ID CVE-2005-1041
Summary The fib_seq_start function in fib_hash.c in Linux kernel allows local users to cause a denial of service (system crash) via /proc/net/route.
References
Vulnerable Configurations
  • Linux Kernel 2.6.20.1
    cpe:2.3:o:linux:linux_kernel:2.6.20.1
CVSS
Base: 2.1 (as of 14-06-2005 - 11:05)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-131-1.NASL
    description Colin Percival discovered an information disclosure in the 'Hyper Threading Technology' architecture in processors which are capable of simultaneous multithreading (in particular Intel Pentium 4, Intel Mobile Pentium 4, and Intel Xeon processors). This allows a malicious thread to monitor the execution of another thread on the same CPU. This could be exploited to steal cryptographic keys, passwords, or other arbitrary data from unrelated processes. Since it is not possible to provide a safe patch in a short time, HyperThreading has been disabled in the updated kernel packages for now. You can manually enable HyperThreading again by passing the kernel parameter 'ht=on' at boot. (CAN-2005-0109) A Denial of Service vulnerability was discovered in the fib_seq_start() function(). This allowed a local user to crash the system by reading /proc/net/route in a certain way. (CAN-2005-1041) Paul Starzetz found an integer overflow in the ELF binary format loader's core dump function. By creating and executing a specially crafted ELF executable, a local attacker could exploit this to execute arbitrary code with root and kernel privileges. However, it is believed that this flaw is not actually exploitable on 2.6.x kernels (as shipped by Ubuntu). (CAN-2005-1263) Alexander Nyberg discovered a flaw in the keyring kernel module. This allowed a local attacker to cause a kernel crash on SMP machines by calling key_user_lookup() in a particular way. This vulnerability does not affect the kernel of Ubuntu 4.10. (CAN-2005-1368) The it87 and via686a hardware monitoring drivers created a sysfs file named 'alarms' with write permissions, but they are not designed to be writeable. This allowed a local user to crash the kernel by attempting to write to these files. (CAN-2005-1369) It was discovered that the drivers for raw devices (CAN-2005-1264) and pktcdvd devices (CAN-2005-1589) used the wrong function to pass arguments to the underlying block device. This made the kernel address space accessible to userspace applications. This allowed any local user with at least read access to a device in /dev/pktcdvd/* (usually members of the 'cdrom' group) or /dev/raw/* (usually only root) to execute arbitrary code with kernel privileges. Ubuntu 4.10's kernel is not affected by the pktcdvd flaw since it does not yet support packet CD writing. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-26
    plugin id 20522
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20522
    title Ubuntu 4.10 / 5.04 : linux-source-2.6.8.1, linux-source-2.6.10 vulnerabilities (USN-131-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-110.NASL
    description Multiple vulnerabilities in the Linux kernel have been discovered and fixed in this update. The following CVE names have been fixed in the LE2005 kernel : Colin Percival discovered a vulnerability in Intel's Hyper-Threading technology could allow a local user to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys via a timing attack on memory cache misses. This has been corrected by disabling HT support in all kernels (CVE-2005-0109). An information leak in the ext2 filesystem code in kernels prior to 2.6.11.6 was found where when a new directory is created, the ext2 block written to disk is not initialized (CVE-2005-0400). A flaw when freeing a pointer in load_elf_library was found in kernels prior to 2.6.11.6 that could be abused by a local user to potentially crash the machine causing a Denial of Service (CVE-2005-0749). A problem with the Bluetooth kernel stack in kernels 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 could be used by a local attacker to gain root access or crash the machine (CVE-2005-0750). Paul Starzetz found an integer overflow in the ELF binary format loader's code dump function in kernels prior to and including 2.4.31-pre1 and 2.6.12-rc4. By creating and executing a specially crafted ELF executable, a local attacker could exploit this to execute arbitrary code with root and kernel privileges (CVE-2005-1263). The drivers for raw devices used the wrong function to pass arguments to the underlying block device in 2.6.x kernels. This made the kernel address space accessible to user-space applications allowing any local user with at least read access to a device in /dev/raw/* (usually only root) to execute arbitrary code with kernel privileges (CVE-2005-1264). The it87 and via686a hardware monitor drivers in kernels prior to 2.6.11.8 and 2.6.12 prior to 2.6.12-rc2 created a sysfs file named 'alarms' with write permissions although they are not designed to be writable. This allowed a local user to crash the kernel by attempting to write to these files (CVE-2005-1369). In addition to the above-noted CVE-2005-0109, CVE-2005-0400, CVE-2005-0749, CVE-2005-0750, and CVE-2005-1369 fixes, the following CVE names have been fixed in the 10.1 kernel : The POSIX Capability Linux Security Module (LSM) for 2.6 kernels up to and including 2.6.8.1 did not properly handle the credentials of a process that is launched before the module is loaded, which could be used by local attackers to gain elevated privileges (CVE-2004-1337). A flaw in the Linux PPP driver in kernel 2.6.8.1 was found where on systems allowing remote users to connect to a server via PPP, a remote client could cause a crash, resulting in a Denial of Service (CVE-2005-0384). George Guninski discovered a buffer overflow in the ATM driver in kernels 2.6.10 and 2.6.11 before 2.6.11-rc4 where the atm_get_addr() function does not validate its arguments sufficiently which could allow a local attacker to overwrite large portions of kernel memory by supplying a negative length argument. This could potentially lead to the execution of arbitrary code (CVE-2005-0531). The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c before kernel 2.6.11, when running on 64-bit architectures, could allow local users to trigger a buffer overflow as a result of casting discrepancies between size_t and int data types. This could allow an attacker to overwrite kernel memory, crash the machine, or potentially obtain root access (CVE-2005-0532). A race condition in the Radeon DRI driver in kernel 2.6.8.1 allows a local user with DRI privileges to execute arbitrary code as root (CVE-2005-0767). Access was not restricted to the N_MOUSE discipline for a TTY in kernels prior to 2.6.11. This could allow local attackers to obtain elevated privileges by injecting mouse or keyboard events into other user's sessions (CVE-2005-0839). Some futex functions in futex.c in 2.6 kernels performed get_user calls while holding the mmap_sem semaphore, which could allow a local attacker to cause a deadlock condition in do_page_fault by triggering get_user faults while another thread is executing mmap or other functions (CVE-2005-0937). In addition to the above-noted CVE-2004-1337, CVE-2005-0109, CVE-2005-0384, CVE-2005-0400, CVE-2005-0531, CVE-2005-0532, CVE-2005-0749, CVE-2005-0750, CVE-2005-0767, CVE-2005-0839, CVE-2005-0937, CVE-2005-1263, CVE-2005-1264, and CVE-2005-1369 fixes, the following CVE names have been fixed in the 10.0/ Corporate 3.0 kernels : A race condition in the setsid function in kernels before 2.6.8.1 could allow a local attacker to cause a Denial of Service and possibly access portions of kernel memory related to TTY changes, locking, and semaphores (CVE-2005-0178). When forwarding fragmented packets in kernel 2.6.8.1, a hardware assisted checksum could only be used once which could lead to a Denial of Service attack or crash by remote users (CVE-2005-0209). A signedness error in the copy_from_read_buf function in n_tty.c before kernel 2.6.11 allows local users to read kernel memory via a negative argument (CVE-2005-0530). A vulnerability in the fib_seq_start() function allowed a local user to crash the system by readiung /proc/net/route in a certain way, causing a Denial of Service (CVE-2005-1041). A vulnerability in the Direct Rendering Manager (DRM) driver in the 2.6 kernel does not properly check the DMA lock, which could allow remote attackers or local users to cause a Denial of Service (X Server crash) and possibly modify the video output (CVE-2004-1056).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 18598
    published 2005-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18598
    title Mandrake Linux Security Advisory : kernel (MDKSA-2005:110)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-366.NASL
    description Updated kernel packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 9 August 2005] The advisory text has been updated to show that this update fixed the security issue named CVE-2005-0210 but not CVE-2005-0209. The issue CVE-2005-0209 was actually fixed by RHSA-2005:420. No changes have been made to the packages associated with this advisory. The Linux kernel handles the basic functions of the operating system. A flaw in the fib_seq_start function was discovered. A local user could use this flaw to cause a denial of service (system crash) via /proc/net/route. (CVE-2005-1041) A flaw in the tmpfs file system was discovered. A local user could use this flaw to cause a denial of service (system crash). (CVE-2005-0977) An integer overflow flaw was found when writing to a sysfs file. A local user could use this flaw to overwrite kernel memory, causing a denial of service (system crash) or arbitrary code execution. (CVE-2005-0867) Keith Owens reported a flaw in the Itanium unw_unwind_to_user function. A local user could use this flaw to cause a denial of service (system crash) on Itanium architectures. (CVE-2005-0135) A flaw in the NFS client O_DIRECT error case handling was discovered. A local user could use this flaw to cause a denial of service (system crash). (CVE-2005-0207) A small memory leak when defragmenting local packets was discovered that affected the Linux 2.6 kernel netfilter subsystem. A local user could send a large number of carefully crafted fragments leading to memory exhaustion (CVE-2005-0210) A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CVE-2005-0384) A flaw was discovered in the ext2 file system code. When a new directory is created, the ext2 block written to disk is not initialized, which could lead to an information leak if a disk image is made available to unprivileged users. (CVE-2005-0400) A flaw in fragment queuing was discovered that affected the Linux kernel netfilter subsystem. On systems configured to filter or process network packets (e.g. firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to sucessfully exploit this flaw, the attacker would need to know or guess some aspects of the firewall ruleset on the target system. (CVE-2005-0449) A number of flaws were found in the Linux 2.6 kernel. A local user could use these flaws to read kernel memory or cause a denial of service (crash). (CVE-2005-0529, CVE-2005-0530, CVE-2005-0531) An integer overflow in sys_epoll_wait in eventpoll.c was discovered. A local user could use this flaw to overwrite low kernel memory. This memory is usually unused, not usually resulting in a security consequence. (CVE-2005-0736) A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (crash). (CVE-2005-0749) A flaw was discovered in the bluetooth driver system. On systems where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CVE-2005-0750) A race condition was discovered that affected the Radeon DRI driver. A local user who has DRI privileges on a Radeon graphics card may be able to use this flaw to gain root privileges. (CVE-2005-0767) Multiple range checking flaws were discovered in the iso9660 file system handler. An attacker could create a malicious file system image which would cause a denial or service or potentially execute arbitrary code if mounted. (CVE-2005-0815) A flaw was discovered when setting line discipline on a serial tty. A local user may be able to use this flaw to inject mouse movements or keystrokes when another user is logged in. (CVE-2005-0839) Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Please note that
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 18095
    published 2005-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18095
    title RHEL 4 : kernel (RHSA-2005:366)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-366.NASL
    description Updated kernel packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 9 August 2005] The advisory text has been updated to show that this update fixed the security issue named CVE-2005-0210 but not CVE-2005-0209. The issue CVE-2005-0209 was actually fixed by RHSA-2005:420. No changes have been made to the packages associated with this advisory. The Linux kernel handles the basic functions of the operating system. A flaw in the fib_seq_start function was discovered. A local user could use this flaw to cause a denial of service (system crash) via /proc/net/route. (CVE-2005-1041) A flaw in the tmpfs file system was discovered. A local user could use this flaw to cause a denial of service (system crash). (CVE-2005-0977) An integer overflow flaw was found when writing to a sysfs file. A local user could use this flaw to overwrite kernel memory, causing a denial of service (system crash) or arbitrary code execution. (CVE-2005-0867) Keith Owens reported a flaw in the Itanium unw_unwind_to_user function. A local user could use this flaw to cause a denial of service (system crash) on Itanium architectures. (CVE-2005-0135) A flaw in the NFS client O_DIRECT error case handling was discovered. A local user could use this flaw to cause a denial of service (system crash). (CVE-2005-0207) A small memory leak when defragmenting local packets was discovered that affected the Linux 2.6 kernel netfilter subsystem. A local user could send a large number of carefully crafted fragments leading to memory exhaustion (CVE-2005-0210) A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CVE-2005-0384) A flaw was discovered in the ext2 file system code. When a new directory is created, the ext2 block written to disk is not initialized, which could lead to an information leak if a disk image is made available to unprivileged users. (CVE-2005-0400) A flaw in fragment queuing was discovered that affected the Linux kernel netfilter subsystem. On systems configured to filter or process network packets (e.g. firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to sucessfully exploit this flaw, the attacker would need to know or guess some aspects of the firewall ruleset on the target system. (CVE-2005-0449) A number of flaws were found in the Linux 2.6 kernel. A local user could use these flaws to read kernel memory or cause a denial of service (crash). (CVE-2005-0529, CVE-2005-0530, CVE-2005-0531) An integer overflow in sys_epoll_wait in eventpoll.c was discovered. A local user could use this flaw to overwrite low kernel memory. This memory is usually unused, not usually resulting in a security consequence. (CVE-2005-0736) A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (crash). (CVE-2005-0749) A flaw was discovered in the bluetooth driver system. On systems where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CVE-2005-0750) A race condition was discovered that affected the Radeon DRI driver. A local user who has DRI privileges on a Radeon graphics card may be able to use this flaw to gain root privileges. (CVE-2005-0767) Multiple range checking flaws were discovered in the iso9660 file system handler. An attacker could create a malicious file system image which would cause a denial or service or potentially execute arbitrary code if mounted. (CVE-2005-0815) A flaw was discovered when setting line discipline on a serial tty. A local user may be able to use this flaw to inject mouse movements or keystrokes when another user is logged in. (CVE-2005-0839) Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Please note that
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21928
    published 2006-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21928
    title CentOS 3 / 4 : kernel (CESA-2005:366)
oval via4
accepted 2013-04-29T04:19:42.878-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description The fib_seq_start function in fib_hash.c in Linux kernel allows local users to cause a denial of service (system crash) via /proc/net/route.
family unix
id oval:org.mitre.oval:def:9487
status accepted
submitted 2010-07-09T03:56:16-04:00
title The fib_seq_start function in fib_hash.c in Linux kernel allows local users to cause a denial of service (system crash) via /proc/net/route.
version 23
redhat via4
advisories
rhsa
id RHSA-2005:366
refmap via4
bid 13267
fedora FLSA:157459-3
mlist [bk-commits-head] 20050319 [PATCH] Fix crash while reading /proc/net/route
secunia 17918
suse SUSE-SA:2005:068
Last major update 17-10-2016 - 23:16
Published 02-05-2005 - 00:00
Last modified 19-10-2018 - 11:31
Back to Top