CVE-2011-3589 - Cryptographic Issues vulnerability in Redhat Kexec-Tools

CVSS 5.7 - MEDIUM
Attack vector: ADJACENT_NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: NONE
Availability impact: NONE

Summary

The Red Hat mkdumprd script for kexec-tools, as distributed in the kexec-tools 1.x before 1.102pre-154 and 2.x before 2.0.0-209 packages in Red Hat Enterprise Linux, uses world-readable permissions for vmcore files, which allows local users to obtain sensitive information by inspecting the file content, as demonstrated by a search for a root SSH key.
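The condition described above is a permissions problem a defender can verify directly. The following is an added check, not part of the advisory or of the kexec-tools package: it walks the kdump artefacts (vmcore dumps and the kdump initrd) and reports any that every local user can read. It assumes GNU coreutils `stat`, and builds a constructed sample tree in place of the real `/var/crash` and `/boot`; the crash directory name and initrd file name in the sample are illustrative.

```shell
#!/bin/sh
# Added example (not from the advisory or from kexec-tools): audit kdump
# artefacts for world-readable permissions, the condition behind CVE-2011-3589.
# Assumes GNU coreutils stat; directory paths are parameters so the same
# check runs against the real /var/crash and /boot or a constructed sample.

# world_readable FILE: succeed (exit 0) if the "other" class has the read bit.
world_readable() {
  perm=$(stat -c '%a' "$1") || return 2
  other=${perm#"${perm%?}"}        # last octal digit = "other" permissions
  [ $(( other & 4 )) -ne 0 ]       # read bit is 4
}

# audit_kdump CRASH_DIR BOOT_DIR: list offending files; exit 1 if any found.
audit_kdump() {
  crash_dir=$1
  boot_dir=$2
  bad=0
  for f in "$crash_dir"/*/vmcore "$boot_dir"/initrd-*kdump.img; do
    [ -e "$f" ] || continue        # an unmatched glob stays literal; skip it
    if world_readable "$f"; then
      echo "WORLD-READABLE: $f ($(stat -c '%a %U:%G' "$f"))"
      bad=1
    fi
  done
  return $bad
}

# make_sample: constructed tree standing in for /var/crash and /boot.
# The vmcore is left 0644 (the vulnerable state); the kdump initrd is 0600.
make_sample() {
  root=$(mktemp -d)
  crash="$root/crash/127.0.0.1-2011-12-06-10:00:00"   # illustrative name
  mkdir -p "$crash" "$root/boot"
  : > "$crash/vmcore"
  chmod 644 "$crash/vmcore"
  : > "$root/boot/initrd-2.6.32.kdump.img"
  chmod 600 "$root/boot/initrd-2.6.32.kdump.img"
  echo "$root"
}

# Usage against a live host: audit_kdump /var/crash /boot
# Stand-alone demo on the constructed tree:
if [ "${KDUMP_AUDIT_DEMO:-1}" = 1 ]; then
  root=$(make_sample)
  audit_kdump "$root/crash" "$root/boot" || echo "audit failed: world-readable kdump artefacts present"
  rm -rf "$root"
fi
```

On a patched host the expected result is an empty report and exit status 0; the fixed packages listed further down this page create the initrd with restrictive permissions, and the same check applied to `/var/crash` covers the vmcore files named in the summary.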

Vulnerable Configurations

Part         Description   Count
Application  Redhat        1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20111206_KEXEC_TOOLS_ON_SL6_X.NASL
    description: Kexec allows for booting a Linux kernel from the context of an already running kernel. Kdump used the SSH (Secure Shell)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 61189
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/61189
    title: Scientific Linux Security Update : kexec-tools on SL6.x i386/x86_64
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(61189);
      script_version("1.6");
      script_cvs_date("Date: 2019/10/25 13:36:20");
    
      script_cve_id("CVE-2011-3588");
    
      script_name(english:"Scientific Linux Security Update : kexec-tools on SL6.x i386/x86_64");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Kexec allows for booting a Linux kernel from the context of an already
    running kernel.
    
    Kdump used the SSH (Secure Shell) 'StrictHostKeyChecking=no' option
    when dumping to SSH targets, causing the target kdump server's SSH
    host key not to be checked. This could make it easier for a
    man-in-the-middle attacker on the local network to impersonate the
    kdump SSH target server and possibly gain access to sensitive
    information in the vmcore dumps. (CVE-2011-3588)
    
    mkdumprd created initrd files with world-readable permissions. A local
    user could possibly use this flaw to gain access to sensitive
    information, such as the private SSH key used to authenticate to a
    remote server when kdump was configured to dump to an SSH target.
    (CVE-2011-3589)
    
    mkdumprd included unneeded sensitive files (such as all files from the
    '/root/.ssh/' directory and the host's private SSH keys) in the
    resulting initrd. This could lead to an information leak when initrd
    files were previously created with world-readable permissions. Note:
    With this update, only the SSH client configuration, known hosts
    files, and the SSH key configured via the newly introduced sshkey
    option in '/etc/kdump.conf' are included in the initrd. The default is
    the key generated when running the 'service kdump propagate' command,
    '/root/.ssh/kdump_id_rsa'. (CVE-2011-3590)
    
    This update also fixes several bugs and adds various enhancements.
    
    All kexec-tools users should upgrade to this updated package, which
    contains backported patches to resolve these issues and add these
    enhancements."
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1112&L=scientific-linux-errata&T=0&P=827
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?91093a68"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected kexec-tools and / or kexec-tools-debuginfo
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:C/I:N/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/12/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL6", reference:"kexec-tools-2.0.0-209.el6")) flag++;
    if (rpm_check(release:"SL6", reference:"kexec-tools-debuginfo-2.0.0-209.el6")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2011-1532.NASL
    description: An updated kexec-tools package that fixes three security issues, various bugs, and adds enhancements is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Kexec allows for booting a Linux kernel from the context of an already running kernel. Kdump used the SSH (Secure Shell)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 57013
    published: 2011-12-06
    reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/57013
    title: RHEL 6 : kexec-tools (RHSA-2011:1532)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2011:1532. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(57013);
      script_version ("1.20");
      script_cvs_date("Date: 2019/10/25 13:36:16");
    
      script_cve_id("CVE-2011-3588", "CVE-2011-3589", "CVE-2011-3590");
      script_bugtraq_id(50415, 50416, 50420);
      script_xref(name:"RHSA", value:"2011:1532");
    
      script_name(english:"RHEL 6 : kexec-tools (RHSA-2011:1532)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An updated kexec-tools package that fixes three security issues,
    various bugs, and adds enhancements is now available for Red Hat
    Enterprise Linux 6.
    
    The Red Hat Security Response Team has rated this update as having
    moderate security impact. Common Vulnerability Scoring System (CVSS)
    base scores, which give detailed severity ratings, are available for
    each vulnerability from the CVE links in the References section.
    
    Kexec allows for booting a Linux kernel from the context of an already
    running kernel.
    
    Kdump used the SSH (Secure Shell) 'StrictHostKeyChecking=no' option
    when dumping to SSH targets, causing the target kdump server's SSH
    host key not to be checked. This could make it easier for a
    man-in-the-middle attacker on the local network to impersonate the
    kdump SSH target server and possibly gain access to sensitive
    information in the vmcore dumps. (CVE-2011-3588)
    
    mkdumprd created initrd files with world-readable permissions. A local
    user could possibly use this flaw to gain access to sensitive
    information, such as the private SSH key used to authenticate to a
    remote server when kdump was configured to dump to an SSH target.
    (CVE-2011-3589)
    
    mkdumprd included unneeded sensitive files (such as all files from the
    '/root/.ssh/' directory and the host's private SSH keys) in the
    resulting initrd. This could lead to an information leak when initrd
    files were previously created with world-readable permissions. Note:
    With this update, only the SSH client configuration, known hosts
    files, and the SSH key configured via the newly introduced sshkey
    option in '/etc/kdump.conf' are included in the initrd. The default is
    the key generated when running the 'service kdump propagate' command,
    '/root/.ssh/kdump_id_rsa'. (CVE-2011-3590)
    
    Red Hat would like to thank Kevan Carstensen for reporting these
    issues.
    
    This update also fixes several bugs and adds various enhancements.
    Space precludes documenting all of these changes in this advisory.
    Documentation for these bug fixes and enhancements will be available
    shortly from the Technical Notes document, linked to in the References
    section.
    
    All kexec-tools users should upgrade to this updated package, which
    contains backported patches to resolve these issues and add these
    enhancements."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2011-3588"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2011-3589"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2011-3590"
      );
      # https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?056c0c27"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2011:1532"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected kexec-tools and / or kexec-tools-debuginfo
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:C/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kexec-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kexec-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/12/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2011:1532";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"kexec-tools-2.0.0-209.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"kexec-tools-2.0.0-209.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kexec-tools-2.0.0-209.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"kexec-tools-debuginfo-2.0.0-209.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"kexec-tools-debuginfo-2.0.0-209.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kexec-tools-debuginfo-2.0.0-209.el6")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kexec-tools / kexec-tools-debuginfo");
      }
    }
    
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2012-0152.NASL
    description: From Red Hat Security Advisory 2012:0152 : An updated kexec-tools package that resolves three security issues, fixes several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kexec-tools package contains the /sbin/kexec binary and utilities that together form the user-space component of the kernel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 68470
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/68470
    title: Oracle Linux 5 : kexec-tools (ELSA-2012-0152)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2012-0152.NASL
    description: An updated kexec-tools package that resolves three security issues, fixes several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kexec-tools package contains the /sbin/kexec binary and utilities that together form the user-space component of the kernel
    last seen: 2020-04-16
    modified: 2012-02-21
    plugin id: 58053
    published: 2012-02-21
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/58053
    title: RHEL 5 : kexec-tools (RHSA-2012:0152)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20120221_KEXEC_TOOLS_ON_SL5_X.NASL
    description: The kexec-tools package contains the /sbin/kexec binary and utilities that together form the user-space component of the kernel
    last seen: 2020-03-18
    modified: 2012-08-01
    plugin id: 61265
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/61265
    title: Scientific Linux Security Update : kexec-tools on SL5.x i386/x86_64 (20120221)

Redhat

advisories
  • rhsa
    id: RHSA-2011:1532
  • rhsa
    id: RHSA-2012:0152
rpms
  • kexec-tools-0:2.0.0-209.el6
  • kexec-tools-debuginfo-0:2.0.0-209.el6
  • kexec-tools-0:1.102pre-154.el5
  • kexec-tools-debuginfo-0:1.102pre-154.el5

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 50415 CVE ID: CVE-2011-3589 Linux is a free computer operating system kernel. The mkdumprd tool on Linux systems has a local information disclosure vulnerability in its implementation; a local attacker can exploit it to obtain sensitive information. Linux kernel 3.x Linux kernel 2.6.x RedHat Enterprise Linux Workstation 6 RedHat Enterprise Linux Server 6 RedHat Enterprise Linux HPC Node 6 RedHat Enterprise Linux Desktop 6 Vendor patch: Linux ----- The vendor has released an upgrade patch to fix this security issue; download it from the vendor's homepage: http://www.kernel.org/
id: SSV:26026
last seen: 2017-11-19
modified: 2011-12-08
published: 2011-12-08
reporter: Root
title: Linux kexec-tools mkdumprd tool information disclosure vulnerability