send a packet while the ipip
    module was loading, and crash the system, leading to a denial of
    service. (CVE-2011-1768)
    
    Ben Greear discovered that CIFS did not correctly handle direct I/O. A
    local attacker with access to a CIFS partition could exploit this to
    crash the system, leading to a denial of service. (CVE-2011-1771)
    
    Timo Warns discovered that the EFI GUID partition table was not
    correctly parsed. A physically local attacker that could insert
    mountable devices could exploit this to crash the system or possibly
    gain root privileges. (CVE-2011-1776)
    
    Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not
    correctly check the origin of mount points. A local attacker could
    exploit this to trick the system into unmounting arbitrary mount
    points, leading to a denial of service. (CVE-2011-1833)
    
    Ben Hutchings reported a flaw in the kernel's handling of corrupt LDM
    partitions. A local user could exploit this to cause a denial of
    service or escalate privileges. (CVE-2011-2182)
    
    Dan Rosenberg discovered that the IPv4 diagnostic routines did not
    correctly validate certain requests. A local attacker could exploit
    this to consume CPU resources, leading to a denial of service.
    (CVE-2011-2213)
    
    It was discovered that an mmap() call with the MAP_PRIVATE flag on
    '/dev/zero' was incorrectly handled. A local attacker could exploit
    this to crash the system, leading to a denial of service.
    (CVE-2011-2479)
    
    Vasiliy Kulikov discovered that taskstats listeners were not correctly
    handled. A local attacker could exploit this to exhaust memory and CPU
    resources, leading to a denial of service. (CVE-2011-2484)
    
    It was discovered that Bluetooth l2cap and rfcomm did not correctly
    initialize structures. A local attacker could exploit this to read
    portions of the kernel stack, leading to a loss of privacy.
    (CVE-2011-2492)
    
    Sami Liedes discovered that ext4 did not correctly handle missing root
    inodes. A local attacker could trigger the mount of a specially
    crafted filesystem to cause the system to crash, leading to a denial
    of service. (CVE-2011-2493)
    
    Robert Swiecki discovered that mapping extensions were incorrectly
    handled. A local attacker could exploit this to crash the system,
    leading to a denial of service. (CVE-2011-2496)
    
    Dan Rosenberg discovered that the Bluetooth stack incorrectly handled
    certain L2CAP requests. If a system was using Bluetooth, a remote
    attacker could send specially crafted traffic to crash the system or
    gain root privileges. (CVE-2011-2497)
    
    Ben Pfaff discovered that Classless Queuing Disciplines (qdiscs) were
    being incorrectly handled. A local attacker could exploit this to
    crash the system, leading to a denial of service. (CVE-2011-2525)
    
    It was discovered that GFS2 did not correctly check block sizes. A
    local attacker could exploit this to crash the system, leading to a
    denial of service. (CVE-2011-2689)
    
    It was discovered that the EXT4 filesystem contained multiple
    off-by-one flaws. A local attacker could exploit this to crash the
    system, leading to a denial of service. (CVE-2011-2695)
    
    Fernando Gont discovered that the IPv6 stack used predictable fragment
    identification numbers. A remote attacker could exploit this to
    exhaust network resources, leading to a denial of service.
    (CVE-2011-2699)
    
    Mauro Carvalho Chehab discovered that the si4713 radio driver did not
    correctly check the length of memory copies. If this hardware was
    available, a local attacker could exploit this to crash the system or
    gain root privileges. (CVE-2011-2700)
    
    Herbert Xu discovered that certain fields were incorrectly handled
    when Generic Receive Offload (CVE-2011-2723)
    
    The performance counter subsystem did not correctly handle certain
    counters. A local attacker could exploit this to crash the system,
    leading to a denial of service. (CVE-2011-2918)
    
    Time Warns discovered that long symlinks were incorrectly handled on
    Be filesystems. A local attacker could exploit this with a malformed
    Be filesystem and crash the system, leading to a denial of service.
    (CVE-2011-2928)
    
    Qianfeng Zhang discovered that the bridge networking interface
    incorrectly handled certain network packets. A remote attacker could
    exploit this to crash the system, leading to a denial of service.
    (CVE-2011-2942)
    
    Dan Kaminsky discovered that the kernel incorrectly handled random
    sequence number generation. An attacker could use this flaw to
    possibly predict sequence numbers and inject packets. (CVE-2011-3188)
    
    Darren Lavender discovered that the CIFS client incorrectly handled
    certain large values. A remote attacker with a malicious server could
    exploit this to crash the system or possibly execute arbitrary code as
    the root user. (CVE-2011-3191)
    
    Yasuaki Ishimatsu discovered a flaw in the kernel's clock
    implementation. A local unprivileged attacker could exploit this
    causing a denial of service. (CVE-2011-3209)
    
    Yogesh Sharma discovered that CIFS did not correctly handle UNCs that
    had no prefixpaths. A local attacker with access to a CIFS partition
    could exploit this to crash the system, leading to a denial of
    service. (CVE-2011-3363)
    
    A flaw was discovered in the Linux kernel's AppArmor security
    interface when invalid information was written to it. An unprivileged
    local user could use this to cause a denial of service on the system.
    (CVE-2011-3619)
    
    A flaw was found in the Linux kernel's /proc/*/*map* interface. A
    local, unprivileged user could exploit this flaw to cause a denial of
    service. (CVE-2011-3637)
    
    Scot Doyle discovered that the bridge networking interface incorrectly
    handled certain network packets. A remote attacker could exploit this
    to crash the system, leading to a denial of service. (CVE-2011-4087)
    
    A bug was found in the way headroom check was performed in
    udp6_ufo_fragment() function. A remote attacker could use this flaw to
    crash the system. (CVE-2011-4326)
    
    Ben Hutchings discovered several flaws in the Linux Rose (X.25 PLP)
    layer. A local user or a remote user on an X.25 network could exploit
    these flaws to execute arbitrary code as root. (CVE-2011-4914).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/1256-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/02/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/11/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(10\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 10.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2010-4250", "CVE-2011-1020", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1093", "CVE-2011-1160", "CVE-2011-1180", "CVE-2011-1478", "CVE-2011-1479", "CVE-2011-1493", "CVE-2011-1573", "CVE-2011-1576", "CVE-2011-1577", "CVE-2011-1581", "CVE-2011-1585", "CVE-2011-1767", "CVE-2011-1768", "CVE-2011-1771", "CVE-2011-1776", "CVE-2011-1833", "CVE-2011-2182", "CVE-2011-2183", "CVE-2011-2213", "CVE-2011-2479", "CVE-2011-2484", "CVE-2011-2491", "CVE-2011-2492", "CVE-2011-2493", "CVE-2011-2494", "CVE-2011-2495", "CVE-2011-2496", "CVE-2011-2497", "CVE-2011-2517", "CVE-2011-2525", "CVE-2011-2689", "CVE-2011-2695", "CVE-2011-2699", "CVE-2011-2700", "CVE-2011-2723", "CVE-2011-2905", "CVE-2011-2909", "CVE-2011-2918", "CVE-2011-2928", "CVE-2011-2942", "CVE-2011-3188", "CVE-2011-3191", "CVE-2011-3209", "CVE-2011-3363", "CVE-2011-3619", "CVE-2011-3637", "CVE-2011-4087", "CVE-2011-4326", "CVE-2011-4914");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-1256-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"10.04", pkgname:"linux-image-2.6.38-12-generic", pkgver:"2.6.38-12.51~lucid1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-image-2.6.38-12-generic-pae", pkgver:"2.6.38-12.51~lucid1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-image-2.6.38-12-server", pkgver:"2.6.38-12.51~lucid1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"linux-image-2.6.38-12-virtual", pkgver:"2.6.38-12.51~lucid1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-2.6-generic / linux-image-2.6-generic-pae / etc");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2011-0928.NASL
    descriptionUpdated kernel packages that fix multiple security issues and various bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * It was found that the receive hook in the ipip_init() function in the ipip module, and in the ipgre_init() function in the ip_gre module, could be called before network namespaces setup is complete. If packets were received at the time the ipip or ip_gre module was still being loaded into the kernel, it could cause a denial of service. (CVE-2011-1767, CVE-2011-1768, Moderate) * It was found that an mmap() call with the MAP_PRIVATE flag on
    last seen2020-06-01
    modified2020-06-02
    plugin id55584
    published2011-07-13
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/55584
    titleRHEL 6 : kernel (RHSA-2011:0928)

Redhat

advisories
bugzilla
id714761
titleCVE-2011-2479 kernel: thp: madvise on top of /dev/zero private mapping can lead to panic
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 6 is installed
      ovaloval:com.redhat.rhba:tst:20111656003
    • OR
      • commentkernel earlier than 0:2.6.32-131.6.1.el6 is currently running
        ovaloval:com.redhat.rhsa:tst:20110928023
      • commentkernel earlier than 0:2.6.32-131.6.1.el6 is set to boot up on next boot
        ovaloval:com.redhat.rhsa:tst:20110928024
    • OR
      • AND
        • commentkernel-doc is earlier than 0:2.6.32-131.6.1.el6
          ovaloval:com.redhat.rhsa:tst:20110928001
        • commentkernel-doc is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100842002
      • AND
        • commentkernel-firmware is earlier than 0:2.6.32-131.6.1.el6
          ovaloval:com.redhat.rhsa:tst:20110928003
        • commentkernel-firmware is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100842004
      • AND
        • commentkernel is earlier than 0:2.6.32-131.6.1.el6
          ovaloval:com.redhat.rhsa:tst:20110928005
        • commentkernel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100842012
      • AND
        • commentkernel-debug-devel is earlier than 0:2.6.32-131.6.1.el6
          ovaloval:com.redhat.rhsa:tst:20110928007
        • commentkernel-debug-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100842008
      • AND
        • commentperf is earlier than 0:2.6.32-131.6.1.el6
          ovaloval:com.redhat.rhsa:tst:20110928009
        • commentperf is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100842006
      • AND
        • commentkernel-devel is earlier than 0:2.6.32-131.6.1.el6
          ovaloval:com.redhat.rhsa:tst:20110928011
        • commentkernel-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100842016
      • AND
        • commentkernel-headers is earlier than 0:2.6.32-131.6.1.el6
          ovaloval:com.redhat.rhsa:tst:20110928013
        • commentkernel-headers is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100842010
      • AND
        • commentkernel-debug is earlier than 0:2.6.32-131.6.1.el6
          ovaloval:com.redhat.rhsa:tst:20110928015
        • commentkernel-debug is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100842014
      • AND
        • commentkernel-kdump-devel is earlier than 0:2.6.32-131.6.1.el6
          ovaloval:com.redhat.rhsa:tst:20110928017
        • commentkernel-kdump-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100842022
      • AND
        • commentkernel-kdump is earlier than 0:2.6.32-131.6.1.el6
          ovaloval:com.redhat.rhsa:tst:20110928019
        • commentkernel-kdump is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100842020
      • AND
        • commentkernel-bootwrapper is earlier than 0:2.6.32-131.6.1.el6
          ovaloval:com.redhat.rhsa:tst:20110928021
        • commentkernel-bootwrapper is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100842018
rhsa
idRHSA-2011:0928
released2011-07-12
severityModerate
titleRHSA-2011:0928: kernel security and bug fix update (Moderate)
rpms
  • kernel-0:2.6.32-131.6.1.el6
  • kernel-bootwrapper-0:2.6.32-131.6.1.el6
  • kernel-debug-0:2.6.32-131.6.1.el6
  • kernel-debug-debuginfo-0:2.6.32-131.6.1.el6
  • kernel-debug-devel-0:2.6.32-131.6.1.el6
  • kernel-debuginfo-0:2.6.32-131.6.1.el6
  • kernel-debuginfo-common-i686-0:2.6.32-131.6.1.el6
  • kernel-debuginfo-common-ppc64-0:2.6.32-131.6.1.el6
  • kernel-debuginfo-common-s390x-0:2.6.32-131.6.1.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-131.6.1.el6
  • kernel-devel-0:2.6.32-131.6.1.el6
  • kernel-doc-0:2.6.32-131.6.1.el6
  • kernel-firmware-0:2.6.32-131.6.1.el6
  • kernel-headers-0:2.6.32-131.6.1.el6
  • kernel-kdump-0:2.6.32-131.6.1.el6
  • kernel-kdump-debuginfo-0:2.6.32-131.6.1.el6
  • kernel-kdump-devel-0:2.6.32-131.6.1.el6
  • perf-0:2.6.32-131.6.1.el6
  • perf-debuginfo-0:2.6.32-131.6.1.el6