Vulnerabilities > CVE-2014-0069 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer.

Vulnerable Configurations

Part Description Count
OS
Linux
5186
OS
Suse
4
OS
Redhat
6

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2014-124.NASL
    descriptionMultiple vulnerabilities has been found and corrected in the Linux kernel : kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number (CVE-2014-3917). The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification (CVE-2014-3153). Race condition in the ath_tx_aggr_sleep function in drivers/net/wireless/ath/ath9k/xmit.c in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via a large amount of network traffic that triggers certain list deletions (CVE-2014-2672). The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length value is sufficiently large, which allows local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr and __skb_get_nlattr_nest functions before the vulnerability was announced (CVE-2014-3144). The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 uses the reverse order in a certain subtraction, which allows local users to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced (CVE-2014-3145). Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter (CVE-2014-2851). The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the LECHO !OPOST case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings (CVE-2014-0196). The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device (CVE-2014-1738). The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device (CVE-2014-1737). The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel through 3.14 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports (CVE-2014-2678). drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions (CVE-2014-0077). The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets (CVE-2014-2309). Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device (CVE-2013-2897). net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function (CVE-2014-2523). Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c (CVE-2014-2706). The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk (CVE-2014-0101). The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer (CVE-2014-0069). arch/s390/kernel/head64.S in the Linux kernel before 3.13.5 on the s390 platform does not properly handle attempted use of the linkage stack, which allows local users to cause a denial of service (system crash) by executing a crafted instruction (CVE-2014-2039). Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the Linux kernel before 3.2.24 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to Message Signaled Interrupts (MSI), irq routing entries, and an incorrect check by the setup_routing_entry function before invoking the kvm_set_irq function (CVE-2012-2137). The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context (CVE-2014-1874). The updated packages provides a solution for these security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id74513
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/74513
    titleMandriva Linux Security Advisory : kernel (MDVSA-2014:124)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2014:124. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(74513);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:56");
    
      script_cve_id("CVE-2012-2137", "CVE-2013-2897", "CVE-2014-0069", "CVE-2014-0077", "CVE-2014-0101", "CVE-2014-0196", "CVE-2014-1737", "CVE-2014-1738", "CVE-2014-1874", "CVE-2014-2039", "CVE-2014-2309", "CVE-2014-2523", "CVE-2014-2672", "CVE-2014-2678", "CVE-2014-2706", "CVE-2014-2851", "CVE-2014-3144", "CVE-2014-3145", "CVE-2014-3153", "CVE-2014-3917");
      script_bugtraq_id(54063, 62044, 65459, 65588, 65700, 65943, 66095, 66279, 66492, 66543, 66591, 66678, 66779, 67282, 67300, 67302, 67309, 67321, 67906);
      script_xref(name:"MDVSA", value:"2014:124");
    
      script_name(english:"Mandriva Linux Security Advisory : kernel (MDVSA-2014:124)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities has been found and corrected in the Linux
    kernel :
    
    kernel/auditsc.c in the Linux kernel through 3.14.5, when
    CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows
    local users to obtain potentially sensitive single-bit values from
    kernel memory or cause a denial of service (OOPS) via a large value of
    a syscall number (CVE-2014-3917).
    
    The futex_requeue function in kernel/futex.c in the Linux kernel
    through 3.14.5 does not ensure that calls have two different futex
    addresses, which allows local users to gain privileges via a crafted
    FUTEX_REQUEUE command that facilitates unsafe waiter modification
    (CVE-2014-3153).
    
    Race condition in the ath_tx_aggr_sleep function in
    drivers/net/wireless/ath/ath9k/xmit.c in the Linux kernel before
    3.13.7 allows remote attackers to cause a denial of service (system
    crash) via a large amount of network traffic that triggers certain
    list deletions (CVE-2014-2672).
    
    The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension
    implementations in the sk_run_filter function in net/core/filter.c in
    the Linux kernel through 3.14.3 do not check whether a certain length
    value is sufficiently large, which allows local users to cause a
    denial of service (integer underflow and system crash) via crafted BPF
    instructions. NOTE: the affected code was moved to the
    __skb_get_nlattr and __skb_get_nlattr_nest functions before the
    vulnerability was announced (CVE-2014-3144).
    
    The BPF_S_ANC_NLATTR_NEST extension implementation in the
    sk_run_filter function in net/core/filter.c in the Linux kernel
    through 3.14.3 uses the reverse order in a certain subtraction, which
    allows local users to cause a denial of service (over-read and system
    crash) via crafted BPF instructions. NOTE: the affected code was moved
    to the __skb_get_nlattr_nest function before the vulnerability was
    announced (CVE-2014-3145).
    
    Integer overflow in the ping_init_sock function in net/ipv4/ping.c in
    the Linux kernel through 3.14.1 allows local users to cause a denial
    of service (use-after-free and system crash) or possibly gain
    privileges via a crafted application that leverages an improperly
    managed reference counter (CVE-2014-2851).
    
    The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel
    through 3.14.3 does not properly manage tty driver access in the LECHO
    !OPOST case, which allows local users to cause a denial of service
    (memory corruption and system crash) or gain privileges by triggering
    a race condition involving read and write operations with long strings
    (CVE-2014-0196).
    
    The raw_cmd_copyout function in drivers/block/floppy.c in the Linux
    kernel through 3.14.3 does not properly restrict access to certain
    pointers during processing of an FDRAWCMD ioctl call, which allows
    local users to obtain sensitive information from kernel heap memory by
    leveraging write access to a /dev/fd device (CVE-2014-1738).
    
    The raw_cmd_copyin function in drivers/block/floppy.c in the Linux
    kernel through 3.14.3 does not properly handle error conditions during
    processing of an FDRAWCMD ioctl call, which allows local users to
    trigger kfree operations and gain privileges by leveraging write
    access to a /dev/fd device (CVE-2014-1737).
    
    The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel
    through 3.14 allows local users to cause a denial of service (NULL
    pointer dereference and system crash) or possibly have unspecified
    other impact via a bind system call for an RDS socket on a system that
    lacks RDS transports (CVE-2014-2678).
    
    drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable
    buffers are disabled, does not properly validate packet lengths, which
    allows guest OS users to cause a denial of service (memory corruption
    and host OS crash) or possibly gain privileges on the host OS via
    crafted packets, related to the handle_rx and get_rx_bufs functions
    (CVE-2014-0077).
    
    The ip6_route_add function in net/ipv6/route.c in the Linux kernel
    through 3.13.6 does not properly count the addition of routes, which
    allows remote attackers to cause a denial of service (memory
    consumption) via a flood of ICMPv6 Router Advertisement packets
    (CVE-2014-2309).
    
    Multiple array index errors in drivers/hid/hid-multitouch.c in the
    Human Interface Device (HID) subsystem in the Linux kernel through
    3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically
    proximate attackers to cause a denial of service (heap memory
    corruption, or NULL pointer dereference and OOPS) via a crafted device
    (CVE-2013-2897).
    
    net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through
    3.13.6 uses a DCCP header pointer incorrectly, which allows remote
    attackers to cause a denial of service (system crash) or possibly
    execute arbitrary code via a DCCP packet that triggers a call to the
    (1) dccp_new, (2) dccp_packet, or (3) dccp_error function
    (CVE-2014-2523).
    
    Race condition in the mac80211 subsystem in the Linux kernel before
    3.13.7 allows remote attackers to cause a denial of service (system
    crash) via network traffic that improperly interacts with the
    WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and
    tx.c (CVE-2014-2706).
    
    The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the
    Linux kernel through 3.13.6 does not validate certain auth_enable and
    auth_capable fields before making an sctp_sf_authenticate call, which
    allows remote attackers to cause a denial of service (NULL pointer
    dereference and system crash) via an SCTP handshake with a modified
    INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk
    (CVE-2014-0101).
    
    The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel
    through 3.13.5 does not properly handle uncached write operations that
    copy fewer than the requested number of bytes, which allows local
    users to obtain sensitive information from kernel memory, cause a
    denial of service (memory corruption and system crash), or possibly
    gain privileges via a writev system call with a crafted pointer
    (CVE-2014-0069).
    
    arch/s390/kernel/head64.S in the Linux kernel before 3.13.5 on the
    s390 platform does not properly handle attempted use of the linkage
    stack, which allows local users to cause a denial of service (system
    crash) by executing a crafted instruction (CVE-2014-2039).
    
    Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the
    Linux kernel before 3.2.24 allows local users to cause a denial of
    service (crash) and possibly execute arbitrary code via vectors
    related to Message Signaled Interrupts (MSI), irq routing entries, and
    an incorrect check by the setup_routing_entry function before invoking
    the kvm_set_irq function (CVE-2012-2137).
    
    The security_context_to_sid_core function in
    security/selinux/ss/services.c in the Linux kernel before 3.13.4
    allows local users to cause a denial of service (system crash) by
    leveraging the CAP_MAC_ADMIN capability to set a zero-length security
    context (CVE-2014-1874).
    
    The updated packages provides a solution for these security issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Android "Towelroot" Futex Requeue Kernel Exploit');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cpupower");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-firmware");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-server-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64cpupower-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64cpupower0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/06/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"cpupower-3.4.93-1.1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", reference:"kernel-firmware-3.4.93-1.1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"kernel-headers-3.4.93-1.1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"kernel-server-3.4.93-1.1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"kernel-server-devel-3.4.93-1.1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", reference:"kernel-source-3.4.93-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"lib64cpupower-devel-3.4.93-1.1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"lib64cpupower0-3.4.93-1.1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"perf-3.4.93-1.1.mbs1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2014-0328.NASL
    descriptionFrom Red Hat Security Advisory 2014:0328 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the get_rx_bufs() function in the vhost_net implementation in the Linux kernel handled error conditions reported by the vhost_get_vq_desc() function. A privileged guest user could use this flaw to crash the host. (CVE-2014-0055, Important) * A flaw was found in the way the Linux kernel processed an authenticated COOKIE_ECHO chunk during the initialization of an SCTP connection. A remote attacker could use this flaw to crash the system by initiating a specially crafted SCTP handshake in order to trigger a NULL pointer dereference on the system. (CVE-2014-0101, Important) * A flaw was found in the way the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id73196
    published2014-03-26
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73196
    titleOracle Linux 6 : kernel (ELSA-2014-0328)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2014:0328 and 
    # Oracle Linux Security Advisory ELSA-2014-0328 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(73196);
      script_version("1.9");
      script_cvs_date("Date: 2019/09/30 10:58:19");
    
      script_cve_id("CVE-2013-1860", "CVE-2013-7266", "CVE-2013-7270", "CVE-2014-0055", "CVE-2014-0069", "CVE-2014-0101", "CVE-2014-2038");
      script_bugtraq_id(58510, 65588, 65943);
      script_xref(name:"RHSA", value:"2014:0328");
    
      script_name(english:"Oracle Linux 6 : kernel (ELSA-2014-0328)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2014:0328 :
    
    Updated kernel packages that fix multiple security issues and several
    bugs are now available for Red Hat Enterprise Linux 6.
    
    The Red Hat Security Response Team has rated this update as having
    Important security impact. Common Vulnerability Scoring System (CVSS)
    base scores, which give detailed severity ratings, are available for
    each vulnerability from the CVE links in the References section.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    * A flaw was found in the way the get_rx_bufs() function in the
    vhost_net implementation in the Linux kernel handled error conditions
    reported by the vhost_get_vq_desc() function. A privileged guest user
    could use this flaw to crash the host. (CVE-2014-0055, Important)
    
    * A flaw was found in the way the Linux kernel processed an
    authenticated COOKIE_ECHO chunk during the initialization of an SCTP
    connection. A remote attacker could use this flaw to crash the system
    by initiating a specially crafted SCTP handshake in order to trigger a
    NULL pointer dereference on the system. (CVE-2014-0101, Important)
    
    * A flaw was found in the way the Linux kernel's CIFS implementation
    handled uncached write operations with specially crafted iovec
    structures. An unprivileged local user with access to a CIFS share
    could use this flaw to crash the system, leak kernel memory, or,
    potentially, escalate their privileges on the system. Note: the
    default cache settings for CIFS mounts on Red Hat Enterprise Linux 6
    prohibit a successful exploitation of this issue. (CVE-2014-0069,
    Moderate)
    
    * A heap-based buffer overflow flaw was found in the Linux kernel's
    cdc-wdm driver, used for USB CDC WCM device management. An attacker
    with physical access to a system could use this flaw to cause a denial
    of service or, potentially, escalate their privileges. (CVE-2013-1860,
    Low)
    
    Red Hat would like to thank Nokia Siemens Networks for reporting
    CVE-2014-0101, and Al Viro for reporting CVE-2014-0069.
    
    This update also fixes several bugs. Documentation for these changes
    will be available shortly from the Technical Notes document linked to
    in the References section.
    
    All kernel users are advised to upgrade to these updated packages,
    which contain backported patches to correct these issues. The system
    must be rebooted for this update to take effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2014-March/004037.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-firmware");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/03/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/03/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/26");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2013-1860", "CVE-2013-7266", "CVE-2013-7270", "CVE-2014-0055", "CVE-2014-0069", "CVE-2014-0101", "CVE-2014-2038");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2014-0328");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "2.6";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL6", rpm:"kernel-2.6.32") && rpm_check(release:"EL6", reference:"kernel-2.6.32-431.11.2.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-abi-whitelists-2.6.32") && rpm_check(release:"EL6", reference:"kernel-abi-whitelists-2.6.32-431.11.2.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-debug-2.6.32") && rpm_check(release:"EL6", reference:"kernel-debug-2.6.32-431.11.2.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-debug-devel-2.6.32") && rpm_check(release:"EL6", reference:"kernel-debug-devel-2.6.32-431.11.2.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-devel-2.6.32") && rpm_check(release:"EL6", reference:"kernel-devel-2.6.32-431.11.2.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-doc-2.6.32") && rpm_check(release:"EL6", reference:"kernel-doc-2.6.32-431.11.2.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-firmware-2.6.32") && rpm_check(release:"EL6", reference:"kernel-firmware-2.6.32-431.11.2.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-headers-2.6.32") && rpm_check(release:"EL6", reference:"kernel-headers-2.6.32-431.11.2.el6")) flag++;
    if (rpm_check(release:"EL6", reference:"perf-2.6.32-431.11.2.el6")) flag++;
    if (rpm_check(release:"EL6", reference:"python-perf-2.6.32-431.11.2.el6")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_KERNEL-140321.NASL
    descriptionThe SUSE Linux Enterprise 11 Service Pack 3 kernel was updated to fix various bugs and security issues. ---------------------------------------------------------------------- - WARNING: If you are running KVM with PCI pass-through on a system with one of the following Intel chipsets: 5500 (revision 0x13), 5520 (revision 0x13) or X58 (revisions 0x12, 0x13, 0x22), please make sure to read the following support document before installing this update: https://www.suse.com/support/kb/doc.php?id=7014344 . You will have to update your KVM setup to no longer make use of PCI pass-through before rebooting to the updated kernel. ---------------------------------------------------------------------- - The following security bugs were fixed : - The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. (bnc#847672). (CVE-2013-4470) - The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#852967). (CVE-2013-6885) - The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#857643). (CVE-2013-7263) - The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643). (CVE-2013-7264) - The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643). (CVE-2013-7265) - The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer. (bnc#864025). (CVE-2014-0069) The following non-security bugs were fixed : - kabi: protect symbols modified by bnc#864833 fix. (bnc#864833) - mm: mempolicy: fix mbind_range() &amp;&amp; vma_adjust() interaction (VM Functionality (bnc#866428)). - mm: merging memory blocks resets mempolicy (VM Functionality (bnc#866428)). - mm/page-writeback.c: do not count anon pages as dirtyable memory (High memory utilisation performance (bnc#859225)). - mm: vmscan: Do not force reclaim file pages until it exceeds anon (High memory utilisation performance (bnc#859225)). - mm: vmscan: fix endless loop in kswapd balancing (High memory utilisation performance (bnc#859225)). - mm: vmscan: Update rotated and scanned when force reclaimed (High memory utilisation performance (bnc#859225)). - mm: exclude memory less nodes from zone_reclaim. (bnc#863526) - mm: fix return type for functions nr_free_*_pages kabi fixup. (bnc#864058) - mm: fix return type for functions nr_free_*_pages. (bnc#864058) - mm: swap: Use swapfiles in priority order (Use swap files in priority order (bnc#862957)). - x86: Save cr2 in NMI in case NMIs take a page fault (follow-up for patches.fixes/x86-Add-workaround-to-NMI-iret-woes.patch) . - powerpc: Add VDSO version of getcpu (fate#316816, bnc#854445). - vmscan: change type of vm_total_pages to unsigned long. (bnc#864058) - audit: dynamically allocate audit_names when not enough space is in the names array. (bnc#857358) - audit: make filetype matching consistent with other filters. (bnc#857358) - arch/x86/mm/srat: Skip NUMA_NO_NODE while parsing SLIT. (bnc#863178) - hwmon: (coretemp) Fix truncated name of alarm attributes. - privcmd: allow preempting long running user-mode originating hypercalls. (bnc#861093) - nohz: Check for nohz active instead of nohz enabled. (bnc#846790) - nohz: Fix another inconsistency between CONFIG_NO_HZ=n and nohz=off. (bnc#846790) - iommu/vt-d: add quirk for broken interrupt remapping on 55XX chipsets. (bnc#844513) - balloon: do not crash in HVM-with-PoD guests. - crypto: s390 - fix des and des3_ede ctr concurrency issue (bnc#862796, LTC#103744). - crypto: s390 - fix des and des3_ede cbc concurrency issue (bnc#862796, LTC#103743). - kernel: oops due to linkage stack instructions (bnc#862796, LTC#103860). - crypto: s390 - fix concurrency issue in aes-ctr mode (bnc#862796, LTC#103742). - dump: Fix dump memory detection (bnc#862796,LTC#103575). - net: change type of virtio_chan->p9_max_pages. (bnc#864058) - inet: Avoid potential NULL peer dereference. (bnc#864833) - inet: Hide route peer accesses behind helpers. (bnc#864833) - inet: Pass inetpeer root into inet_getpeer*() interfaces. (bnc#864833) - tcp: syncookies: reduce cookie lifetime to 128 seconds. (bnc#833968) - tcp: syncookies: reduce mss table to four values. (bnc#833968) - ipv6 routing, NLM_F_* flag support: REPLACE and EXCL flags support, warn about missing CREATE flag. (bnc#865783) - ipv6: send router reachability probe if route has an unreachable gateway. (bnc#853162) - sctp: Implement quick failover draft from tsvwg. (bnc#827670) - ipvs: fix AF assignment in ip_vs_conn_new(). (bnc#856848) - NFSD/sunrpc: avoid deadlock on TCP connection due to memory pressure. (bnc#853455) - btrfs: bugfix collection - fs/nfsd: change type of max_delegations, nfsd_drc_max_mem and nfsd_drc_mem_used. (bnc#864058) - fs/buffer.c: change type of max_buffer_heads to unsigned long. (bnc#864058) - ncpfs: fix rmdir returns Device or resource busy. (bnc#864880) - fs/fscache: Handle removal of unadded object to the fscache_object_list rb tree. (bnc#855885) - scsi_dh_alua: fixup RTPG retry delay miscalculation. (bnc#854025) - scsi_dh_alua: Simplify state machine. (bnc#854025) - xhci: Fix resume issues on Renesas chips in Samsung laptops. (bnc#866253) - bonding: disallow enslaving a bond to itself. (bnc#599263) - USB: hub: handle -ETIMEDOUT during enumeration. (bnc#855825) - dm-multipath: Do not stall on invalid ioctls. (bnc#865342) - scsi_dh_alua: endless STPG retries for a failed LUN. (bnc#865342) - net/mlx4_en: Fix pages never dma unmapped on rx. (bnc#858604) - dlm: remove get_comm. (bnc#827670) - dlm: Avoid LVB truncation. (bnc#827670) - dlm: disable nagle for SCTP. (bnc#827670) - dlm: retry failed SCTP sends. (bnc#827670) - dlm: try other IPs when sctp init assoc fails. (bnc#827670) - dlm: clear correct bit during sctp init failure handling. (bnc#827670) - dlm: set sctp assoc id during setup. (bnc#827670) - dlm: clear correct init bit during sctp setup. (bnc#827670) - dlm: fix deadlock between dlm_send and dlm_controld. (bnc#827670) - dlm: Fix return value from lockspace_busy(). (bnc#827670) - Avoid occasional hang with NFS. (bnc#852488) - mpt2sas: Fix unsafe using smp_processor_id() in preemptible. (bnc#853166) - lockd: send correct lock when granting a delayed lock. (bnc#859342)
    last seen2017-10-29
    modified2014-06-13
    plugin id73244
    published2014-03-28
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=73244
    titleSuSE 11.3 Security Update : Linux Kernel (SAT Patch Numbers 9047 / 9050 / 9051)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20140325_KERNEL_ON_SL6_X.NASL
    description* A flaw was found in the way the get_rx_bufs() function in the vhost_net implementation in the Linux kernel handled error conditions reported by the vhost_get_vq_desc() function. A privileged guest user could use this flaw to crash the host. (CVE-2014-0055, Important) * A flaw was found in the way the Linux kernel processed an authenticated COOKIE_ECHO chunk during the initialization of an SCTP connection. A remote attacker could use this flaw to crash the system by initiating a specially crafted SCTP handshake in order to trigger a NULL pointer dereference on the system. (CVE-2014-0101, Important) * A flaw was found in the way the Linux kernel
    last seen2020-03-18
    modified2014-03-26
    plugin id73200
    published2014-03-26
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73200
    titleScientific Linux Security Update : kernel on SL6.x i386/x86_64 (20140325)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2014-3014.NASL
    descriptionDescription of changes: [3.8.13-26.2.2.el6uek] - netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages (Daniel Borkmann) [Orabug: 18421673] {CVE-2014-2523} - cifs: ensure that uncached writes handle unmapped areas correctly (Jeff Layton) [Orabug: 18461067] {CVE-2014-0069} {CVE-2014-0069} - net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable (Daniel Borkmann) [Orabug: 18461065] {CVE-2014-0101} - vhost-net: insufficient handling of error conditions in get_rx_bufs() (Guangyu Sun) [Orabug: 18461050] {CVE-2014-0055}
    last seen2020-06-01
    modified2020-06-02
    plugin id73221
    published2014-03-27
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73221
    titleOracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2014-3014)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1477.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7265) - The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not ensure that a certain length value is consistent with the size of an associated data structure, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7266) - The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7267) - The ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7268) - The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7269) - The packet_recvmsg function in net/packet/af_packet.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7270) - The x25_recvmsg function in net/x25/af_x25.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7271) - The dgram_recvmsg function in net/ieee802154/dgram.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7281) - A NULL pointer dereference flaw was found in the rds_ib_laddr_check() function in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id124801
    published2019-05-13
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124801
    titleEulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1477)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2014-0439.NASL
    descriptionUpdated kernel-rt packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise MRG 2.5. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. * A denial of service flaw was found in the way the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id76674
    published2014-07-22
    reporterThis script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/76674
    titleRHEL 6 : MRG (RHSA-2014:0439)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2014-3034.NASL
    descriptionThe remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen2020-06-01
    modified2020-06-02
    plugin id74101
    published2014-05-20
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74101
    titleOracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2014-3034)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_KERNEL-140408.NASL
    descriptionThe SUSE Linux Enterprise 11 Service Pack 3 kernel has been updated to fix various bugs and security issues. ---------------------------------------------------------------------- - WARNING: If you are running KVM with PCI pass-through on a system with one of the following Intel chipsets: 5500 (revision 0x13), 5520 (revision 0x13) or X58 (revisions 0x12, 0x13, 0x22), please make sure to read the following support document before installing this update : https://www.suse.com/support/kb/doc.php?id=7014344 You will have to update your KVM setup to no longer make use of PCI pass-through before rebooting to the updated kernel. ---------------------------------------------------------------------- - The following security bugs have been fixed : - The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. (bnc#847672). (CVE-2013-4470) - The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#852967). (CVE-2013-6885) - The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#857643). (CVE-2013-7263) - The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643). (CVE-2013-7264) - The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643). (CVE-2013-7265) - The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer. (bnc#864025). (CVE-2014-0069) Also the following non-security bugs have been fixed : - kabi: protect symbols modified by bnc#864833 fix. (bnc#864833) - mm: mempolicy: fix mbind_range() &amp;&amp; vma_adjust() interaction (VM Functionality (bnc#866428)). - mm: merging memory blocks resets mempolicy (VM Functionality (bnc#866428)). - mm/page-writeback.c: do not count anon pages as dirtyable memory (High memory utilisation performance (bnc#859225)). - mm: vmscan: Do not force reclaim file pages until it exceeds anon (High memory utilisation performance (bnc#859225)). - mm: vmscan: fix endless loop in kswapd balancing (High memory utilisation performance (bnc#859225)). - mm: vmscan: Update rotated and scanned when force reclaimed (High memory utilisation performance (bnc#859225)). - mm: exclude memory less nodes from zone_reclaim. (bnc#863526) - mm: fix return type for functions nr_free_*_pages kabi fixup. (bnc#864058) - mm: fix return type for functions nr_free_*_pages. (bnc#864058) - mm: swap: Use swapfiles in priority order (Use swap files in priority order (bnc#862957)). - x86: Save cr2 in NMI in case NMIs take a page fault (follow-up for patches.fixes/x86-Add-workaround-to-NMI-iret-woes.patch) . - powerpc: Add VDSO version of getcpu (fate#316816, bnc#854445). - vmscan: change type of vm_total_pages to unsigned long. (bnc#864058) - audit: dynamically allocate audit_names when not enough space is in the names array. (bnc#857358) - audit: make filetype matching consistent with other filters. (bnc#857358) - arch/x86/mm/srat: Skip NUMA_NO_NODE while parsing SLIT. (bnc#863178) - hwmon: (coretemp) Fix truncated name of alarm attributes. - privcmd: allow preempting long running user-mode originating hypercalls. (bnc#861093) - nohz: Check for nohz active instead of nohz enabled. (bnc#846790) - nohz: Fix another inconsistency between CONFIG_NO_HZ=n and nohz=off. (bnc#846790) - iommu/vt-d: add quirk for broken interrupt remapping on 55XX chipsets. (bnc#844513) - balloon: do not crash in HVM-with-PoD guests. - crypto: s390 - fix des and des3_ede ctr concurrency issue (bnc#862796, LTC#103744). - crypto: s390 - fix des and des3_ede cbc concurrency issue (bnc#862796, LTC#103743). - kernel: oops due to linkage stack instructions (bnc#862796, LTC#103860). - crypto: s390 - fix concurrency issue in aes-ctr mode (bnc#862796, LTC#103742). - dump: Fix dump memory detection (bnc#862796,LTC#103575). - net: change type of virtio_chan->p9_max_pages. (bnc#864058) - inet: handle rt{,6}_bind_peer() failure correctly. (bnc#870801) - inet: Avoid potential NULL peer dereference. (bnc#864833) - inet: Hide route peer accesses behind helpers. (bnc#864833) - inet: Pass inetpeer root into inet_getpeer*() interfaces. (bnc#864833) - tcp: syncookies: reduce cookie lifetime to 128 seconds. (bnc#833968) - tcp: syncookies: reduce mss table to four values. (bnc#833968) - ipv6 routing, NLM_F_* flag support: REPLACE and EXCL flags support, warn about missing CREATE flag. (bnc#865783) - ipv6: send router reachability probe if route has an unreachable gateway. (bnc#853162) - sctp: Implement quick failover draft from tsvwg. (bnc#827670) - ipvs: fix AF assignment in ip_vs_conn_new(). (bnc#856848) - NFSD/sunrpc: avoid deadlock on TCP connection due to memory pressure. (bnc#853455) - btrfs: bugfix collection - fs/nfsd: change type of max_delegations, nfsd_drc_max_mem and nfsd_drc_mem_used. (bnc#864058) - fs/buffer.c: change type of max_buffer_heads to unsigned long. (bnc#864058) - ncpfs: fix rmdir returns Device or resource busy. (bnc#864880) - scsi_dh_alua: fixup RTPG retry delay miscalculation. (bnc#854025) - scsi_dh_alua: Simplify state machine. (bnc#854025) - xhci: Fix resume issues on Renesas chips in Samsung laptops. (bnc#866253) - bonding: disallow enslaving a bond to itself. (bnc#599263) - USB: hub: handle -ETIMEDOUT during enumeration. (bnc#855825) - dm-multipath: Do not stall on invalid ioctls. (bnc#865342) - scsi_dh_alua: endless STPG retries for a failed LUN. (bnc#865342) - net/mlx4_en: Fix pages never dma unmapped on rx. (bnc#858604) - dlm: remove get_comm. (bnc#827670) - dlm: Avoid LVB truncation. (bnc#827670) - dlm: disable nagle for SCTP. (bnc#827670) - dlm: retry failed SCTP sends. (bnc#827670) - dlm: try other IPs when sctp init assoc fails. (bnc#827670) - dlm: clear correct bit during sctp init failure handling. (bnc#827670) - dlm: set sctp assoc id during setup. (bnc#827670) - dlm: clear correct init bit during sctp setup. (bnc#827670) - dlm: fix deadlock between dlm_send and dlm_controld. (bnc#827670) - dlm: Fix return value from lockspace_busy(). (bnc#827670) - Avoid occasional hang with NFS. (bnc#852488) - mpt2sas: Fix unsafe using smp_processor_id() in preemptible. (bnc#853166) - lockd: send correct lock when granting a delayed lock. (bnc#859342)
    last seen2020-06-05
    modified2014-04-16
    plugin id73554
    published2014-04-16
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/73554
    titleSuSE 11.3 Security Update : Linux kernel (SAT Patch Numbers 9102 / 9104 / 9105)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-2576.NASL
    descriptionThe 3.13.3 stable update contains a number of important fixes across the tree. The 3.13.2 rebase contains support for additional hardware, some new features and a number of important bug fixes across the tree. Fixes CVE-2014-0069 cifs: incorrect handling of bogus user pointers Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2014-02-18
    plugin id72546
    published2014-02-18
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/72546
    titleFedora 20 : kernel-3.13.3-201.fc20 (2014-2576)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2177-1.NASL
    descriptionA flaw was discovered in the Kernel Virtual Machine (KVM) subsystem of the Linux kernel. A guest OS user could exploit this flaw to execute arbitrary code on the host OS. (CVE-2014-0049) Al Viro discovered an error in how CIFS in the Linux kernel handles uncached write operations. An unprivileged local user could exploit this flaw to cause a denial of service (system crash), obtain sensitive information from kernel memory, or possibly gain privileges. (CVE-2014-0069). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id73726
    published2014-04-27
    reporterUbuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73726
    titleUbuntu 12.04 LTS : linux-lts-saucy vulnerabilities (USN-2177-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2014-0339.NASL
    descriptionAn updated rhev-hypervisor6 package that fixes multiple security issues is now available. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) A flaw was found in the way the get_rx_bufs() function in the vhost_net implementation in the Linux kernel handled error conditions reported by the vhost_get_vq_desc() function. A privileged guest user could use this flaw to crash the host. (CVE-2014-0055) A heap-based buffer overflow flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id79003
    published2014-11-08
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79003
    titleRHEL 6 : rhev-hypervisor6 (RHSA-2014:0339)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2014-375.NASL
    descriptionThis Linux kernel security update fixes various security issues and bugs. The Linux Kernel was updated to fix various security issues and bugs. Main security issues fixed : A security issue in the tty layer that was fixed that could be used by local attackers for code execution (CVE-2014-0196). Two security issues in the floppy driver were fixed that could be used by local attackers on machines with the floppy to crash the kernel or potentially execute code in the kernel (CVE-2014-1737 CVE-2014-1738). Other security issues and bugfixes : - netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper (bnc#860835 CVE-2014-1690). - net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH (bnc#866102, CVE-2014-0101). - [media] ivtv: Fix Oops when no firmware is loaded (bnc#875440). - ALSA: hda - Add dock pin setups for Thinkpad T440 (bnc#876699). - ip6tnl: fix double free of fb_tnl_dev on exit (bnc#876531). - Update arm config files: Enable all USB-to-serial drivers Specifically, enable USB_SERIAL_WISHBONE and USB_SERIAL_QT2 on all arm flavors. - mei: limit the number of consecutive resets (bnc#821619,bnc#852656). - mei: revamp mei reset state machine (bnc#821619,bnc#852656). - mei: use hbm idle state to prevent spurious resets (bnc#821619). - mei: do not run reset flow from the interrupt thread (bnc#821619,bnc#852656). - mei: don
    last seen2020-06-05
    modified2014-06-13
    plugin id75363
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75363
    titleopenSUSE Security Update : kernel (openSUSE-SU-2014:0678-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2014-0328.NASL
    descriptionUpdated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the get_rx_bufs() function in the vhost_net implementation in the Linux kernel handled error conditions reported by the vhost_get_vq_desc() function. A privileged guest user could use this flaw to crash the host. (CVE-2014-0055, Important) * A flaw was found in the way the Linux kernel processed an authenticated COOKIE_ECHO chunk during the initialization of an SCTP connection. A remote attacker could use this flaw to crash the system by initiating a specially crafted SCTP handshake in order to trigger a NULL pointer dereference on the system. (CVE-2014-0101, Important) * A flaw was found in the way the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id73198
    published2014-03-26
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73198
    titleRHEL 6 : kernel (RHSA-2014:0328)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2175-1.NASL
    descriptionA flaw was discovered in the Kernel Virtual Machine (KVM) subsystem of the Linux kernel. A guest OS user could exploit this flaw to execute arbitrary code on the host OS. (CVE-2014-0049) Al Viro discovered an error in how CIFS in the Linux kernel handles uncached write operations. An unprivileged local user could exploit this flaw to cause a denial of service (system crash), obtain sensitive information from kernel memory, or possibly gain privileges. (CVE-2014-0069). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id73724
    published2014-04-27
    reporterUbuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73724
    titleUbuntu 12.04 LTS : linux-lts-quantal vulnerabilities (USN-2175-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2178-1.NASL
    descriptionA flaw was discovered in the Kernel Virtual Machine (KVM) subsystem of the Linux kernel. A guest OS user could exploit this flaw to execute arbitrary code on the host OS. (CVE-2014-0049) Al Viro discovered an error in how CIFS in the Linux kernel handles uncached write operations. An unprivileged local user could exploit this flaw to cause a denial of service (system crash), obtain sensitive information from kernel memory, or possibly gain privileges. (CVE-2014-0069). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id73727
    published2014-04-27
    reporterUbuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73727
    titleUbuntu 12.10 : linux vulnerabilities (USN-2178-1)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0057.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id99163
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99163
    titleOracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1516.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The hi3660_stub_clk_probe function in drivers/clk/hisilicon/clk-hi3660-stub.c in the Linux kernel before 4.16 allows local users to cause a denial of service (NULL pointer dereference) by triggering a failure of resource retrieval.(CVE-2018-10074i1/4%0 - An information leak flaw was found in the RAM Disks Memory Copy (rd_mcp) backend driver of the iSCSI Target subsystem of the Linux kernel. A privileged user could use this flaw to leak the contents of kernel memory to an iSCSI initiator remote client.(CVE-2014-4027i1/4%0 - It was found that in the Linux kernel version 4.2-rc1 to 4.3-rc1, a use of uninitialized
    last seen2020-03-19
    modified2019-05-13
    plugin id124837
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124837
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1516)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2221-1.NASL
    descriptionMatthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges if the floppy disk module is loaded. (CVE-2014-1737) A flaw was discovered in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id74184
    published2014-05-27
    reporterUbuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74184
    titleUbuntu 12.04 LTS : linux vulnerabilities (USN-2221-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-2606.NASL
    descriptionFixes CVE-2014-0069 cifs: incorrect handling of bogus user pointers Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2014-02-18
    plugin id72548
    published2014-02-18
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/72548
    titleFedora 19 : kernel-3.12.11-201.fc19 (2014-2606)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0004_KERNEL.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID. (CVE-2013-2888) - drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows physically proximate attackers to cause a denial of service (heap- based out-of-bounds write) via a crafted device. (CVE-2013-2889) - drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled, allows physically proximate attackers to cause a denial of service (heap- based out-of-bounds write) via a crafted device. (CVE-2013-2892) - The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application. (CVE-2013-2930) - Use-after-free vulnerability in the vhost_net_set_backend function in drivers/vhost/net.c in the Linux kernel through 3.10.3 allows local users to cause a denial of service (OOPS and system crash) via vectors involving powering on a virtual machine. (CVE-2013-4127) - The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (CVE-2013-4162) - The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6 implementation in the Linux kernel through 3.10.3 does not properly maintain information about whether the IPV6_MTU setsockopt option had been specified, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (CVE-2013-4163) - Use-after-free vulnerability in drivers/net/tun.c in the Linux kernel through 3.11.1 allows local users to gain privileges by leveraging the CAP_NET_ADMIN capability and providing an invalid tuntap interface name in a TUNSETIFF ioctl call. (CVE-2013-4343) - The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel through 3.12 allows remote attackers to cause a denial of service (infinite loop) via a small value in the IHL field of a packet with IPIP encapsulation. (CVE-2013-4348) - The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel through 3.11.1 uses data structures and function calls that do not trigger an intended configuration of IPsec encryption, which allows remote attackers to obtain sensitive information by sniffing the network. (CVE-2013-4350) - net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response packet. (CVE-2013-4387) - The udp6_ufo_fragment function in net/ipv6/udp_offload.c in the Linux kernel through 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly perform a certain size comparison before inserting a fragment header, which allows remote attackers to cause a denial of service (panic) via a large IPv6 UDP packet, as demonstrated by use of the Token Bucket Filter (TBF) queueing discipline. (CVE-2013-4563) - The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations. (CVE-2013-4579) - Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value. (CVE-2013-4587) - The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value. (CVE-2013-6367) - The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address. (CVE-2013-6368) - The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (host OS crash) via a crafted ICR write operation in x2apic mode. (CVE-2013-6376) - The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation. (CVE-2013-6378) - The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 3.12.1 does not properly validate a certain size value, which allows local users to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via an FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted SRB command. (CVE-2013-6380) - Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c. (CVE-2013-6382) - Multiple race conditions in ipc/shm.c in the Linux kernel before 3.12.2 allow local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted application that uses shmctl IPC_RMID operations in conjunction with other shm system calls. (CVE-2013-7026) - The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not ensure that a certain length value is consistent with the size of an associated data structure, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7266) - The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7267) - The ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7268) - The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7269) - The packet_recvmsg function in net/packet/af_packet.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7270) - The x25_recvmsg function in net/x25/af_x25.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7271) - Buffer overflow in the complete_emulated_mmio function in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6 allows guest OS users to execute arbitrary code on the host OS by leveraging a loop that triggers an invalid memory copy affecting certain cancel_work_item data. (CVE-2014-0049) - The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors. (CVE-2014-0055) - The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer. (CVE-2014-0069) - drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions. (CVE-2014-0077) - Race condition in the inet_frag_intern function in net/ipv4/inet_fragment.c in the Linux kernel through 3.13.6 allows remote attackers to cause a denial of service (use-after-free error) or possibly have unspecified other impact via a large series of fragmented ICMP Echo Request packets to a system with a heavy CPU load. (CVE-2014-0100) - A flaw was found in the way the Linux kernel processed an authenticated COOKIE_ECHO chunk during the initialization of an SCTP connection. A remote attacker could use this flaw to crash the system by initiating a specially crafted SCTP handshake in order to trigger a NULL pointer dereference on the system. (CVE-2014-0101) - The keyring_detect_cycle_iterator function in security/keys/keyring.c in the Linux kernel through 3.13.6 does not properly determine whether keyrings are identical, which allows local users to cause a denial of service (OOPS) via crafted keyctl commands. (CVE-2014-0102) - Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. (CVE-2014-0131) - The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced. (CVE-2014-0155) - The restore_fpu_checking function in arch/x86/include/asm/fpu-internal.h in the Linux kernel before 3.12.8 on the AMD K7 and K8 platforms does not clear pending exceptions before proceeding to an EMMS instruction, which allows local users to cause a denial of service (task kill) or possibly gain privileges via a crafted application. (CVE-2014-1438) - The help function in net/netfilter/nf_nat_irc.c in the Linux kernel before 3.12.8 allows remote attackers to obtain sensitive information from kernel memory by establishing an IRC DCC session in which incorrect packet data is transmitted during use of the NAT mangle feature. (CVE-2014-1690) - The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets. (CVE-2014-2309) - net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function. (CVE-2014-2523) - It was found that the try_to_unmap_cluster() function in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id127146
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127146
    titleNewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0004)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2014-289.NASL
    descriptionThe pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context. The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer.
    last seen2020-06-01
    modified2020-06-02
    plugin id72745
    published2014-03-02
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/72745
    titleAmazon Linux AMI : kernel (ALAS-2014-289)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2014-0328.NASL
    descriptionUpdated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the get_rx_bufs() function in the vhost_net implementation in the Linux kernel handled error conditions reported by the vhost_get_vq_desc() function. A privileged guest user could use this flaw to crash the host. (CVE-2014-0055, Important) * A flaw was found in the way the Linux kernel processed an authenticated COOKIE_ECHO chunk during the initialization of an SCTP connection. A remote attacker could use this flaw to crash the system by initiating a specially crafted SCTP handshake in order to trigger a NULL pointer dereference on the system. (CVE-2014-0101, Important) * A flaw was found in the way the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id73191
    published2014-03-26
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73191
    titleCentOS 6 : kernel (CESA-2014:0328)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2179-1.NASL
    descriptionA flaw was discovered in the Kernel Virtual Machine (KVM) subsystem of the Linux kernel. A guest OS user could exploit this flaw to execute arbitrary code on the host OS. (CVE-2014-0049) Al Viro discovered an error in how CIFS in the Linux kernel handles uncached write operations. An unprivileged local user could exploit this flaw to cause a denial of service (system crash), obtain sensitive information from kernel memory, or possibly gain privileges. (CVE-2014-0069). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id73728
    published2014-04-27
    reporterUbuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73728
    titleUbuntu 13.10 : linux vulnerabilities (USN-2179-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2176-1.NASL
    descriptionA flaw was discovered in the Kernel Virtual Machine (KVM) subsystem of the Linux kernel. A guest OS user could exploit this flaw to execute arbitrary code on the host OS. (CVE-2014-0049) Al Viro discovered an error in how CIFS in the Linux kernel handles uncached write operations. An unprivileged local user could exploit this flaw to cause a denial of service (system crash), obtain sensitive information from kernel memory, or possibly gain privileges. (CVE-2014-0069). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id73725
    published2014-04-27
    reporterUbuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73725
    titleUbuntu 12.04 LTS : linux-lts-raring vulnerabilities (USN-2176-1)

Redhat

advisories
rhsa
idRHSA-2014:0328
rpms
  • kernel-0:2.6.32-431.11.2.el6
  • kernel-abi-whitelists-0:2.6.32-431.11.2.el6
  • kernel-bootwrapper-0:2.6.32-431.11.2.el6
  • kernel-debug-0:2.6.32-431.11.2.el6
  • kernel-debug-debuginfo-0:2.6.32-431.11.2.el6
  • kernel-debug-devel-0:2.6.32-431.11.2.el6
  • kernel-debuginfo-0:2.6.32-431.11.2.el6
  • kernel-debuginfo-common-i686-0:2.6.32-431.11.2.el6
  • kernel-debuginfo-common-ppc64-0:2.6.32-431.11.2.el6
  • kernel-debuginfo-common-s390x-0:2.6.32-431.11.2.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-431.11.2.el6
  • kernel-devel-0:2.6.32-431.11.2.el6
  • kernel-doc-0:2.6.32-431.11.2.el6
  • kernel-firmware-0:2.6.32-431.11.2.el6
  • kernel-headers-0:2.6.32-431.11.2.el6
  • kernel-kdump-0:2.6.32-431.11.2.el6
  • kernel-kdump-debuginfo-0:2.6.32-431.11.2.el6
  • kernel-kdump-devel-0:2.6.32-431.11.2.el6
  • perf-0:2.6.32-431.11.2.el6
  • perf-debuginfo-0:2.6.32-431.11.2.el6
  • python-perf-0:2.6.32-431.11.2.el6
  • python-perf-debuginfo-0:2.6.32-431.11.2.el6
  • kernel-rt-0:3.10.33-rt32.33.el6rt
  • kernel-rt-debug-0:3.10.33-rt32.33.el6rt
  • kernel-rt-debug-debuginfo-0:3.10.33-rt32.33.el6rt
  • kernel-rt-debug-devel-0:3.10.33-rt32.33.el6rt
  • kernel-rt-debuginfo-0:3.10.33-rt32.33.el6rt
  • kernel-rt-debuginfo-common-x86_64-0:3.10.33-rt32.33.el6rt
  • kernel-rt-devel-0:3.10.33-rt32.33.el6rt
  • kernel-rt-doc-0:3.10.33-rt32.33.el6rt
  • kernel-rt-firmware-0:3.10.33-rt32.33.el6rt
  • kernel-rt-trace-0:3.10.33-rt32.33.el6rt
  • kernel-rt-trace-debuginfo-0:3.10.33-rt32.33.el6rt
  • kernel-rt-trace-devel-0:3.10.33-rt32.33.el6rt
  • kernel-rt-vanilla-0:3.10.33-rt32.33.el6rt
  • kernel-rt-vanilla-debuginfo-0:3.10.33-rt32.33.el6rt
  • kernel-rt-vanilla-devel-0:3.10.33-rt32.33.el6rt