Vulnerabilities > CVE-2012-2744 - Unspecified vulnerability in Linux Kernel
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN linux
nessus
Summary
net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel before 2.6.34, when the nf_conntrack_ipv6 module is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets.
Vulnerable Configurations
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2012-1114.NASL description Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 6.0 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * A NULL pointer dereference flaw was found in the nf_ct_frag6_reasm() function in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 64049 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/64049 title RHEL 6 : kernel (RHSA-2012:1114) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2012:1114. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(64049); script_version("1.18"); script_cvs_date("Date: 2019/10/24 15:35:35"); script_cve_id("CVE-2012-2744"); script_bugtraq_id(54367); script_xref(name:"RHSA", value:"2012:1114"); script_name(english:"RHEL 6 : kernel (RHSA-2012:1114)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 6.0 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * A NULL pointer dereference flaw was found in the nf_ct_frag6_reasm() function in the Linux kernel's netfilter IPv6 connection tracking implementation. A remote attacker could use this flaw to send specially crafted packets to a target system that is using IPv6 and also has the nf_conntrack_ipv6 kernel module loaded, causing it to crash. (CVE-2012-2744, Important) Red Hat would like to thank an anonymous contributor working with the Beyond Security SecuriTeam Secure Disclosure program for reporting this issue. Users should upgrade to these updated packages, which contain a backported patch to resolve this issue. The system must be rebooted for this update to take effect." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2012-2744" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2012:1114" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-firmware"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/08/09"); script_set_attribute(attribute:"patch_publication_date", value:"2012/07/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/24"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^6\.0([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.0", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2012-2744"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2012:1114"); } else { __rpm_report = ksplice_reporting_text(); } } yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2012:1114"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL6", sp:"0", cpu:"i686", reference:"kernel-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"s390x", reference:"kernel-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"x86_64", reference:"kernel-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"i686", reference:"kernel-debug-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"s390x", reference:"kernel-debug-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"x86_64", reference:"kernel-debug-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"i686", reference:"kernel-debug-debuginfo-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"s390x", reference:"kernel-debug-debuginfo-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"x86_64", reference:"kernel-debug-debuginfo-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"i686", reference:"kernel-debug-devel-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"s390x", reference:"kernel-debug-devel-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"x86_64", reference:"kernel-debug-devel-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"i686", reference:"kernel-debuginfo-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"s390x", reference:"kernel-debuginfo-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"x86_64", reference:"kernel-debuginfo-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"i686", reference:"kernel-debuginfo-common-i686-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"s390x", reference:"kernel-debuginfo-common-s390x-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"i686", reference:"kernel-devel-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"s390x", reference:"kernel-devel-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"x86_64", reference:"kernel-devel-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", reference:"kernel-doc-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", reference:"kernel-firmware-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"i686", reference:"kernel-headers-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"s390x", reference:"kernel-headers-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"x86_64", reference:"kernel-headers-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"s390x", reference:"kernel-kdump-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"s390x", reference:"kernel-kdump-debuginfo-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", cpu:"s390x", reference:"kernel-kdump-devel-2.6.32-71.40.1.el6")) flag++; if (rpm_check(release:"RHEL6", sp:"0", reference:"perf-2.6.32-71.40.1.el6")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-debug / kernel-debug-debuginfo / kernel-debug-devel / etc"); } }
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2012-1064.NASL description Updated kernel packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A NULL pointer dereference flaw was found in the nf_ct_frag6_reasm() function in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 59947 published 2012-07-11 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59947 title RHEL 6 : kernel (RHSA-2012:1064) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1635.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.(CVE-2018-20836)The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat.(CVE-2019-11190)The Siemens R3964 line discipline driver in drivers/tty_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.(CVE-2019-11486)The Linux kernel before 5.1-rc5 allows page-i1/4z_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests.(CVE-2019-11487)The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c.(CVE-2019-11599)A n issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free.(CVE-2019-11810)In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to CVE-2013-4343.(CVE-2018-7191)net/ipv6etfilterf_conntrac k_reasm.c in the Linux kernel before 2.6.34, when the nf_conntrack_ipv6 module is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets.(CVE-2012-2744)Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel before 3.4.5 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.(CVE-2012-3400)The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.(CVE-2013-2164)The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.(CVE-2013-6282)The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic.(CVE-2013-2206)A elevation of privilege vulnerability in the Broadcom wi-fi driver. Product: Android. Versions: Android kernel. Android ID: A-37351060. References: B-V2017060101.(CVE-2017-0786)An issue was discovered in the Linux kernel before 5.0.4. There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c.(CVE-2019-11811)Not e1: kernel-4.19.36-vhulk1907.1.0.h529 and earlier versions in EulerOS Virtualization for ARM 64 3.0.2.0 return incorrect time information when executing the uname -a command.Note2: The kernel version number naming format has been changed after 4.19.36-1.2.184.aarch64, the new version format is 4.19.36-vhulk1907.1.0.hxxx.aarch64, which may lead to false positives of this security advisory. Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-13 modified 2019-05-30 plugin id 125587 published 2019-05-30 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125587 title EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1635) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2012-1064.NASL description From Red Hat Security Advisory 2012:1064 : Updated kernel packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A NULL pointer dereference flaw was found in the nf_ct_frag6_reasm() function in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 68575 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68575 title Oracle Linux 6 : kernel (ELSA-2012-1064) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2012-1148.NASL description Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 6.1 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * A NULL pointer dereference flaw was found in the nf_ct_frag6_reasm() function in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 64051 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/64051 title RHEL 6 : kernel (RHSA-2012:1148) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2012-1129.NASL description Updated kernel packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6.2 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A NULL pointer dereference flaw was found in the nf_ct_frag6_reasm() function in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 64050 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/64050 title RHEL 6 : kernel (RHSA-2012:1129) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-8325.NASL description This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel. The following security issues have been fixed : - kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password (a side channel attack). (CVE-2011-2494) - net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets. (CVE-2012-2744) - Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command. (CVE-2012-3510) - The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key. (CVE-2011-4110) - The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. (CVE-2011-1044) - Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem. (CVE-2012-3400) - The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. (CVE-2012-2136) - A small denial of service leak in dropping syn+fin messages was fixed. (CVE-2012-2663) The following non-security issues have been fixed : Packaging : - kbuild: Fix gcc -x syntax (bnc#773831). NFS : - knfsd: An assortment of little fixes to the sunrpc cache code. (bnc#767766) - knfsd: Unexport cache_fresh and fix a small race. (bnc#767766) - knfsd: nfsd: do not drop silently on upcall deferral. (bnc#767766) - knfsd: svcrpc: remove another silent drop from deferral code. (bnc#767766) - sunrpc/cache: simplify cache_fresh_locked and cache_fresh_unlocked. (bnc#767766) - sunrpc/cache: recheck cache validity after cache_defer_req. (bnc#767766) - sunrpc/cache: use list_del_init for the list_head entries in cache_deferred_req. (bnc#767766) - sunrpc/cache: avoid variable over-loading in cache_defer_req. (bnc#767766) - sunrpc/cache: allow thread to block while waiting for cache update. (bnc#767766) - sunrpc/cache: Fix race in sunrpc/cache introduced by patch to allow thread to block while waiting for cache update. (bnc#767766) - sunrpc/cache: Another fix for race problem with sunrpc cache deferal. (bnc#767766) - knfsd: nfsd: make all exp_finding functions return -errnos on err. (bnc#767766) - Fix kabi breakage in previous nfsd patch series. (bnc#767766) - nfsd: Work around incorrect return type for wait_for_completion_interruptible_timeout. (bnc#767766) - nfs: Fix a potential file corruption issue when writing. (bnc#773272) - nfs: Allow sync writes to be multiple pages. (bnc#763526) - nfs: fix reference counting for NFSv4 callback thread. (bnc#767504) - nfs: flush signals before taking down callback thread. (bnc#767504) - nfsv4: Ensure nfs_callback_down() calls svc_destroy() (bnc#767504). SCSI : - SCSI/ch: Check NULL for kmalloc() return. (bnc#783058) - drivers/scsi/aic94xx/aic94xx_init.c: correct the size argument to kmalloc. (bnc#783058) - block: fail SCSI passthrough ioctls on partition devices. (bnc#738400) - dm: do not forward ioctls from logical volumes to the underlying device. (bnc#738400) - vmware: Fix VMware hypervisor detection (bnc#777575, bnc#770507). S/390 : - lgr: Make lgr_page static (bnc#772409,LTC#83520). - zfcp: Fix oops in _blk_add_trace() (bnc#772409,LTC#83510). - kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203). - be2net: Fix EEH error reset before a flash dump completes. (bnc#755546) - mptfusion: fix msgContext in mptctl_hp_hostinfo. (bnc#767939) - PCI: Fix bus resource assignment on 32 bits with 64b resources. . (bnc#762581) - PCI: fix up setup-bus.c #ifdef. (bnc#762581) - x86: powernow-k8: Fix indexing issue. (bnc#758985) - net: Fix race condition about network device name allocation. (bnc#747576) XEN : - smpboot: adjust ordering of operations. - xen/x86-64: provide a memset() that can deal with 4Gb or above at a time. (bnc#738528) - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53. (bnc#760974) - xen/gntdev: fix multi-page slot allocation. (bnc#760974) last seen 2020-06-05 modified 2012-10-24 plugin id 62676 published 2012-10-24 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/62676 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 8325) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-8324.NASL description This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel. The following security issues have been fixed : - kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password (a side channel attack). (CVE-2011-2494) - net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets. (CVE-2012-2744) - Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command. (CVE-2012-3510) - The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key. (CVE-2011-4110) - The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. (CVE-2011-1044) - Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem. (CVE-2012-3400) - The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. (CVE-2012-2136) - A small denial of service leak in dropping syn+fin messages was fixed. (CVE-2012-2663) The following non-security issues have been fixed : Packaging : - kbuild: Fix gcc -x syntax (bnc#773831). NFS : - knfsd: An assortment of little fixes to the sunrpc cache code. (bnc#767766) - knfsd: Unexport cache_fresh and fix a small race. (bnc#767766) - knfsd: nfsd: do not drop silently on upcall deferral. (bnc#767766) - knfsd: svcrpc: remove another silent drop from deferral code. (bnc#767766) - sunrpc/cache: simplify cache_fresh_locked and cache_fresh_unlocked. (bnc#767766) - sunrpc/cache: recheck cache validity after cache_defer_req. (bnc#767766) - sunrpc/cache: use list_del_init for the list_head entries in cache_deferred_req. (bnc#767766) - sunrpc/cache: avoid variable over-loading in cache_defer_req. (bnc#767766) - sunrpc/cache: allow thread to block while waiting for cache update. (bnc#767766) - sunrpc/cache: Fix race in sunrpc/cache introduced by patch to allow thread to block while waiting for cache update. (bnc#767766) - sunrpc/cache: Another fix for race problem with sunrpc cache deferal. (bnc#767766) - knfsd: nfsd: make all exp_finding functions return -errnos on err. (bnc#767766) - Fix kabi breakage in previous nfsd patch series. (bnc#767766) - nfsd: Work around incorrect return type for wait_for_completion_interruptible_timeout. (bnc#767766) - nfs: Fix a potential file corruption issue when writing. (bnc#773272) - nfs: Allow sync writes to be multiple pages. (bnc#763526) - nfs: fix reference counting for NFSv4 callback thread. (bnc#767504) - nfs: flush signals before taking down callback thread. (bnc#767504) - nfsv4: Ensure nfs_callback_down() calls svc_destroy() (bnc#767504). SCSI : - SCSI/ch: Check NULL for kmalloc() return. (bnc#783058) - drivers/scsi/aic94xx/aic94xx_init.c: correct the size argument to kmalloc. (bnc#783058) - block: fail SCSI passthrough ioctls on partition devices. (bnc#738400) - dm: do not forward ioctls from logical volumes to the underlying device. (bnc#738400) - vmware: Fix VMware hypervisor detection (bnc#777575, bnc#770507). S/390 : - lgr: Make lgr_page static (bnc#772409,LTC#83520). - zfcp: Fix oops in _blk_add_trace() (bnc#772409,LTC#83510). - kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203). - be2net: Fix EEH error reset before a flash dump completes. (bnc#755546) - mptfusion: fix msgContext in mptctl_hp_hostinfo. (bnc#767939) - PCI: Fix bus resource assignment on 32 bits with 64b resources. . (bnc#762581) - PCI: fix up setup-bus.c #ifdef. (bnc#762581) - x86: powernow-k8: Fix indexing issue. (bnc#758985) - net: Fix race condition about network device name allocation. (bnc#747576) XEN : - smpboot: adjust ordering of operations. - xen/x86-64: provide a memset() that can deal with 4Gb or above at a time. (bnc#738528) - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53. (bnc#760974) - xen/gntdev: fix multi-page slot allocation. (bnc#760974) last seen 2020-06-05 modified 2012-10-24 plugin id 62675 published 2012-10-24 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/62675 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 8324) NASL family SuSE Local Security Checks NASL id SUSE_SU-2012-1391-1.NASL description This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel. The following security issues have been fixed : CVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password (a side channel attack). CVE-2012-2744: net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets. CVE-2012-3510: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command. CVE-2011-4110: The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key. CVE-2011-1044: The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. CVE-2012-3400: Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem. CVE-2012-2136: The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. CVE-2012-2663: A small denial of service leak in dropping syn+fin messages was fixed. The following non-security issues have been fixed : Packaging : - kbuild: Fix gcc -x syntax (bnc#773831). NFS : - knfsd: An assortment of little fixes to the sunrpc cache code (bnc#767766). - knfsd: Unexport cache_fresh and fix a small race (bnc#767766). - knfsd: nfsd: do not drop silently on upcall deferral (bnc#767766). - knfsd: svcrpc: remove another silent drop from deferral code (bnc#767766). - sunrpc/cache: simplify cache_fresh_locked and cache_fresh_unlocked (bnc#767766). - sunrpc/cache: recheck cache validity after cache_defer_req (bnc#767766). - sunrpc/cache: use list_del_init for the list_head entries in cache_deferred_req (bnc#767766). - sunrpc/cache: avoid variable over-loading in cache_defer_req (bnc#767766). - sunrpc/cache: allow thread to block while waiting for cache update (bnc#767766). - sunrpc/cache: Fix race in sunrpc/cache introduced by patch to allow thread to block while waiting for cache update (bnc#767766). - sunrpc/cache: Another fix for race problem with sunrpc cache deferal (bnc#767766). - knfsd: nfsd: make all exp_finding functions return -errnos on err (bnc#767766). - Fix kabi breakage in previous nfsd patch series (bnc#767766). - nfsd: Work around incorrect return type for wait_for_completion_interruptible_timeout (bnc#767766). - nfs: Fix a potential file corruption issue when writing (bnc#773272). - nfs: Allow sync writes to be multiple pages (bnc#763526). - nfs: fix reference counting for NFSv4 callback thread (bnc#767504). - nfs: flush signals before taking down callback thread (bnc#767504). - nfsv4: Ensure nfs_callback_down() calls svc_destroy() (bnc#767504). SCSI : - SCSI/ch: Check NULL for kmalloc() return (bnc#783058). drivers/scsi/aic94xx/aic94xx_init.c: correct the size argument to kmalloc (bnc#783058). block: fail SCSI passthrough ioctls on partition devices (bnc#738400). dm: do not forward ioctls from logical volumes to the underlying device (bnc#738400). vmware: Fix VMware hypervisor detection (bnc#777575, bnc#770507). S/390 : - lgr: Make lgr_page static (bnc#772409,LTC#83520). - zfcp: Fix oops in _blk_add_trace() (bnc#772409,LTC#83510). kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203). be2net: Fix EEH error reset before a flash dump completes (bnc#755546). - mptfusion: fix msgContext in mptctl_hp_hostinfo (bnc#767939). - PCI: Fix bus resource assignment on 32 bits with 64b resources. (bnc#762581) - PCI: fix up setup-bus.c #ifdef. (bnc#762581) x86: powernow-k8: Fix indexing issue (bnc#758985). net: Fix race condition about network device name allocation (bnc#747576). XEN : - smpboot: adjust ordering of operations. - xen/x86-64: provide a memset() that can deal with 4Gb or above at a time (bnc#738528). - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53 (bnc#760974). - xen/gntdev: fix multi-page slot allocation (bnc#760974). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-05-20 plugin id 83563 published 2015-05-20 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83563 title SUSE SLED10 / SLES10 Security Update : kernel (SUSE-SU-2012:1391-1) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2012-1064.NASL description Updated kernel packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A NULL pointer dereference flaw was found in the nf_ct_frag6_reasm() function in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 59949 published 2012-07-12 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59949 title CentOS 6 : kernel (CESA-2012:1064) NASL family Scientific Linux Local Security Checks NASL id SL_20120710_KERNEL_ON_SL6_X.NASL description The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : - A NULL pointer dereference flaw was found in the nf_ct_frag6_reasm() function in the Linux kernel last seen 2020-03-18 modified 2012-08-01 plugin id 61361 published 2012-08-01 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61361 title Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20120710) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1507-1.NASL description A flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 59985 published 2012-07-17 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59985 title Ubuntu 8.04 LTS : linux vulnerabilities (USN-1507-1)
Redhat
advisories |
| ||||||||
rpms |
|
Seebug
bulletinFamily | exploit |
description | Bugtraq ID:54367 CVE ID: CVE-2012-2744 Linux是一款开源的操作系统。 Linux内核netfilter IPv6连接跟踪实现中的nf_ct_frag6_reasm()函数存在空指针引用缺陷,远程攻击者利用利用此缺陷向使用Ipv6的,并加载了nf_conntrack_ipv6内核模块的目标系统发送特制报文,可导致系统崩溃。 0 Linux kernel 2.6.x 厂商解决方案 用户可参考如下供应商提供的安全公告获得补丁信息: https://rhn.redhat.com/errata/RHSA-2012-1064.html |
id | SSV:60272 |
last seen | 2017-11-19 |
modified | 2012-07-11 |
published | 2012-07-11 |
reporter | Root |
title | Linux Kernel IPv6 'nf_ct_frag6_reasm()'远程拒绝服务漏洞 |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=833402
- http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.34
- https://github.com/torvalds/linux/commit/9e2dcf72023d1447f09c47d77c99b0c49659e5ce
- http://rhn.redhat.com/errata/RHSA-2012-1148.html
- http://rhn.redhat.com/errata/RHSA-2012-1064.html
- http://secunia.com/advisories/49928
- http://www.securityfocus.com/bid/54367
- http://www.securitytracker.com/id?1027235
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=9e2dcf72023d1447f09c47d77c99b0c49659e5ce