ID CVE-2005-0109
Summary Hyper-Threading technology, as used in FreeBSD and other operating systems that are run on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses.
References
Vulnerable Configurations
  • FreeBSD 1.1.5.1
    cpe:2.3:o:freebsd:freebsd:1.1.5.1
  • FreeBSD 2.0
    cpe:2.3:o:freebsd:freebsd:2.0
  • FreeBSD 2.0.5
    cpe:2.3:o:freebsd:freebsd:2.0.5
  • FreeBSD 2.1.0
    cpe:2.3:o:freebsd:freebsd:2.1.0
  • FreeBSD 2.1.5
    cpe:2.3:o:freebsd:freebsd:2.1.5
  • FreeBSD 2.1.6
    cpe:2.3:o:freebsd:freebsd:2.1.6
  • FreeBSD 2.1.6.1
    cpe:2.3:o:freebsd:freebsd:2.1.6.1
  • FreeBSD 2.1.7.1
    cpe:2.3:o:freebsd:freebsd:2.1.7.1
  • FreeBSD 2.2
    cpe:2.3:o:freebsd:freebsd:2.2
  • FreeBSD 2.2.2
    cpe:2.3:o:freebsd:freebsd:2.2.2
  • FreeBSD 2.2.3
    cpe:2.3:o:freebsd:freebsd:2.2.3
  • FreeBSD 2.2.4
    cpe:2.3:o:freebsd:freebsd:2.2.4
  • FreeBSD 2.2.5
    cpe:2.3:o:freebsd:freebsd:2.2.5
  • FreeBSD 2.2.6
    cpe:2.3:o:freebsd:freebsd:2.2.6
  • FreeBSD 2.2.8
    cpe:2.3:o:freebsd:freebsd:2.2.8
  • FreeBSD 3.0
    cpe:2.3:o:freebsd:freebsd:3.0
  • cpe:2.3:o:freebsd:freebsd:3.0:releng
    cpe:2.3:o:freebsd:freebsd:3.0:releng
  • FreeBSD 3.1
    cpe:2.3:o:freebsd:freebsd:3.1
  • FreeBSD 3.2
    cpe:2.3:o:freebsd:freebsd:3.2
  • FreeBSD 3.3
    cpe:2.3:o:freebsd:freebsd:3.3
  • FreeBSD 3.4
    cpe:2.3:o:freebsd:freebsd:3.4
  • FreeBSD 3.5
    cpe:2.3:o:freebsd:freebsd:3.5
  • cpe:2.3:o:freebsd:freebsd:3.5:stable
    cpe:2.3:o:freebsd:freebsd:3.5:stable
  • FreeBSD 3.5.1
    cpe:2.3:o:freebsd:freebsd:3.5.1
  • cpe:2.3:o:freebsd:freebsd:3.5.1:release
    cpe:2.3:o:freebsd:freebsd:3.5.1:release
  • cpe:2.3:o:freebsd:freebsd:3.5.1:stable
    cpe:2.3:o:freebsd:freebsd:3.5.1:stable
  • FreeBSD 4.0
    cpe:2.3:o:freebsd:freebsd:4.0
  • cpe:2.3:o:freebsd:freebsd:4.0:alpha
    cpe:2.3:o:freebsd:freebsd:4.0:alpha
  • cpe:2.3:o:freebsd:freebsd:4.0:releng
    cpe:2.3:o:freebsd:freebsd:4.0:releng
  • FreeBSD 4.1
    cpe:2.3:o:freebsd:freebsd:4.1
  • FreeBSD 4.1.1
    cpe:2.3:o:freebsd:freebsd:4.1.1
  • cpe:2.3:o:freebsd:freebsd:4.1.1:release
    cpe:2.3:o:freebsd:freebsd:4.1.1:release
  • cpe:2.3:o:freebsd:freebsd:4.1.1:stable
    cpe:2.3:o:freebsd:freebsd:4.1.1:stable
  • FreeBSD 4.2
    cpe:2.3:o:freebsd:freebsd:4.2
  • cpe:2.3:o:freebsd:freebsd:4.2:stable
    cpe:2.3:o:freebsd:freebsd:4.2:stable
  • FreeBSD 4.3
    cpe:2.3:o:freebsd:freebsd:4.3
  • cpe:2.3:o:freebsd:freebsd:4.3:release
    cpe:2.3:o:freebsd:freebsd:4.3:release
  • cpe:2.3:o:freebsd:freebsd:4.3:release_p38
    cpe:2.3:o:freebsd:freebsd:4.3:release_p38
  • cpe:2.3:o:freebsd:freebsd:4.3:releng
    cpe:2.3:o:freebsd:freebsd:4.3:releng
  • cpe:2.3:o:freebsd:freebsd:4.3:stable
    cpe:2.3:o:freebsd:freebsd:4.3:stable
  • FreeBSD 4.4
    cpe:2.3:o:freebsd:freebsd:4.4
  • cpe:2.3:o:freebsd:freebsd:4.4:release_p42
    cpe:2.3:o:freebsd:freebsd:4.4:release_p42
  • cpe:2.3:o:freebsd:freebsd:4.4:releng
    cpe:2.3:o:freebsd:freebsd:4.4:releng
  • cpe:2.3:o:freebsd:freebsd:4.4:stable
    cpe:2.3:o:freebsd:freebsd:4.4:stable
  • FreeBSD 4.5
    cpe:2.3:o:freebsd:freebsd:4.5
  • cpe:2.3:o:freebsd:freebsd:4.5:release
    cpe:2.3:o:freebsd:freebsd:4.5:release
  • cpe:2.3:o:freebsd:freebsd:4.5:release_p32
    cpe:2.3:o:freebsd:freebsd:4.5:release_p32
  • cpe:2.3:o:freebsd:freebsd:4.5:releng
    cpe:2.3:o:freebsd:freebsd:4.5:releng
  • cpe:2.3:o:freebsd:freebsd:4.5:stable
    cpe:2.3:o:freebsd:freebsd:4.5:stable
  • FreeBSD 4.6
    cpe:2.3:o:freebsd:freebsd:4.6
  • cpe:2.3:o:freebsd:freebsd:4.6:release
    cpe:2.3:o:freebsd:freebsd:4.6:release
  • cpe:2.3:o:freebsd:freebsd:4.6:release_p20
    cpe:2.3:o:freebsd:freebsd:4.6:release_p20
  • cpe:2.3:o:freebsd:freebsd:4.6:releng
    cpe:2.3:o:freebsd:freebsd:4.6:releng
  • cpe:2.3:o:freebsd:freebsd:4.6:stable
    cpe:2.3:o:freebsd:freebsd:4.6:stable
  • FreeBSD 4.6.2
    cpe:2.3:o:freebsd:freebsd:4.6.2
  • FreeBSD 4.7
    cpe:2.3:o:freebsd:freebsd:4.7
  • cpe:2.3:o:freebsd:freebsd:4.7:release
    cpe:2.3:o:freebsd:freebsd:4.7:release
  • cpe:2.3:o:freebsd:freebsd:4.7:release_p17
    cpe:2.3:o:freebsd:freebsd:4.7:release_p17
  • cpe:2.3:o:freebsd:freebsd:4.7:releng
    cpe:2.3:o:freebsd:freebsd:4.7:releng
  • cpe:2.3:o:freebsd:freebsd:4.7:stable
    cpe:2.3:o:freebsd:freebsd:4.7:stable
  • FreeBSD 4.8
    cpe:2.3:o:freebsd:freebsd:4.8
  • cpe:2.3:o:freebsd:freebsd:4.8:pre-release
    cpe:2.3:o:freebsd:freebsd:4.8:pre-release
  • cpe:2.3:o:freebsd:freebsd:4.8:release_p6
    cpe:2.3:o:freebsd:freebsd:4.8:release_p6
  • cpe:2.3:o:freebsd:freebsd:4.8:releng
    cpe:2.3:o:freebsd:freebsd:4.8:releng
  • FreeBSD 4.9
    cpe:2.3:o:freebsd:freebsd:4.9
  • cpe:2.3:o:freebsd:freebsd:4.9:pre-release
    cpe:2.3:o:freebsd:freebsd:4.9:pre-release
  • cpe:2.3:o:freebsd:freebsd:4.9:releng
    cpe:2.3:o:freebsd:freebsd:4.9:releng
  • FreeBSD 4.10
    cpe:2.3:o:freebsd:freebsd:4.10
  • cpe:2.3:o:freebsd:freebsd:4.10:release
    cpe:2.3:o:freebsd:freebsd:4.10:release
  • cpe:2.3:o:freebsd:freebsd:4.10:release_p8
    cpe:2.3:o:freebsd:freebsd:4.10:release_p8
  • cpe:2.3:o:freebsd:freebsd:4.10:releng
    cpe:2.3:o:freebsd:freebsd:4.10:releng
  • cpe:2.3:o:freebsd:freebsd:4.11:release_p3
    cpe:2.3:o:freebsd:freebsd:4.11:release_p3
  • cpe:2.3:o:freebsd:freebsd:4.11:releng
    cpe:2.3:o:freebsd:freebsd:4.11:releng
  • cpe:2.3:o:freebsd:freebsd:4.11:stable
    cpe:2.3:o:freebsd:freebsd:4.11:stable
  • FreeBSD 5.0
    cpe:2.3:o:freebsd:freebsd:5.0
  • cpe:2.3:o:freebsd:freebsd:5.0:alpha
    cpe:2.3:o:freebsd:freebsd:5.0:alpha
  • cpe:2.3:o:freebsd:freebsd:5.0:release_p14
    cpe:2.3:o:freebsd:freebsd:5.0:release_p14
  • cpe:2.3:o:freebsd:freebsd:5.0:releng
    cpe:2.3:o:freebsd:freebsd:5.0:releng
  • FreeBSD 5.1
    cpe:2.3:o:freebsd:freebsd:5.1
  • cpe:2.3:o:freebsd:freebsd:5.1:alpha
    cpe:2.3:o:freebsd:freebsd:5.1:alpha
  • cpe:2.3:o:freebsd:freebsd:5.1:release
    cpe:2.3:o:freebsd:freebsd:5.1:release
  • cpe:2.3:o:freebsd:freebsd:5.1:release_p5
    cpe:2.3:o:freebsd:freebsd:5.1:release_p5
  • cpe:2.3:o:freebsd:freebsd:5.1:releng
    cpe:2.3:o:freebsd:freebsd:5.1:releng
  • FreeBSD 5.2
    cpe:2.3:o:freebsd:freebsd:5.2
  • cpe:2.3:o:freebsd:freebsd:5.2.1:release
    cpe:2.3:o:freebsd:freebsd:5.2.1:release
  • cpe:2.3:o:freebsd:freebsd:5.2.1:releng
    cpe:2.3:o:freebsd:freebsd:5.2.1:releng
  • FreeBSD 5.3
    cpe:2.3:o:freebsd:freebsd:5.3
  • cpe:2.3:o:freebsd:freebsd:5.3:release
    cpe:2.3:o:freebsd:freebsd:5.3:release
  • cpe:2.3:o:freebsd:freebsd:5.3:releng
    cpe:2.3:o:freebsd:freebsd:5.3:releng
  • cpe:2.3:o:freebsd:freebsd:5.3:stable
    cpe:2.3:o:freebsd:freebsd:5.3:stable
  • cpe:2.3:o:freebsd:freebsd:5.4:pre-release
    cpe:2.3:o:freebsd:freebsd:5.4:pre-release
  • cpe:2.3:o:freebsd:freebsd:5.4:release
    cpe:2.3:o:freebsd:freebsd:5.4:release
  • cpe:2.3:o:redhat:enterprise_linux:2.1:-:advanced_server
    cpe:2.3:o:redhat:enterprise_linux:2.1:-:advanced_server
  • cpe:2.3:o:redhat:enterprise_linux:2.1:-:advanced_server_ia64
    cpe:2.3:o:redhat:enterprise_linux:2.1:-:advanced_server_ia64
  • cpe:2.3:o:redhat:enterprise_linux:2.1:-:enterprise_server
    cpe:2.3:o:redhat:enterprise_linux:2.1:-:enterprise_server
  • cpe:2.3:o:redhat:enterprise_linux:2.1:-:enterprise_server_ia64
    cpe:2.3:o:redhat:enterprise_linux:2.1:-:enterprise_server_ia64
  • cpe:2.3:o:redhat:enterprise_linux:2.1:-:workstation
    cpe:2.3:o:redhat:enterprise_linux:2.1:-:workstation
  • cpe:2.3:o:redhat:enterprise_linux:2.1:-:workstation_ia64
    cpe:2.3:o:redhat:enterprise_linux:2.1:-:workstation_ia64
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:advanced_server
    cpe:2.3:o:redhat:enterprise_linux:3.0:-:advanced_server
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:enterprise_server
    cpe:2.3:o:redhat:enterprise_linux:3.0:-:enterprise_server
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:workstation_server
    cpe:2.3:o:redhat:enterprise_linux:3.0:-:workstation_server
  • cpe:2.3:o:redhat:enterprise_linux:4.0:-:advanced_server
    cpe:2.3:o:redhat:enterprise_linux:4.0:-:advanced_server
  • cpe:2.3:o:redhat:enterprise_linux:4.0:-:enterprise_server
    cpe:2.3:o:redhat:enterprise_linux:4.0:-:enterprise_server
  • cpe:2.3:o:redhat:enterprise_linux:4.0:-:workstation
    cpe:2.3:o:redhat:enterprise_linux:4.0:-:workstation
  • Red Hat Desktop 3.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:3.0
  • Red Hat Desktop 4.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:4.0
  • cpe:2.3:o:redhat:fedora_core:core_3.0
    cpe:2.3:o:redhat:fedora_core:core_3.0
  • cpe:2.3:o:sco:openserver:5.0.7
    cpe:2.3:o:sco:openserver:5.0.7
  • cpe:2.3:o:sco:unixware:7.1.3
    cpe:2.3:o:sco:unixware:7.1.3
  • cpe:2.3:o:sco:unixware:7.1.3_up
    cpe:2.3:o:sco:unixware:7.1.3_up
  • cpe:2.3:o:sco:unixware:7.1.4
    cpe:2.3:o:sco:unixware:7.1.4
  • cpe:2.3:o:sun:solaris:7.0:-:x86
    cpe:2.3:o:sun:solaris:7.0:-:x86
  • cpe:2.3:o:sun:solaris:8.0:-:x86
    cpe:2.3:o:sun:solaris:8.0:-:x86
  • cpe:2.3:o:sun:solaris:9.0:-:x86
    cpe:2.3:o:sun:solaris:9.0:-:x86
  • cpe:2.3:o:sun:solaris:9.0:x86_update_2
    cpe:2.3:o:sun:solaris:9.0:x86_update_2
  • cpe:2.3:o:sun:solaris:10.0:-:sparc
    cpe:2.3:o:sun:solaris:10.0:-:sparc
  • cpe:2.3:o:ubuntu:ubuntu_linux:4.1:-:ia64
    cpe:2.3:o:ubuntu:ubuntu_linux:4.1:-:ia64
  • cpe:2.3:o:ubuntu:ubuntu_linux:4.1:-:ppc
    cpe:2.3:o:ubuntu:ubuntu_linux:4.1:-:ppc
  • cpe:2.3:o:ubuntu:ubuntu_linux:5.04:-:amd64
    cpe:2.3:o:ubuntu:ubuntu_linux:5.04:-:amd64
  • cpe:2.3:o:ubuntu:ubuntu_linux:5.04:-:i386
    cpe:2.3:o:ubuntu:ubuntu_linux:5.04:-:i386
  • cpe:2.3:o:ubuntu:ubuntu_linux:5.04:-:powerpc
    cpe:2.3:o:ubuntu:ubuntu_linux:5.04:-:powerpc
CVSS
Base: 4.7 (as of 03-06-2005 - 03:59)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-476.NASL
    description Updated OpenSSL packages that fix security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Colin Percival reported a cache timing attack that could allow a malicious local user to gain portions of cryptographic keys. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-0109 to the issue. The OpenSSL library has been patched to add a new fixed-window mod_exp implementation as default for RSA, DSA, and DH private-key operations. This patch is designed to mitigate cache timing and potentially related attacks. A flaw was found in the way the der_chop script creates temporary files. It is possible that a malicious local user could cause der_chop to overwrite files (CVE-2004-0975). The der_chop script was deprecated and has been removed from these updated packages. Red Hat Enterprise Linux 4 did not ship der_chop and is therefore not vulnerable to this issue. Users are advised to update to these erratum packages which contain patches to correct these issues. Please note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 18409
    published 2005-06-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18409
    title RHEL 2.1 / 3 / 4 : openssl (RHSA-2005:476)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-476.NASL
    description Updated OpenSSL packages that fix security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Colin Percival reported a cache timing attack that could allow a malicious local user to gain portions of cryptographic keys. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-0109 to the issue. The OpenSSL library has been patched to add a new fixed-window mod_exp implementation as default for RSA, DSA, and DH private-key operations. This patch is designed to mitigate cache timing and potentially related attacks. A flaw was found in the way the der_chop script creates temporary files. It is possible that a malicious local user could cause der_chop to overwrite files (CVE-2004-0975). The der_chop script was deprecated and has been removed from these updated packages. Red Hat Enterprise Linux 4 did not ship der_chop and is therefore not vulnerable to this issue. Users are advised to update to these erratum packages which contain patches to correct these issues. Please note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21830
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21830
    title CentOS 3 / 4 : openssl (CESA-2005:476)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-131-1.NASL
    description Colin Percival discovered an information disclosure in the 'Hyper Threading Technology' architecture in processors which are capable of simultaneous multithreading (in particular Intel Pentium 4, Intel Mobile Pentium 4, and Intel Xeon processors). This allows a malicious thread to monitor the execution of another thread on the same CPU. This could be exploited to steal cryptographic keys, passwords, or other arbitrary data from unrelated processes. Since it is not possible to provide a safe patch in a short time, HyperThreading has been disabled in the updated kernel packages for now. You can manually enable HyperThreading again by passing the kernel parameter 'ht=on' at boot. (CAN-2005-0109) A Denial of Service vulnerability was discovered in the fib_seq_start() function(). This allowed a local user to crash the system by reading /proc/net/route in a certain way. (CAN-2005-1041) Paul Starzetz found an integer overflow in the ELF binary format loader's core dump function. By creating and executing a specially crafted ELF executable, a local attacker could exploit this to execute arbitrary code with root and kernel privileges. However, it is believed that this flaw is not actually exploitable on 2.6.x kernels (as shipped by Ubuntu). (CAN-2005-1263) Alexander Nyberg discovered a flaw in the keyring kernel module. This allowed a local attacker to cause a kernel crash on SMP machines by calling key_user_lookup() in a particular way. This vulnerability does not affect the kernel of Ubuntu 4.10. (CAN-2005-1368) The it87 and via686a hardware monitoring drivers created a sysfs file named 'alarms' with write permissions, but they are not designed to be writeable. This allowed a local user to crash the kernel by attempting to write to these files. (CAN-2005-1369) It was discovered that the drivers for raw devices (CAN-2005-1264) and pktcdvd devices (CAN-2005-1589) used the wrong function to pass arguments to the underlying block device. This made the kernel address space accessible to userspace applications. This allowed any local user with at least read access to a device in /dev/pktcdvd/* (usually members of the 'cdrom' group) or /dev/raw/* (usually only root) to execute arbitrary code with kernel privileges. Ubuntu 4.10's kernel is not affected by the pktcdvd flaw since it does not yet support packet CD writing. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-26
    plugin id 20522
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20522
    title Ubuntu 4.10 / 5.04 : linux-source-2.6.8.1, linux-source-2.6.10 vulnerabilities (USN-131-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-800.NASL
    description Updated OpenSSL packages that fix various security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. OpenSSL contained a software work-around for a bug in SSL handling in Microsoft Internet Explorer version 3.0.2. This work-around is enabled in most servers that use OpenSSL to provide support for SSL and TLS. Yutaka Oiwa discovered that this work-around could allow an attacker, acting as a 'man in the middle' to force an SSL connection to use SSL 2.0 rather than a stronger protocol such as SSL 3.0 or TLS 1.0. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2969 to this issue. A bug was also fixed in the way OpenSSL creates DSA signatures. A cache timing attack was fixed in RHSA-2005-476 which caused OpenSSL to do private key calculations with a fixed time window. The DSA fix for this was not complete and the calculations are not always performed within a fixed-window. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0109 to this issue. Users are advised to upgrade to these updated packages, which remove the MISE 3.0.2 work-around and contain patches to correct these issues. Note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 20050
    published 2005-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20050
    title RHEL 2.1 / 3 / 4 : openssl (RHSA-2005:800)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-111.NASL
    description Multiple vulnerabilities in the Linux kernel have been discovered and fixed in this update. The following have been fixed in the 2.4 kernels : Colin Percival discovered a vulnerability in Intel's Hyper-Threading technology could allow a local user to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys via a timing attack on memory cache misses. This has been corrected by disabling HT support in all kernels (CVE-2005-0109). When forwarding fragmented packets, a hardware assisted checksum could only be used once which could lead to a Denial of Service attack or crash by remote users (CVE-2005-0209). A flaw in the Linux PPP driver was found where on systems allowing remote users to connect to a server via PPP, a remote client could cause a crash, resulting in a Denial of Service (CVE-2005-0384). An information leak in the ext2 filesystem code was found where when a new directory is created, the ext2 block written to disk is not initialized (CVE-2005-0400). A signedness error in the copy_from_read_buf function in n_tty.c allows local users to read kernel memory via a negative argument (CVE-2005-0530). George Guninski discovered a buffer overflow in the ATM driver where the atm_get_addr() function does not validate its arguments sufficiently which could allow a local attacker to overwrite large portions of kernel memory by supplying a negative length argument. This could potentially lead to the execution of arbitrary code (CVE-2005-0531). A flaw when freeing a pointer in load_elf_library was found that could be abused by a local user to potentially crash the machine causing a Denial of Service (CVE-2005-0749). A problem with the Bluetooth kernel stack in kernels 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 could be used by a local attacker to gain root access or crash the machine (CVE-2005-0750). A race condition in the Radeon DRI driver allows a local user with DRI privileges to execute arbitrary code as root (CVE-2005-0767). Paul Starzetz found an integer overflow in the ELF binary format loader's code dump function in kernels prior to and including 2.4.31-pre1 and 2.6.12-rc4. By creating and executing a specially crafted ELF executable, a local attacker could exploit this to execute arbitrary code with root and kernel privileges (CVE-2005-1263).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 18599
    published 2005-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18599
    title Mandrake Linux Security Advisory : kernel-2.4 (MDKSA-2005:111)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-110.NASL
    description Multiple vulnerabilities in the Linux kernel have been discovered and fixed in this update. The following CVE names have been fixed in the LE2005 kernel : Colin Percival discovered a vulnerability in Intel's Hyper-Threading technology could allow a local user to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys via a timing attack on memory cache misses. This has been corrected by disabling HT support in all kernels (CVE-2005-0109). An information leak in the ext2 filesystem code in kernels prior to 2.6.11.6 was found where when a new directory is created, the ext2 block written to disk is not initialized (CVE-2005-0400). A flaw when freeing a pointer in load_elf_library was found in kernels prior to 2.6.11.6 that could be abused by a local user to potentially crash the machine causing a Denial of Service (CVE-2005-0749). A problem with the Bluetooth kernel stack in kernels 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 could be used by a local attacker to gain root access or crash the machine (CVE-2005-0750). Paul Starzetz found an integer overflow in the ELF binary format loader's code dump function in kernels prior to and including 2.4.31-pre1 and 2.6.12-rc4. By creating and executing a specially crafted ELF executable, a local attacker could exploit this to execute arbitrary code with root and kernel privileges (CVE-2005-1263). The drivers for raw devices used the wrong function to pass arguments to the underlying block device in 2.6.x kernels. This made the kernel address space accessible to user-space applications allowing any local user with at least read access to a device in /dev/raw/* (usually only root) to execute arbitrary code with kernel privileges (CVE-2005-1264). The it87 and via686a hardware monitor drivers in kernels prior to 2.6.11.8 and 2.6.12 prior to 2.6.12-rc2 created a sysfs file named 'alarms' with write permissions although they are not designed to be writable. This allowed a local user to crash the kernel by attempting to write to these files (CVE-2005-1369). In addition to the above-noted CVE-2005-0109, CVE-2005-0400, CVE-2005-0749, CVE-2005-0750, and CVE-2005-1369 fixes, the following CVE names have been fixed in the 10.1 kernel : The POSIX Capability Linux Security Module (LSM) for 2.6 kernels up to and including 2.6.8.1 did not properly handle the credentials of a process that is launched before the module is loaded, which could be used by local attackers to gain elevated privileges (CVE-2004-1337). A flaw in the Linux PPP driver in kernel 2.6.8.1 was found where on systems allowing remote users to connect to a server via PPP, a remote client could cause a crash, resulting in a Denial of Service (CVE-2005-0384). George Guninski discovered a buffer overflow in the ATM driver in kernels 2.6.10 and 2.6.11 before 2.6.11-rc4 where the atm_get_addr() function does not validate its arguments sufficiently which could allow a local attacker to overwrite large portions of kernel memory by supplying a negative length argument. This could potentially lead to the execution of arbitrary code (CVE-2005-0531). The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c before kernel 2.6.11, when running on 64-bit architectures, could allow local users to trigger a buffer overflow as a result of casting discrepancies between size_t and int data types. This could allow an attacker to overwrite kernel memory, crash the machine, or potentially obtain root access (CVE-2005-0532). A race condition in the Radeon DRI driver in kernel 2.6.8.1 allows a local user with DRI privileges to execute arbitrary code as root (CVE-2005-0767). Access was not restricted to the N_MOUSE discipline for a TTY in kernels prior to 2.6.11. This could allow local attackers to obtain elevated privileges by injecting mouse or keyboard events into other user's sessions (CVE-2005-0839). Some futex functions in futex.c in 2.6 kernels performed get_user calls while holding the mmap_sem semaphore, which could allow a local attacker to cause a deadlock condition in do_page_fault by triggering get_user faults while another thread is executing mmap or other functions (CVE-2005-0937). In addition to the above-noted CVE-2004-1337, CVE-2005-0109, CVE-2005-0384, CVE-2005-0400, CVE-2005-0531, CVE-2005-0532, CVE-2005-0749, CVE-2005-0750, CVE-2005-0767, CVE-2005-0839, CVE-2005-0937, CVE-2005-1263, CVE-2005-1264, and CVE-2005-1369 fixes, the following CVE names have been fixed in the 10.0/ Corporate 3.0 kernels : A race condition in the setsid function in kernels before 2.6.8.1 could allow a local attacker to cause a Denial of Service and possibly access portions of kernel memory related to TTY changes, locking, and semaphores (CVE-2005-0178). When forwarding fragmented packets in kernel 2.6.8.1, a hardware assisted checksum could only be used once which could lead to a Denial of Service attack or crash by remote users (CVE-2005-0209). A signedness error in the copy_from_read_buf function in n_tty.c before kernel 2.6.11 allows local users to read kernel memory via a negative argument (CVE-2005-0530). A vulnerability in the fib_seq_start() function allowed a local user to crash the system by readiung /proc/net/route in a certain way, causing a Denial of Service (CVE-2005-1041). A vulnerability in the Direct Rendering Manager (DRM) driver in the 2.6 kernel does not properly check the DMA lock, which could allow remote attackers or local users to cause a Denial of Service (X Server crash) and possibly modify the video output (CVE-2004-1056).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 18598
    published 2005-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18598
    title Mandrake Linux Security Advisory : kernel (MDKSA-2005:110)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-800.NASL
    description Updated OpenSSL packages that fix various security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. OpenSSL contained a software work-around for a bug in SSL handling in Microsoft Internet Explorer version 3.0.2. This work-around is enabled in most servers that use OpenSSL to provide support for SSL and TLS. Yutaka Oiwa discovered that this work-around could allow an attacker, acting as a 'man in the middle' to force an SSL connection to use SSL 2.0 rather than a stronger protocol such as SSL 3.0 or TLS 1.0. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2969 to this issue. A bug was also fixed in the way OpenSSL creates DSA signatures. A cache timing attack was fixed in RHSA-2005-476 which caused OpenSSL to do private key calculations with a fixed time window. The DSA fix for this was not complete and the calculations are not always performed within a fixed-window. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0109 to this issue. Users are advised to upgrade to these updated packages, which remove the MISE 3.0.2 work-around and contain patches to correct these issues. Note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21861
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21861
    title CentOS 3 / 4 : openssl (CESA-2005:800)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-096.NASL
    description Colin Percival reported a cache timing attack that could be used to allow a malicious local user to gain portions of cryptographic keys (CVE-2005-0109). The OpenSSL library has been patched to add a new fixed-window mod_exp implementation as default for RSA, DSA, and DH private key operations. The patch was designed to mitigate cache timing and possibly related attacks.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 18434
    published 2005-06-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18434
    title Mandrake Linux Security Advisory : openssl (MDKSA-2005:096)
oval via4
accepted 2013-04-29T04:21:49.525-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Hyper-Threading technology, as used in FreeBSD and other operating systems that are run on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses.
family unix
id oval:org.mitre.oval:def:9747
status accepted
submitted 2010-07-09T03:56:16-04:00
title Hyper-Threading technology, as used in FreeBSD and other operating systems that are run on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses.
version 23
redhat via4
advisories
  • rhsa
    id RHSA-2005:476
  • rhsa
    id RHSA-2005:800
refmap via4
bid 12724
cert-vn VU#911878
freebsd FreeBSD-SA-05:09
misc
mlist
  • [freebsd-hackers] 20050304 Re: FW:FreeBSD hiding security stuff
  • [freebsd-security] 20050304 [Fwd: Re: FW:FreeBSD hiding security stuff]
  • [openbsd-misc] 20050304 Re: FreeBSD hiding security stuff
sco SCOSA-2005.24
sectrack 1013967
secunia
  • 15348
  • 18165
sunalert 101739
vupen
  • ADV-2005-0540
  • ADV-2005-3002
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 17-10-2016 - 23:07
Published 05-03-2005 - 00:00
Last modified 16-10-2018 - 08:06
Back to Top