Vulnerabilities > CVE-2013-2148 - Resource Management Errors vulnerability in Linux Kernel
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c in the Linux kernel through 3.9.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a read operation on the fanotify descriptor.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2013-10695.NASL description Update to the latest upstream stable release, Linux v3.9.5 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-07-12 plugin id 67285 published 2013-07-12 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/67285 title Fedora 18 : kernel-3.9.5-201.fc18 (2013-10695) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2745.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2013-1059 Chanam Park reported an issue in the Ceph distributed storage system. Remote users can cause a denial of service by sending a specially crafted auth_reply message. - CVE-2013-2148 Dan Carpenter reported an information leak in the filesystem wide access notification subsystem (fanotify). Local users could gain access to sensitive kernel memory. - CVE-2013-2164 Jonathan Salwan reported an information leak in the CD-ROM driver. A local user on a system with a malfunctioning CD-ROM drive could gain access to sensitive memory. - CVE-2013-2232 Dave Jones and Hannes Frederic Sowa resolved an issue in the IPv6 subsystem. Local users could cause a denial of service by using an AF_INET6 socket to connect to an IPv4 destination. - CVE-2013-2234 Mathias Krause reported a memory leak in the implementation of PF_KEYv2 sockets. Local users could gain access to sensitive kernel memory. - CVE-2013-2237 Nicolas Dichtel reported a memory leak in the implementation of PF_KEYv2 sockets. Local users could gain access to sensitive kernel memory. - CVE-2013-2851 Kees Cook reported an issue in the block subsystem. Local users with uid 0 could gain elevated ring 0 privileges. This is only a security issue for certain specially configured systems. - CVE-2013-2852 Kees Cook reported an issue in the b43 network driver for certain Broadcom wireless devices. Local users with uid 0 could gain elevated ring 0 privileges. This is only a security issue for certain specially configured systems. - CVE-2013-4162 Hannes Frederic Sowa reported an issue in the IPv6 networking subsystem. Local users can cause a denial of service (system crash). - CVE-2013-4163 Dave Jones reported an issue in the IPv6 networking subsystem. Local users can cause a denial of service (system crash). This update also includes a fix for a regression in the Xen subsystem. last seen 2020-03-17 modified 2013-08-30 plugin id 69505 published 2013-08-30 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69505 title Debian DSA-2745-1 : linux - privilege escalation/denial of service/information leak NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2013-194.NASL description Multiple vulnerabilities has been found and corrected in the Linux kernel : net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation. (CVE-2013-1059) The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel through 3.9.4 do not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c. (CVE-2013-2147) The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c in the Linux kernel through 3.9.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a read operation on the fanotify descriptor. (CVE-2013-2148) Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name. (CVE-2013-2851) The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. (CVE-2013-2164) The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (CVE-2013-2237) The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. (CVE-2013-2234) The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. (CVE-2013-2232) The online_pages function in mm/memory_hotplug.c in the Linux kernel before 3.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact in opportunistic circumstances by using memory that was hot-added by an administrator. (CVE-2012-5517) Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message. (CVE-2013-2852) The ftrace implementation in the Linux kernel before 3.8.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for write access to the (1) set_ftrace_pid or (2) set_graph_function file, and then making an lseek system call. (CVE-2013-3301) The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. NOTE: some of these details are obtained from third-party information. (CVE-2013-0231) The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter. (CVE-2013-1774) Heap-based buffer overflow in the iscsi_add_notunderstood_response function in drivers/target/iscsi/iscsi_target_parameters.c in the iSCSI target subsystem in the Linux kernel through 3.9.4 allows remote attackers to cause a denial of service (memory corruption and OOPS) or possibly execute arbitrary code via a long key that is not properly handled during construction of an error-response packet. (CVE-2013-2850) The updated packages provides a solution for these security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 67254 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/67254 title Mandriva Linux Security Advisory : kernel (MDVSA-2013:194) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-1264.NASL description Updated kernel-rt packages that fix several security issues and multiple bugs are now available for Red Hat Enterprise MRG 2.3. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A heap-based buffer overflow flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 76665 published 2014-07-22 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76665 title RHEL 6 : MRG (RHSA-2013:1264) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1931-1.NASL description Chanam Park reported a NULL pointer flaw in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 69416 published 2013-08-21 reporter Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69416 title Ubuntu 12.04 LTS : linux-lts-quantal vulnerabilities (USN-1931-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2014-3002.NASL description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s). last seen 2020-06-01 modified 2020-06-02 plugin id 72472 published 2014-02-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/72472 title Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2014-3002) NASL family Fedora Local Security Checks NASL id FEDORA_2013-9123.NASL description Rebase to 3.9.8 now that 3.8 is no longer maintained. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-07-12 plugin id 67351 published 2013-07-12 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/67351 title Fedora 17 : kernel-3.9.8-100.fc17 (2013-9123) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0057.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 99163 published 2017-04-03 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99163 title OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-130828.NASL description The SUSE Linux Enterprise 11 Service Pack 3 kernel has been updated to version 3.0.93 and to fix various bugs and security issues. The following features have been added : - NFS: Now supports a last seen 2020-06-05 modified 2013-09-21 plugin id 70040 published 2013-09-21 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/70040 title SuSE 11.3 Security Update : Linux kernel (SAT Patch Numbers 8269 / 8270 / 8283) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1929-1.NASL description An information leak was discovered in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 69415 published 2013-08-21 reporter Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69415 title Ubuntu 12.04 LTS : linux vulnerability (USN-1929-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-813.NASL description The Linux kernel was updated to 3.4.63, fixing various bugs and security issues. - Linux 3.4.59 (CVE-2013-2237 bnc#828119). - Linux 3.4.57 (CVE-2013-2148 bnc#823517). - Linux 3.4.55 (CVE-2013-2232 CVE-2013-2234 CVE-2013-4162 CVE-2013-4163 bnc#827749 bnc#827750 bnc#831055 bnc#831058). - Drivers: hv: util: Fix a bug in util version negotiation code (bnc#838346). - vmxnet3: prevent div-by-zero panic when ring resizing uninitialized dev (bnc#833321). - bnx2x: protect different statistics flows (bnc#814336). - bnx2x: Avoid sending multiple statistics queries (bnc#814336). - Drivers: hv: util: Fix a bug in version negotiation code for util services (bnc#828714). - Update Xen patches to 3.4.53. - netfront: fix kABI after last seen 2020-06-05 modified 2014-06-13 plugin id 75184 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75184 title openSUSE Security Update : kernel (openSUSE-SU-2013:1619-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1932-1.NASL description Chanam Park reported a NULL pointer flaw in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 69417 published 2013-08-21 reporter Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69417 title Ubuntu 12.10 : linux vulnerabilities (USN-1932-1) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-130827.NASL description The SUSE Linux Enterprise 11 Service Pack 2 kernel has been updated to version 3.0.93 and includes various bug and security fixes. The following security bugs have been fixed : - The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel memory via a read operation on the fanotify descriptor. (CVE-2013-2148) - The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (CVE-2013-2237) - The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel allowed local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. (CVE-2013-2232) - The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel did not initialize certain structure members, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. (CVE-2013-2234) - The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel made an incorrect function call for pending data, which allowed local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (CVE-2013-4162) - net/ceph/auth_none.c in the Linux kernel allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation. (CVE-2013-1059) - The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. (CVE-2013-2164) - Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel allowed local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name. (CVE-2013-2851) - The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6 implementation in the Linux kernel did not properly maintain information about whether the IPV6_MTU setsockopt option had been specified, which allowed local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (CVE-2013-4163) - Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure. (CVE-2013-1929) - The _xfs_buf_find function in fs/xfs/xfs_buf.c in the Linux kernel did not validate block numbers, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the ability to mount an XFS filesystem containing a metadata inode with an invalid extent map. (CVE-2013-1819) - The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter. (CVE-2013-1774) Also the following bugs have been fixed : BTRFS : - btrfs: merge contiguous regions when loading free space cache - btrfs: fix how we deal with the orphan block rsv - btrfs: fix wrong check during log recovery - btrfs: change how we indicate we are adding csums - btrfs: flush delayed inodes if we are short on space. (bnc#801427) - btrfs: rework shrink_delalloc. (bnc#801427) - btrfs: fix our overcommit math. (bnc#801427) - btrfs: delay block group item insertion. (bnc#801427) - btrfs: remove bytes argument from do_chunk_alloc. (bnc#801427) - btrfs: run delayed refs first when out of space. (bnc#801427) - btrfs: do not commit instead of overcommitting. (bnc#801427) - btrfs: do not take inode delalloc mutex if we are a free space inode. (bnc#801427) - btrfs: fix chunk allocation error handling. (bnc#801427) - btrfs: remove extent mapping if we fail to add chunk. (bnc#801427) - btrfs: do not overcommit if we do not have enough space for global rsv. (bnc#801427) - btrfs: rework the overcommit logic to be based on the total size. (bnc#801427) - btrfs: steal from global reserve if we are cleaning up orphans. (bnc#801427) - btrfs: clear chunk_alloc flag on retryable failure. (bnc#801427) - btrfs: use reserved space for creating a snapshot. (bnc#801427) - btrfs: cleanup to make the function btrfs_delalloc_reserve_metadata more logic. (bnc#801427) - btrfs: fix space leak when we fail to reserve metadata space. (bnc#801427) - btrfs: fix space accounting for unlink and rename. (bnc#801427) - btrfs: allocate new chunks if the space is not enough for global rsv. (bnc#801427) - btrfs: various abort cleanups. (bnc#812526 / bnc#801427) - btrfs: simplify unlink reservations (bnc#801427). OTHER : - x86: Add workaround to NMI iret woes. (bnc#831949) - x86: Do not schedule while still in NMI context. (bnc#831949) - bnx2x: Avoid sending multiple statistics queries. (bnc#814336) - bnx2x: protect different statistics flows. (bnc#814336) - futex: Take hugepages into account when generating futex_key. - drivers/hv: util: Fix a bug in version negotiation code for util services. (bnc#828714) - printk: Add NMI ringbuffer. (bnc#831949) - printk: extract ringbuffer handling from vprintk. (bnc#831949) - printk: NMI safe printk. (bnc#831949) - printk: Make NMI ringbuffer size independent on log_buf_len. (bnc#831949) - printk: Do not call console_unlock from nmi context. (bnc#831949) - printk: Do not use printk_cpu from finish_printk. (bnc#831949) - mlx4_en: Adding 40gb speed report for ethtool. (bnc#831410) - reiserfs: Fixed double unlock in reiserfs_setattr failure path. - reiserfs: delay reiserfs lock until journal initialization. (bnc#815320) - reiserfs: do not lock journal_init(). (bnc#815320) - reiserfs: locking, handle nested locks properly. (bnc#815320) - reiserfs: locking, push write lock out of xattr code. (bnc#815320) - reiserfs: locking, release lock around quota operations. (bnc#815320) - NFS: support last seen 2020-06-05 modified 2013-09-21 plugin id 70039 published 2013-09-21 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/70039 title SuSE 11.2 Security Update : Linux kernel (SAT Patch Numbers 8263 / 8265 / 8273) NASL family Fedora Local Security Checks NASL id FEDORA_2013-10689.NASL description Update to latest upstream stable release, Linux v3.9.5. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-07-12 plugin id 67284 published 2013-07-12 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67284 title Fedora 19 : kernel-3.9.5-301.fc19 (2013-10689) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1936-1.NASL description Chanam Park reported a NULL pointer flaw in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 69419 published 2013-08-21 reporter Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69419 title Ubuntu 12.04 LTS : linux-lts-raring vulnerabilities (USN-1936-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-1034.NASL description The Linux Kernel was updated to fix various security issues and bugs. - sctp: Use correct sideffect command in duplicate cookie handling (bnc#826102, CVE-2013-2206). - Drivers: hv: util: Fix a bug in util version negotiation code (bnc#838346). - vmxnet3: prevent div-by-zero panic when ring resizing uninitialized dev (bnc#833321). - md/raid1,5,10: Disable WRITE SAME until a recovery strategy is in place (bnc#813889). - netback: don last seen 2020-06-05 modified 2014-06-13 plugin id 74878 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74878 title openSUSE Security Update : kernel (openSUSE-SU-2013:1971-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1935-1.NASL description Chanam Park reported a NULL pointer flaw in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 69418 published 2013-08-21 reporter Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69418 title Ubuntu 13.04 : linux vulnerabilities (USN-1935-1)
Redhat
| rpms |
|
References
- http://lkml.org/lkml/2013/6/3/128
- http://www.openwall.com/lists/oss-security/2013/06/05/26
- https://bugzilla.redhat.com/show_bug.cgi?id=971258
- http://www.ubuntu.com/usn/USN-1930-1
- http://www.ubuntu.com/usn/USN-1929-1
- http://lists.opensuse.org/opensuse-security-announce/2013-09/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2013-09/msg00004.html
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00129.html