ID CVE-2005-2709
Summary The sysctl functionality (sysctl.c) in Linux kernel before 2.6.14.1 allows local users to cause a denial of service (kernel oops) and possibly execute code by opening an interface file in /proc/sys/net/ipv4/conf/, waiting until the interface is unregistered, then obtaining and modifying function pointers in memory that was used for the ctl_table.
References
Vulnerable Configurations
  • cpe:2.3:o:linux:linux_kernel:2.2.27
    cpe:2.3:o:linux:linux_kernel:2.2.27
  • Linux Kernel 2.4.1
    cpe:2.3:o:linux:linux_kernel:2.4.1
  • Linux Kernel 2.4.2
    cpe:2.3:o:linux:linux_kernel:2.4.2
  • Linux Kernel 2.4.3
    cpe:2.3:o:linux:linux_kernel:2.4.3
  • Linux Kernel 2.4.4
    cpe:2.3:o:linux:linux_kernel:2.4.4
  • Linux Kernel 2.4.5
    cpe:2.3:o:linux:linux_kernel:2.4.5
  • Linux Kernel 2.4.6
    cpe:2.3:o:linux:linux_kernel:2.4.6
  • Linux Kernel 2.4.7
    cpe:2.3:o:linux:linux_kernel:2.4.7
  • Linux Kernel 2.4.8
    cpe:2.3:o:linux:linux_kernel:2.4.8
  • Linux Kernel 2.4.9
    cpe:2.3:o:linux:linux_kernel:2.4.9
  • Linux Kernel 2.4.10
    cpe:2.3:o:linux:linux_kernel:2.4.10
  • Linux Kernel 2.4.11
    cpe:2.3:o:linux:linux_kernel:2.4.11
  • Linux Kernel 2.4.12
    cpe:2.3:o:linux:linux_kernel:2.4.12
  • Linux Kernel 2.4.13
    cpe:2.3:o:linux:linux_kernel:2.4.13
  • Linux Kernel 2.4.14
    cpe:2.3:o:linux:linux_kernel:2.4.14
  • Linux Kernel 2.4.15
    cpe:2.3:o:linux:linux_kernel:2.4.15
  • Linux Kernel 2.4.16
    cpe:2.3:o:linux:linux_kernel:2.4.16
  • Linux Kernel 2.4.17
    cpe:2.3:o:linux:linux_kernel:2.4.17
  • Linux Kernel 2.4.18
    cpe:2.3:o:linux:linux_kernel:2.4.18
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-1
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-1
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-2
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-2
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-3
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-3
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-4
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-4
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-5
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-5
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-6
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-6
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-7
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-7
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-8
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-8
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:x86
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:x86
  • Linux Kernel 2.4.19
    cpe:2.3:o:linux:linux_kernel:2.4.19
  • cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre1
    cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre1
  • cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre2
    cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre2
  • cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre3
    cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre3
  • cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre4
    cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre4
  • cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre5
    cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre5
  • cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre6
    cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre6
  • Linux Kernel 2.4.20
    cpe:2.3:o:linux:linux_kernel:2.4.20
  • Linux Kernel 2.4.21
    cpe:2.3:o:linux:linux_kernel:2.4.21
  • cpe:2.3:o:linux:linux_kernel:2.4.21:-:-pre1
    cpe:2.3:o:linux:linux_kernel:2.4.21:-:-pre1
  • cpe:2.3:o:linux:linux_kernel:2.4.21:-:-pre4
    cpe:2.3:o:linux:linux_kernel:2.4.21:-:-pre4
  • cpe:2.3:o:linux:linux_kernel:2.4.21:-:-pre7
    cpe:2.3:o:linux:linux_kernel:2.4.21:-:-pre7
  • Linux Kernel 2.4.22
    cpe:2.3:o:linux:linux_kernel:2.4.22
  • Linux Kernel 2.4.23
    cpe:2.3:o:linux:linux_kernel:2.4.23
  • cpe:2.3:o:linux:linux_kernel:2.4.23:-:-ow2
    cpe:2.3:o:linux:linux_kernel:2.4.23:-:-ow2
  • cpe:2.3:o:linux:linux_kernel:2.4.23:-:-pre9
    cpe:2.3:o:linux:linux_kernel:2.4.23:-:-pre9
  • Linux Kernel 2.4.24
    cpe:2.3:o:linux:linux_kernel:2.4.24
  • cpe:2.3:o:linux:linux_kernel:2.4.24:-:-ow1
    cpe:2.3:o:linux:linux_kernel:2.4.24:-:-ow1
  • Linux Kernel 2.4.25
    cpe:2.3:o:linux:linux_kernel:2.4.25
  • Linux Kernel 2.4.26
    cpe:2.3:o:linux:linux_kernel:2.4.26
  • Linux Kernel 2.4.27
    cpe:2.3:o:linux:linux_kernel:2.4.27
  • cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre1
    cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre1
  • cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre2
    cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre2
  • cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre3
    cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre3
  • cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre4
    cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre4
  • cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre5
    cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre5
  • Linux Kernel 2.4.28
    cpe:2.3:o:linux:linux_kernel:2.4.28
  • Linux Kernel 2.4.29
    cpe:2.3:o:linux:linux_kernel:2.4.29
  • cpe:2.3:o:linux:linux_kernel:2.4.29:-rc1
    cpe:2.3:o:linux:linux_kernel:2.4.29:-rc1
  • cpe:2.3:o:linux:linux_kernel:2.4.29:-rc2
    cpe:2.3:o:linux:linux_kernel:2.4.29:-rc2
  • Linux Kernel 2.4.30
    cpe:2.3:o:linux:linux_kernel:2.4.30
  • Linux Kernel 2.4.30 rc2
    cpe:2.3:o:linux:linux_kernel:2.4.30:rc2
  • Linux Kernel 2.4.30 rc3
    cpe:2.3:o:linux:linux_kernel:2.4.30:rc3
  • Linux Kernel 2.4.31
    cpe:2.3:o:linux:linux_kernel:2.4.31
  • cpe:2.3:o:linux:linux_kernel:2.4.31:-pre1
    cpe:2.3:o:linux:linux_kernel:2.4.31:-pre1
  • Linux Kernel 2.4.32
    cpe:2.3:o:linux:linux_kernel:2.4.32
  • cpe:2.3:o:linux:linux_kernel:2.4.32:-pre1
    cpe:2.3:o:linux:linux_kernel:2.4.32:-pre1
  • cpe:2.3:o:linux:linux_kernel:2.4.32:-pre2
    cpe:2.3:o:linux:linux_kernel:2.4.32:-pre2
  • Linux Kernel 2.4.33
    cpe:2.3:o:linux:linux_kernel:2.4.33
  • cpe:2.3:o:linux:linux_kernel:2.4.33:p-re1
    cpe:2.3:o:linux:linux_kernel:2.4.33:p-re1
  • Linux Kernel 2.4.33.1
    cpe:2.3:o:linux:linux_kernel:2.4.33.1
  • Linux Kernel 2.4.33.2
    cpe:2.3:o:linux:linux_kernel:2.4.33.2
  • Linux Kernel 2.4.33.3
    cpe:2.3:o:linux:linux_kernel:2.4.33.3
  • Linux Kernel 2.4.33.4
    cpe:2.3:o:linux:linux_kernel:2.4.33.4
  • Linux Kernel 2.4.33.5
    cpe:2.3:o:linux:linux_kernel:2.4.33.5
  • cpe:2.3:o:linux:linux_kernel:2.4.33.7
    cpe:2.3:o:linux:linux_kernel:2.4.33.7
  • Linux Kernel 2.4.34
    cpe:2.3:o:linux:linux_kernel:2.4.34
  • Linux Kernel 2.4.34.1
    cpe:2.3:o:linux:linux_kernel:2.4.34.1
  • Linux Kernel 2.4.34.2
    cpe:2.3:o:linux:linux_kernel:2.4.34.2
  • cpe:2.3:o:linux:linux_kernel:2.4.34.3
    cpe:2.3:o:linux:linux_kernel:2.4.34.3
  • cpe:2.3:o:linux:linux_kernel:2.4.34.4
    cpe:2.3:o:linux:linux_kernel:2.4.34.4
  • cpe:2.3:o:linux:linux_kernel:2.4.34.5
    cpe:2.3:o:linux:linux_kernel:2.4.34.5
  • cpe:2.3:o:linux:linux_kernel:2.4.34.6
    cpe:2.3:o:linux:linux_kernel:2.4.34.6
  • cpe:2.3:o:linux:linux_kernel:2.4.35.1
    cpe:2.3:o:linux:linux_kernel:2.4.35.1
  • Linux Kernel 2.4.35.2
    cpe:2.3:o:linux:linux_kernel:2.4.35.2
  • cpe:2.3:o:linux:linux_kernel:2.4.35.3
    cpe:2.3:o:linux:linux_kernel:2.4.35.3
  • cpe:2.3:o:linux:linux_kernel:2.4.35.4
    cpe:2.3:o:linux:linux_kernel:2.4.35.4
  • cpe:2.3:o:linux:linux_kernel:2.4.35.5
    cpe:2.3:o:linux:linux_kernel:2.4.35.5
  • cpe:2.3:o:linux:linux_kernel:2.4.36
    cpe:2.3:o:linux:linux_kernel:2.4.36
  • cpe:2.3:o:linux:linux_kernel:2.4.36.1
    cpe:2.3:o:linux:linux_kernel:2.4.36.1
  • cpe:2.3:o:linux:linux_kernel:2.4.36.2
    cpe:2.3:o:linux:linux_kernel:2.4.36.2
  • cpe:2.3:o:linux:linux_kernel:2.4.36.3
    cpe:2.3:o:linux:linux_kernel:2.4.36.3
  • cpe:2.3:o:linux:linux_kernel:2.4.36.4
    cpe:2.3:o:linux:linux_kernel:2.4.36.4
  • cpe:2.3:o:linux:linux_kernel:2.4.36.5
    cpe:2.3:o:linux:linux_kernel:2.4.36.5
  • cpe:2.3:o:linux:linux_kernel:2.4.36.6
    cpe:2.3:o:linux:linux_kernel:2.4.36.6
  • cpe:2.3:o:linux:linux_kernel:2.4.36.7
    cpe:2.3:o:linux:linux_kernel:2.4.36.7
  • cpe:2.3:o:linux:linux_kernel:2.4.36.8
    cpe:2.3:o:linux:linux_kernel:2.4.36.8
  • cpe:2.3:o:linux:linux_kernel:2.4.36.9
    cpe:2.3:o:linux:linux_kernel:2.4.36.9
  • cpe:2.3:o:linux:linux_kernel:2.4.37
    cpe:2.3:o:linux:linux_kernel:2.4.37
  • cpe:2.3:o:linux:linux_kernel:2.4.37:-rc1
    cpe:2.3:o:linux:linux_kernel:2.4.37:-rc1
  • cpe:2.3:o:linux:linux_kernel:2.4.37.1
    cpe:2.3:o:linux:linux_kernel:2.4.37.1
  • cpe:2.3:o:linux:linux_kernel:2.4.37.2
    cpe:2.3:o:linux:linux_kernel:2.4.37.2
  • cpe:2.3:o:linux:linux_kernel:2.4.37.3
    cpe:2.3:o:linux:linux_kernel:2.4.37.3
  • cpe:2.3:o:linux:linux_kernel:2.4.37.4
    cpe:2.3:o:linux:linux_kernel:2.4.37.4
  • cpe:2.3:o:linux:linux_kernel:2.4.37.5
    cpe:2.3:o:linux:linux_kernel:2.4.37.5
  • cpe:2.3:o:linux:linux_kernel:2.4.37.6
    cpe:2.3:o:linux:linux_kernel:2.4.37.6
  • Linux Kernel 2.6.0
    cpe:2.3:o:linux:linux_kernel:2.6.0
  • Linux Kernel 2.6.1
    cpe:2.3:o:linux:linux_kernel:2.6.1
  • Linux Kernel 2.6.10
    cpe:2.3:o:linux:linux_kernel:2.6.10
  • Linux Kernel 2.6.11
    cpe:2.3:o:linux:linux_kernel:2.6.11
  • Linux Kernel 2.6.11.1
    cpe:2.3:o:linux:linux_kernel:2.6.11.1
  • Linux Kernel 2.6.11.2
    cpe:2.3:o:linux:linux_kernel:2.6.11.2
  • Linux Kernel 2.6.11.3
    cpe:2.3:o:linux:linux_kernel:2.6.11.3
  • Linux Kernel 2.6.11.4
    cpe:2.3:o:linux:linux_kernel:2.6.11.4
  • Linux Kernel 2.6.11.5
    cpe:2.3:o:linux:linux_kernel:2.6.11.5
  • Linux Kernel 2.6.11.6
    cpe:2.3:o:linux:linux_kernel:2.6.11.6
  • Linux Kernel 2.6.11.7
    cpe:2.3:o:linux:linux_kernel:2.6.11.7
  • Linux Kernel 2.6.11.8
    cpe:2.3:o:linux:linux_kernel:2.6.11.8
  • Linux Kernel 2.6.11.9
    cpe:2.3:o:linux:linux_kernel:2.6.11.9
  • Linux Kernel 2.6.11.10
    cpe:2.3:o:linux:linux_kernel:2.6.11.10
  • Linux Kernel 2.6.11.11
    cpe:2.3:o:linux:linux_kernel:2.6.11.11
  • Linux Kernel 2.6.11.12
    cpe:2.3:o:linux:linux_kernel:2.6.11.12
  • Linux Kernel 2.6.12
    cpe:2.3:o:linux:linux_kernel:2.6.12
  • Linux Kernel 2.6.12.1
    cpe:2.3:o:linux:linux_kernel:2.6.12.1
  • Linux Kernel 2.6.12.2
    cpe:2.3:o:linux:linux_kernel:2.6.12.2
  • Linux Kernel 2.6.12.3
    cpe:2.3:o:linux:linux_kernel:2.6.12.3
  • Linux Kernel 2.6.12.4
    cpe:2.3:o:linux:linux_kernel:2.6.12.4
  • Linux Kernel 2.6.12.5
    cpe:2.3:o:linux:linux_kernel:2.6.12.5
  • Linux Kernel 2.6.12.6
    cpe:2.3:o:linux:linux_kernel:2.6.12.6
  • Linux Kernel 2.6.13
    cpe:2.3:o:linux:linux_kernel:2.6.13
  • Linux Kernel 2.6.13.1
    cpe:2.3:o:linux:linux_kernel:2.6.13.1
  • Linux Kernel 2.6.13.2
    cpe:2.3:o:linux:linux_kernel:2.6.13.2
  • Linux Kernel 2.6.13.3
    cpe:2.3:o:linux:linux_kernel:2.6.13.3
  • Linux Kernel 2.6.13.4
    cpe:2.3:o:linux:linux_kernel:2.6.13.4
  • Linux Kernel 2.6.13.5
    cpe:2.3:o:linux:linux_kernel:2.6.13.5
  • Linux Kernel 2.6.14
    cpe:2.3:o:linux:linux_kernel:2.6.14
CVSS
Base: 4.6 (as of 21-11-2005 - 12:37)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
exploit-db via4
description Linux Kernel 2.6.x Sysctl Unregistration Local Denial of Service Vulnerability. CVE-2005-2709. Dos exploit for linux platform
id EDB-ID:26489
last seen 2016-02-03
modified 2005-11-09
published 2005-11-09
reporter RĂ©mi Denis-Courmont
source https://www.exploit-db.com/download/26489/
title Linux Kernel 2.6.x - Sysctl Unregistration Local Denial of Service Vulnerability
nessus via4
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0101.NASL
    description Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : - a flaw in network IGMP processing that a allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate) - a flaw which allowed a local user to write to firmware on read-only opened /dev/cdrom devices (CVE-2004-1190, moderate) - a flaw in gzip/zlib handling internal to the kernel that may allow a local user to cause a denial of service (crash) (CVE-2005-2458, low) - a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709, moderate) - a flaw in the SCSI procfs interface that allowed a local user to cause a denial of service (crash) (CVE-2005-2800, moderate) - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044, important) - a race condition when threads share memory mapping that allowed local users to cause a denial of service (deadlock) (CVE-2005-3106, important) - a flaw when trying to mount a non-hfsplus filesystem using hfsplus that allowed local users to cause a denial of service (crash) (CVE-2005-3109, moderate) - a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276, low) - a flaw in mq_open system call that allowed a local user to cause a denial of service (crash) (CVE-2005-3356, important) - a flaw in set_mempolicy that allowed a local user on some 64-bit architectures to cause a denial of service (crash) (CVE-2005-3358, important) - a flaw in the auto-reap of child processes that allowed a local user to cause a denial of service (crash) (CVE-2005-3784, important) - a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806, important) - a flaw in network ICMP processing that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3848, important) - a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857, moderate) - a flaw in network IPv6 xfrm handling that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3858, important) - a flaw in procfs handling that allowed a local user to read kernel memory (CVE-2005-4605, important) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21977
    published 2006-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21977
    title CentOS 4 : kernel (CESA-2006:0101)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0101.NASL
    description Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : - a flaw in network IGMP processing that a allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate) - a flaw which allowed a local user to write to firmware on read-only opened /dev/cdrom devices (CVE-2004-1190, moderate) - a flaw in gzip/zlib handling internal to the kernel that may allow a local user to cause a denial of service (crash) (CVE-2005-2458, low) - a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709, moderate) - a flaw in the SCSI procfs interface that allowed a local user to cause a denial of service (crash) (CVE-2005-2800, moderate) - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044, important) - a race condition when threads share memory mapping that allowed local users to cause a denial of service (deadlock) (CVE-2005-3106, important) - a flaw when trying to mount a non-hfsplus filesystem using hfsplus that allowed local users to cause a denial of service (crash) (CVE-2005-3109, moderate) - a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276, low) - a flaw in mq_open system call that allowed a local user to cause a denial of service (crash) (CVE-2005-3356, important) - a flaw in set_mempolicy that allowed a local user on some 64-bit architectures to cause a denial of service (crash) (CVE-2005-3358, important) - a flaw in the auto-reap of child processes that allowed a local user to cause a denial of service (crash) (CVE-2005-3784, important) - a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806, important) - a flaw in network ICMP processing that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3848, important) - a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857, moderate) - a flaw in network IPv6 xfrm handling that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3858, important) - a flaw in procfs handling that allowed a local user to read kernel memory (CVE-2005-4605, important) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 20732
    published 2006-01-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20732
    title RHEL 4 : kernel (RHSA-2006:0101)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-059.NASL
    description A number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel : sysctl.c in the Linux kernel prior to 2.6.14.1 allows local users to cause a Denial of Service (kernel oops) and possibly execute code by opening an interface file in /proc/sys/net/ipv4/conf/, waiting until the interface is unregistered, then obtaining and modifying function pointers in memory that was used for the ctl_table (CVE-2005-2709). Multiple vulnerabilities in versions prior to 2.6.13.2 allow local users to cause a DoS (oops from null dereference) via fput in a 32bit ioctl on 64-bit x86 systems or sockfd_put in the 32-bit routing_ioctl function on 64-bit systems (CVE-2005-3044). Note that this was previously partially corrected in MDKSA-2005:235. Prior to 2.6.14, the kernel's atm module allows local users to cause a DoS (panic) via certain socket calls that produce inconsistent reference counts for loadable protocol modules (CVE-2005-3359). A race condition in the (1) add_key, (2) request_key, and (3) keyctl functions in the 2.6.x kernel allows local users to cause a DoS (crash) or read sensitive kernel memory by modifying the length of a string argument between the time that the kernel calculates the length and when it copies the data into kernel memory (CVE-2006-0457). Prior to 2.6.15.5, the kernel allows local users to obtain sensitive information via a crafted XFS ftruncate call, which may return stale data (CVE-2006-0554). Prior to 2.6.15.5, the kernel allows local users to cause a DoS (NFS client panic) via unknown attack vectors related to the use of O_DIRECT (CVE-2006-0555). Prior to an including kernel 2.6.16, sys_mbind in mempolicy.c does not sanity check the maxnod variable before making certain computations, which has an unknown impact and attack vectors (CVE-2006-0557). Prior to 2.6.15.5, the kernel allows local users to cause a DoS ('endless recursive fault') via unknown attack vectors related to a 'bad elf entry address' on Intel processors (CVE-2006-0741). Prior to 2.6.15.6, the die_if_kernel function in the kernel can allow local users to cause a DoS by causing user faults on Itanium systems (CVE-2006-00742). A race in the signal-handling code which allows a process to become unkillable when the race is triggered was also fixed. In addition to these security fixes, other fixes have been included such as : - add ich8 support - libata locking rewrite - libata clear ATA_QCFLAG_ACTIVE flag before calling the completion callback - support the Acer Aspire 5xxx/3xxx series in the acerhk module - USB storage: remove info sysfs file as it violates the sysfs one value per file rule - fix OOPS in sysfs_hash_and_remove_file() - pl2303 USB driver fixes; makes pl2303HX chip work correctly - fix OOPS in IPMI driver which is probably caused when trying to use ACPI functions when ACPI was not properly initialized - fix de_thread() racy BUG_ON() The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate Please note that users using the LSI Logic 53c1030 dual-channel ultra 320 SCSI card will need to re-create their initrd images manually prior to rebooting in order to fix a bug that prevents booting. A future update will correct this problem. To do this, execute : # rm /boot/initrd-2.6.12-18mdk.img # mkinitrd /boot/initrd-2.6.12-18mdk.img 2.6.12-18mdk --with-module=mptspi
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 21133
    published 2006-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21133
    title Mandrake Linux Security Advisory : kernel (MDKSA-2006:059)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0140.NASL
    description Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 3 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : - a flaw in network IGMP processing that a allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate) - a flaw in remap_page_range() with O_DIRECT writes that allowed a local user to cause a denial of service (crash) (CVE-2004-1057, important) - a flaw in exec() handling on some 64-bit architectures that allowed a local user to cause a denial of service (crash) (CVE-2005-2708, important) - a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709, moderate) - a flaw in IPv6 network UDP port hash table lookups that allowed a local user to cause a denial of service (hang) (CVE-2005-2973, important) - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044, important) - a network buffer info leak using the orinoco driver that allowed a remote user to possibly view uninitialized data (CVE-2005-3180, important) - a flaw in IPv4 network TCP and UDP netfilter handling that allowed a local user to cause a denial of service (crash) (CVE-2005-3275, important) - a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806, important) - a flaw in network ICMP processing that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3848, important) - a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857, moderate) - a flaw in network IPv6 xfrm handling that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3858, important) All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architecture and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 20751
    published 2006-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20751
    title RHEL 3 : kernel (RHSA-2006:0140)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0191.NASL
    description Updated kernel packages that fix a number of security issues as well as other bugs are now available for Red Hat Enterprise Linux 2.1 (32 bit architectures) This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : - a flaw in network IGMP processing that a allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate) - a race condition that allowed local users to read the environment variables of another process (CVE-2004-1058, low) - a flaw in the open_exec function of execve that allowed a local user to read setuid ELF binaries that should otherwise be protected by standard permissions. (CVE-2004-1073, moderate). Red Hat originally reported this flaw as being fixed by RHSA-2004:504, but a patch for this issue was missing from that update. - a flaw in the coda module that allowed a local user to cause a denial of service (crash) or possibly gain privileges (CVE-2005-0124, moderate) - a potential leak of kernel data from ext2 file system handling (CVE-2005-0400, low) - flaws in ISO-9660 file system handling that allowed the mounting of an invalid image on a CD-ROM to cause a denial of service (crash) or potentially execute arbitrary code (CVE-2005-0815, moderate) - a flaw in gzip/zlib handling internal to the kernel that may allow a local user to cause a denial of service (crash) (CVE-2005-2458, low) - a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709, moderate) - a flaw in IPv6 network UDP port hash table lookups that allowed a local user to cause a denial of service (hang) (CVE-2005-2973, important) - a network buffer info leak using the orinoco driver that allowed a remote user to possibly view uninitialized data (CVE-2005-3180, important) - a flaw in IPv4 network TCP and UDP netfilter handling that allowed a local user to cause a denial of service (crash) (CVE-2005-3275, important) - a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806, important) The following bugs were also addressed : - Handle set_brk() errors in binfmt_elf/aout - Correct error handling in shmem_ioctl - Correct scsi error return - Fix netdump time keeping bug - Fix netdump link-down freeze - Fix FAT fs deadlock All Red Hat Enterprise Linux 2.1 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 20855
    published 2006-02-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20855
    title RHEL 2.1 : kernel (RHSA-2006:0191)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0140.NASL
    description Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 3 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : - a flaw in network IGMP processing that a allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate) - a flaw in remap_page_range() with O_DIRECT writes that allowed a local user to cause a denial of service (crash) (CVE-2004-1057, important) - a flaw in exec() handling on some 64-bit architectures that allowed a local user to cause a denial of service (crash) (CVE-2005-2708, important) - a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709, moderate) - a flaw in IPv6 network UDP port hash table lookups that allowed a local user to cause a denial of service (hang) (CVE-2005-2973, important) - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044, important) - a network buffer info leak using the orinoco driver that allowed a remote user to possibly view uninitialized data (CVE-2005-3180, important) - a flaw in IPv4 network TCP and UDP netfilter handling that allowed a local user to cause a denial of service (crash) (CVE-2005-3275, important) - a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806, important) - a flaw in network ICMP processing that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3848, important) - a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857, moderate) - a flaw in network IPv6 xfrm handling that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3858, important) All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architecture and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21881
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21881
    title CentOS 3 : kernel (CESA-2006:0140)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1018.NASL
    description The original update lacked recompiled ALSA modules against the new kernel ABI. Furthermore, kernel-latest-2.4-sparc now correctly depends on the updated packages. For completeness we're providing the original problem description : Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0887 Martin Schwidefsky discovered that the privileged instruction SACF (Set Address Space Control Fast) on the S/390 platform is not handled properly, allowing for a local user to gain root privileges. - CVE-2004-1058 A race condition allows for a local user to read the environment variables of another process that is still spawning through /proc/.../cmdline. - CVE-2004-2607 A numeric casting discrepancy in sdla_xfer allows local users to read portions of kernel memory via a large len argument which is received as an int but cast to a short, preventing read loop from filling a buffer. - CVE-2005-0449 An error in the skb_checksum_help() function from the netfilter framework has been discovered that allows the bypass of packet filter rules or a denial of service attack. - CVE-2005-1761 A vulnerability in the ptrace subsystem of the IA-64 architecture can allow local attackers to overwrite kernel memory and crash the kernel. - CVE-2005-2457 Tim Yamin discovered that insufficient input validation in the compressed ISO file system (zisofs) allows a denial of service attack through maliciously crafted ISO images. - CVE-2005-2555 Herbert Xu discovered that the setsockopt() function was not restricted to users/processes with the CAP_NET_ADMIN capability. This allows attackers to manipulate IPSEC policies or initiate a denial of service attack. - CVE-2005-2709 Al Viro discovered a race condition in the /proc handling of network devices. A (local) attacker could exploit the stale reference after interface shutdown to cause a denial of service or possibly execute code in kernel mode. - CVE-2005-2973 Tetsuo Handa discovered that the udp_v6_get_port() function from the IPv6 code can be forced into an endless loop, which allows a denial of service attack. - CVE-2005-3257 Rudolf Polzer discovered that the kernel improperly restricts access to the KDSKBSENT ioctl, which can possibly lead to privilege escalation. - CVE-2005-3783 The ptrace code using CLONE_THREAD didn't use the thread group ID to determine whether the caller is attaching to itself, which allows a denial of service attack. - CVE-2005-3806 Yen Zheng discovered that the IPv6 flow label code modified an incorrect variable, which could lead to memory corruption and denial of service. - CVE-2005-3848 Ollie Wild discovered a memory leak in the icmp_push_reply() function, which allows denial of service through memory consumption. - CVE-2005-3857 Chris Wright discovered that excessive allocation of broken file lock leases in the VFS layer can exhaust memory and fill up the system logging, which allows denial of service. - CVE-2005-3858 Patrick McHardy discovered a memory leak in the ip6_input_finish() function from the IPv6 code, which allows denial of service. - CVE-2005-4618 Yi Ying discovered that sysctl does not properly enforce the size of a buffer, which allows a denial of service attack.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22560
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22560
    title Debian DSA-1018-2 : kernel-source-2.4.27 - several vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-219-1.NASL
    description Al Viro discovered a race condition in the /proc file handler of network devices. A local attacker could exploit this by opening any file in /proc/sys/net/ipv4/conf// and waiting until that interface was shut down. Under certain circumstances this could lead to a kernel crash or even arbitrary code execution with full kernel privileges. (CVE-2005-2709) Tetsuo Handa discovered a local Denial of Service vulnerability in the udp_v6_get_port() function. On computers which use IPv6, a local attacker could exploit this to trigger an infinite loop in the kernel. (CVE-2005-2973) Harald Welte discovered a Denial of Service vulnerability in the USB devio driver. A local attacker could exploit this by sending an 'USB Request Block' (URB) and terminating the sending process before the arrival of the answer, which left an invalid pointer and caused a kernel crash. (CVE-2005-3055) Pavel Roskin discovered an information leak in the Orinoco wireless card driver. When increasing the buffer length for storing data, the buffer was not padded with zeros, which exposed a random part of the system memory to the user. (CVE-2005-3180) A resource leak has been discovered in the handling of POSIX timers in the exec() function. This could be exploited to a Denial of Service attack by a group of local users. This vulnerability only affects Ubuntu 4.10. (CVE-2005-3271) Stephen Hemming discovered a weakness in the network bridge driver. Packets which had already been dropped by the packet filter could poison the forwarding table, which could be exploited to make the bridge forward spoofed packages. This vulnerability only affects Ubuntu 4.10 and 5.04. (CVE-2005-3272) David S. Miller discovered a buffer overflow in the rose_rt_ioctl() function. By calling the function with a large 'ngidis' argument, a local attacker could cause a kernel crash. This vulnerability only affects Ubuntu 4.10 and 5.04. (CVE-2005-3273) Neil Horman discovered a race condition in the connection timer handling. This allowed a local attacker to set up an expiration handler which modified the connection list while the list still being traversed, which could result in a kernel crash. This vulnerability only affects multiprocessor (SMP) systems. (CVE-2005-3274) Patrick McHardy noticed a logic error in the network address translation (NAT) connection tracker. A remote attacker could exploit this by causing two packets for the same protocol to be NATed at the same time, which resulted in a kernel crash. (CVE-2005-3275) Paolo Giarrusso discovered an information leak in the sys_get_thread_area(). The returned structure was not properly cleared, which exposed a small amount of kernel memory to userspace programs. This could possibly expose confidential data. (CVE-2005-3276). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-26
    plugin id 65105
    published 2013-03-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65105
    title Ubuntu 4.10 / 5.10 : linux-source-2.6.8.1/-2.6.10/-2.6.12 vulnerabilities (USN-219-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1017.NASL
    description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2005-0449 An error in the skb_checksum_help() function from the netfilter framework has been discovered that allows the bypass of packet filter rules or a denial of service attack. - CVE-2005-2457 Tim Yamin discovered that insufficient input validation in the zisofs driver for compressed ISO file systems allows a denial of service attack through maliciously crafted ISO images. - CVE-2005-2490 A buffer overflow in the sendmsg() function allows local users to execute arbitrary code. - CVE-2005-2555 Herbert Xu discovered that the setsockopt() function was not restricted to users/processes with the CAP_NET_ADMIN capability. This allows attackers to manipulate IPSEC policies or initiate a denial of service attack. - CVE-2005-2709 Al Viro discovered a race condition in the /proc handling of network devices. A (local) attacker could exploit the stale reference after interface shutdown to cause a denial of service or possibly execute code in kernel mode. - CVE-2005-2800 Jan Blunck discovered that repeated failed reads of /proc/scsi/sg/devices leak memory, which allows a denial of service attack. - CVE-2005-2973 Tetsuo Handa discovered that the udp_v6_get_port() function from the IPv6 code can be forced into an endless loop, which allows a denial of service attack. - CVE-2005-3044 Vasiliy Averin discovered that the reference counters from sockfd_put() and fput() can be forced into overlapping, which allows a denial of service attack through a NULL pointer dereference. - CVE-2005-3053 Eric Dumazet discovered that the set_mempolicy() system call accepts a negative value for its first argument, which triggers a BUG() assert. This allows a denial of service attack. - CVE-2005-3055 Harald Welte discovered that if a process issues a USB Request Block (URB) to a device and terminates before the URB completes, a stale pointer would be dereferenced. This could be used to trigger a denial of service attack. - CVE-2005-3180 Pavel Roskin discovered that the driver for Orinoco wireless cards clears its buffers insufficiently. This could leak sensitive information into user space. - CVE-2005-3181 Robert Derr discovered that the audit subsystem uses an incorrect function to free memory, which allows a denial of service attack. - CVE-2005-3257 Rudolf Polzer discovered that the kernel improperly restricts access to the KDSKBSENT ioctl, which can possibly lead to privilege escalation. - CVE-2005-3356 Doug Chapman discovered that the mq_open syscall can be tricked into decrementing an internal counter twice, which allows a denial of service attack through a kernel panic. - CVE-2005-3358 Doug Chapman discovered that passing a zero bitmask to the set_mempolicy() system call leads to a kernel panic, which allows a denial of service attack. - CVE-2005-3783 The ptrace code using CLONE_THREAD didn't use the thread group ID to determine whether the caller is attaching to itself, which allows a denial of service attack. - CVE-2005-3784 The auto-reaping of child processes functionality included ptraced-attached processes, which allows denial of service through dangling references. - CVE-2005-3806 Yen Zheng discovered that the IPv6 flow label code modified an incorrect variable, which could lead to memory corruption and denial of service. - CVE-2005-3847 It was discovered that a threaded real-time process, which is currently dumping core can be forced into a dead-lock situation by sending it a SIGKILL signal, which allows a denial of service attack. - CVE-2005-3848 Ollie Wild discovered a memory leak in the icmp_push_reply() function, which allows denial of service through memory consumption. - CVE-2005-3857 Chris Wright discovered that excessive allocation of broken file lock leases in the VFS layer can exhaust memory and fill up the system logging, which allows denial of service. - CVE-2005-3858 Patrick McHardy discovered a memory leak in the ip6_input_finish() function from the IPv6 code, which allows denial of service. - CVE-2005-4605 Karl Janmar discovered that a signedness error in the procfs code can be exploited to read kernel memory, which may disclose sensitive information. - CVE-2005-4618 Yi Ying discovered that sysctl does not properly enforce the size of a buffer, which allows a denial of service attack. - CVE-2006-0095 Stefan Rompf discovered that dm_crypt does not clear an internal struct before freeing it, which might disclose sensitive information. - CVE-2006-0096 It was discovered that the SDLA driver's capability checks were too lax for firmware upgrades. - CVE-2006-0482 Ludovic Courtes discovered that get_compat_timespec() performs insufficient input sanitizing, which allows a local denial of service attack. - CVE-2006-1066 It was discovered that ptrace() on the ia64 architecture allows a local denial of service attack, when preemption is enabled.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22559
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22559
    title Debian DSA-1017-1 : kernel-source-2.6.8 - several vulnerabilities
oval via4
accepted 2013-04-29T04:08:19.105-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description The sysctl functionality (sysctl.c) in Linux kernel before 2.6.14.1 allows local users to cause a denial of service (kernel oops) and possibly execute code by opening an interface file in /proc/sys/net/ipv4/conf/, waiting until the interface is unregistered, then obtaining and modifying function pointers in memory that was used for the ctl_table.
family unix
id oval:org.mitre.oval:def:10746
status accepted
submitted 2010-07-09T03:56:16-04:00
title The sysctl functionality (sysctl.c) in Linux kernel before 2.6.14.1 allows local users to cause a denial of service (kernel oops) and possibly execute code by opening an interface file in /proc/sys/net/ipv4/conf/, waiting until the interface is unregistered, then obtaining and modifying function pointers in memory that was used for the ctl_table.
version 23
redhat via4
advisories
  • rhsa
    id RHSA-2006:0101
  • rhsa
    id RHSA-2006:0140
  • rhsa
    id RHSA-2006:0190
  • rhsa
    id RHSA-2006:0191
refmap via4
bid 15365
confirm http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.14.1
debian
  • DSA-1017
  • DSA-1018
fedora
  • FLSA:157459-1
  • FLSA:157459-2
  • FLSA:157459-3
  • FLSA:157459-4
mandriva MDKSA-2006:059
osvdb 20676
sectrack 1015434
secunia
  • 17504
  • 17541
  • 17648
  • 18510
  • 18562
  • 18684
  • 19369
  • 19374
ubuntu USN-219-1
vupen ADV-2005-2359
xf kernel-sysctl-interface-dos(23040)
Last major update 25-06-2012 - 00:00
Published 20-11-2005 - 17:03
Last modified 19-10-2018 - 11:33
Back to Top