Vulnerabilities > CVE-2011-5321 - Unspecified vulnerability in Linux Kernel
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
The tty_open function in drivers/tty/tty_io.c in the Linux kernel before 3.1.1 mishandles a driver-lookup failure, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted access to a device file under the /dev/pts directory.
Vulnerable Configurations
Nessus
NASL family Scientific Linux Local Security Checks NASL id SL_20150714_KERNEL_ON_SL6_X.NASL description * A NULL pointer dereference flaw was found in the way the Linux kernel last seen 2020-03-18 modified 2015-07-16 plugin id 84790 published 2015-07-16 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84790 title Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20150714) code # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(84790); script_version("2.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/25"); script_cve_id("CVE-2011-5321", "CVE-2015-1593", "CVE-2015-2830", "CVE-2015-2922", "CVE-2015-3636"); script_name(english:"Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20150714)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "* A NULL pointer dereference flaw was found in the way the Linux kernel's virtual console implementation handled reference counting when accessing pseudo-terminal device files (/dev/pts/*). A local, unprivileged attacker could use this flaw to crash the system. (CVE-2011-5321, Moderate) * It was found that the Linux kernel's ping socket implementation did not properly handle socket unhashing during spurious disconnects, which could lead to a use-after-free flaw. On x86-64 architecture systems, a local user able to create ping sockets could use this flaw to crash the system. On non-x86-64 architecture systems, a local user able to create ping sockets could use this flaw to escalate their privileges on the system. (CVE-2015-3636, Moderate) * An integer overflow flaw was found in the way the Linux kernel randomized the stack for processes on certain 64-bit architecture systems, such as x86-64, causing the stack entropy to be reduced by four. (CVE-2015-1593, Low) * A flaw was found in the way the Linux kernel's 32-bit emulation implementation handled forking or closing of a task with an 'int80' entry. A local user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-2830, Low) * It was found that the Linux kernel's TCP/IP protocol suite implementation for IPv6 allowed the Hop Limit value to be set to a smaller value than the default one. An attacker on a local network could use this flaw to prevent systems on that network from sending or receiving network packets. (CVE-2015-2922, Low) For information on the most significant of these changes, users are directed to the following article on the Red Hat Customer Portal : The system must be rebooted for this update to take effect." ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1507&L=scientific-linux-errata&F=&S=&P=7426 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?17313eca" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:dracut"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:dracut-caps"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:dracut-fips"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:dracut-fips-aesni"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:dracut-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:dracut-kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:dracut-network"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:dracut-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-i686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-firmware"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:python-perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/16"); script_set_attribute(attribute:"patch_publication_date", value:"2015/07/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/16"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 6.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL6", reference:"dracut-004-356.el6_6.3")) flag++; if (rpm_check(release:"SL6", reference:"dracut-caps-004-356.el6_6.3")) flag++; if (rpm_check(release:"SL6", reference:"dracut-fips-004-356.el6_6.3")) flag++; if (rpm_check(release:"SL6", reference:"dracut-fips-aesni-004-356.el6_6.3")) flag++; if (rpm_check(release:"SL6", reference:"dracut-generic-004-356.el6_6.3")) flag++; if (rpm_check(release:"SL6", reference:"dracut-kernel-004-356.el6_6.3")) flag++; if (rpm_check(release:"SL6", reference:"dracut-network-004-356.el6_6.3")) flag++; if (rpm_check(release:"SL6", reference:"dracut-tools-004-356.el6_6.3")) flag++; if (rpm_check(release:"SL6", reference:"kernel-2.6.32-504.30.3.el6")) flag++; if (rpm_check(release:"SL6", reference:"kernel-abi-whitelists-2.6.32-504.30.3.el6")) flag++; if (rpm_check(release:"SL6", reference:"kernel-debug-2.6.32-504.30.3.el6")) flag++; if (rpm_check(release:"SL6", reference:"kernel-debug-debuginfo-2.6.32-504.30.3.el6")) flag++; if (rpm_check(release:"SL6", reference:"kernel-debug-devel-2.6.32-504.30.3.el6")) flag++; if (rpm_check(release:"SL6", reference:"kernel-debuginfo-2.6.32-504.30.3.el6")) flag++; if (rpm_check(release:"SL6", cpu:"i386", reference:"kernel-debuginfo-common-i686-2.6.32-504.30.3.el6")) flag++; if (rpm_check(release:"SL6", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-2.6.32-504.30.3.el6")) flag++; if (rpm_check(release:"SL6", reference:"kernel-devel-2.6.32-504.30.3.el6")) flag++; if (rpm_check(release:"SL6", reference:"kernel-doc-2.6.32-504.30.3.el6")) flag++; if (rpm_check(release:"SL6", reference:"kernel-firmware-2.6.32-504.30.3.el6")) flag++; if (rpm_check(release:"SL6", reference:"kernel-headers-2.6.32-504.30.3.el6")) flag++; if (rpm_check(release:"SL6", reference:"perf-2.6.32-504.30.3.el6")) flag++; if (rpm_check(release:"SL6", reference:"perf-debuginfo-2.6.32-504.30.3.el6")) flag++; if (rpm_check(release:"SL6", reference:"python-perf-2.6.32-504.30.3.el6")) flag++; if (rpm_check(release:"SL6", reference:"python-perf-debuginfo-2.6.32-504.30.3.el6")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "dracut / dracut-caps / dracut-fips / dracut-fips-aesni / etc"); }
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-1272.NASL description The remote Oracle Linux host is missing a security update for one or more kernel-related packages. last seen 2020-06-01 modified 2020-06-02 plugin id 85097 published 2015-07-30 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/85097 title Oracle Linux 6 : kernel (ELSA-2015-1272) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Oracle Linux Security Advisory ELSA-2015-1272. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(85097); script_version("2.3"); script_cvs_date("Date: 2018/09/17 21:46:53"); script_cve_id( "CVE-2011-5321", "CVE-2012-6657", "CVE-2014-3184", "CVE-2014-3185", "CVE-2014-3215", "CVE-2014-3610", "CVE-2014-3611", "CVE-2014-3645", "CVE-2014-3646", "CVE-2014-3673", "CVE-2014-3687", "CVE-2014-3688", "CVE-2014-3690", "CVE-2014-3940", "CVE-2014-4652", "CVE-2014-4656", "CVE-2014-5471", "CVE-2014-5472", "CVE-2014-6410", "CVE-2014-7822", "CVE-2014-7825", "CVE-2014-7826", "CVE-2014-7841", "CVE-2014-8133", "CVE-2014-8159", "CVE-2014-8369", "CVE-2014-8709", "CVE-2014-8884", "CVE-2014-9322", "CVE-2014-9419", "CVE-2014-9420", "CVE-2014-9529", "CVE-2014-9584", "CVE-2014-9585", "CVE-2014-9683", "CVE-2015-0239", "CVE-2015-1593", "CVE-2015-1805", "CVE-2015-2830", "CVE-2015-2922", "CVE-2015-3331", "CVE-2015-3339", "CVE-2015-3636" ); script_name(english:"Oracle Linux 6 : kernel (ELSA-2015-1272)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote Oracle Linux host is missing one or more security updates."); script_set_attribute(attribute:"description", value: "The remote Oracle Linux host is missing a security update for one or more kernel-related packages."); script_set_attribute(attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2015-July/005242.html"); script_set_attribute(attribute:"solution", value:"Update the affected kernel packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-abi-whitelists"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-firmware"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python-perf"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); flag = 0; if (rpm_check(release:"EL6", reference:"kernel-2.6.32-573.el6")) flag++; if (rpm_check(release:"EL6", reference:"kernel-abi-whitelists-2.6.32-573.el6")) flag++; if (rpm_check(release:"EL6", reference:"kernel-debug-2.6.32-573.el6")) flag++; if (rpm_check(release:"EL6", reference:"kernel-debug-devel-2.6.32-573.el6")) flag++; if (rpm_check(release:"EL6", reference:"kernel-devel-2.6.32-573.el6")) flag++; if (rpm_check(release:"EL6", reference:"kernel-doc-2.6.32-573.el6")) flag++; if (rpm_check(release:"EL6", reference:"kernel-firmware-2.6.32-573.el6")) flag++; if (rpm_check(release:"EL6", reference:"kernel-headers-2.6.32-573.el6")) flag++; if (rpm_check(release:"EL6", reference:"perf-2.6.32-573.el6")) flag++; if (rpm_check(release:"EL6", reference:"python-perf-2.6.32-573.el6")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1221.NASL description Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A NULL pointer dereference flaw was found in the way the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 84758 published 2015-07-15 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84758 title RHEL 6 : kernel (RHSA-2015:1221) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-246.NASL description The linux-2.6 update issued as DLA-246-1 caused regressions. This update corrects the defective patches applied in that update causing these problems. For reference the original advisory text follows. This update fixes the CVEs described below. CVE-2011-5321 Jiri Slaby discovered that tty_driver_lookup_tty() may leak a reference to the tty driver. A local user could use this flaw to crash the system. CVE-2012-6689 Pablo Neira Ayuso discovered that non-root user-space processes can send forged Netlink notifications to other processes. A local user could use this flaw for denial of service or privilege escalation. CVE-2014-3184 Ben Hawkes discovered that various HID drivers may over-read the report descriptor buffer, possibly resulting in a crash if a HID with a crafted descriptor is plugged in. CVE-2014-8159 It was found that the Linux kernel last seen 2020-03-17 modified 2015-06-18 plugin id 84252 published 2015-06-18 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84252 title Debian DLA-246-2 : linux-2.6 regression update NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2015-1221.NASL description Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A NULL pointer dereference flaw was found in the way the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 84769 published 2015-07-16 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84769 title CentOS 6 : kernel (CESA-2015:1221) NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL21632201.NASL description The tty_open function in drivers/tty/tty_io.c in the Linux kernel before 3.1.1 mishandles a driver-lookup failure, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted access to a device file under the /dev/pts directory. (CVE-2011-5321) Impact A local, unprivileged user may exploit this vulnerability and create a situation where the system stops responding. In the default configuration, only an administrator user has advanced shell access. If a non-administrator user is given advanced shell access in a non-default configuration, then the possibility of privilege escalation increases the exposure of this vulnerability. last seen 2020-06-01 modified 2020-06-02 plugin id 90455 published 2016-04-13 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90455 title F5 Networks BIG-IP : Linux kernel vulnerability (K21632201) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-1221.NASL description From Red Hat Security Advisory 2015:1221 : Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A NULL pointer dereference flaw was found in the way the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 84757 published 2015-07-15 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84757 title Oracle Linux 6 : kernel (ELSA-2015-1221)
Redhat
advisories |
| ||||
rpms |
|
References
- https://github.com/torvalds/linux/commit/c290f8358acaeffd8e0c551ddcc24d1206143376
- http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.1.1
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c290f8358acaeffd8e0c551ddcc24d1206143376
- http://www.openwall.com/lists/oss-security/2015/03/13/17
- https://bugzilla.redhat.com/show_bug.cgi?id=1201887
- http://rhn.redhat.com/errata/RHSA-2015-1221.html