|NASL family||Ubuntu Local Security Checks |
|NASL id||UBUNTU_USN-281-1.NASL |
|description||The sys_mbind() function did not properly verify the validity of the 'maxnod' argument. A local user could exploit this to trigger a buffer overflow, which caused a kernel crash. (CVE-2006-0557)
The SELinux module did not correctly handle the tracer SID when a process was already being traced. A local attacker could exploit this to cause a kernel crash. (CVE-2006-1052)
Al Viro discovered a local Denial of Service in the sysfs write buffer handling. By writing a block with a length exactly equal to the processor's page size to any writable file in /sys, a local attacker could cause a kernel crash. (CVE-2006-1055)
John Blackwood discovered a race condition with single-step debugging multiple processes at the same time. A local attacker could exploit this to crash the system. This only affects the amd64 platform.
Marco Ivaldi discovered a flaw in the handling of the ID number of IP packets. This number was incremented after receiving unsolicited TCP SYN-ACK packets. A remote attacker could exploit this to conduct port scans with the 'Idle scan' method (nmap -sI), which bypassed intended port scan protections. (CVE-2006-1242)
Pavel Kankovsky discovered that the getsockopt() function, when called with an SO_ORIGINAL_DST argument, does not properly clear the returned structure, so that a random piece of kernel memory is exposed to the user. This could potentially reveal sensitive data like passwords or encryption keys. (CVE-2006-1343)
A buffer overflow was discovered in the USB Gadget RNDIS implementation. While creating a reply message, the driver did not allocate enough memory for the reply structure. A remote attacker could exploit this to cause a kernel crash. (CVE-2006-1368)
Alexandra Kossovsky discovered an invalid memory access in the ip_route_input() function. By using the 'ip' command in a particular way to retrieve multicast routes, a local attacker could exploit this to crash the kernel. (CVE-2006-1525)
Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
|last seen||2019-02-21 |
|plugin id||21375 |
|title||Ubuntu 5.04 / 5.10 : linux-source-2.6.10, linux-source-2.6.12 vulnerabilities (USN-281-1) |
|NASL family||Red Hat Local Security Checks |
|NASL id||REDHAT-RHSA-2006-0579.NASL |
|description||Updated kernel packages that fix a number of security issues as well as other bugs are now available for Red Hat Enterprise Linux 2.1 (32-bit architectures).
This security advisory has been rated as having important security impact by the Red Hat Security Response Team.
The Linux kernel handles the basic functions of the operating system.
These new kernel packages contain fixes for the security issues described below :
* a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate)
* a flaw in ROSE due to missing verification of the ndigis argument of new routes (CVE-2005-3273, moderate)
* an info leak on AMD-based x86 systems that allowed a local user to retrieve the floating point exception state of a process run by a different user (CVE-2006-1056, important)
* a minor info leak in socket name handling in the network code (CVE-2006-1342, low)
* a minor info leak in socket option handling in the network code (CVE-2006-1343, low)
* a directory traversal vulnerability in smbfs that allowed a local user to escape chroot restrictions for an SMB-mounted filesystem via '..\\' sequences (CVE-2006-1864, moderate)
* a flaw in the mprotect system call that allowed write permission to be granted on a read-only attachment of shared memory (CVE-2006-2071, moderate)
A performance bug in the NFS implementation that caused clients to frequently pause when sending TCP segments during heavy write loads was also addressed.
All Red Hat Enterprise Linux 2.1 users are advised to upgrade their kernels to these updated packages, which contain backported fixes to correct these issues. |
|last seen||2019-02-21 |
|plugin id||22054 |
|title||RHEL 2.1 : kernel (RHSA-2006:0579) |
|NASL family||Mandriva Local Security Checks |
|NASL id||MANDRAKE_MDKSA-2006-123.NASL |
|description||A number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel :
The kernel did not clear sockaddr_in.sin_zero before returning IPv4 socket names for the getsockopt function, which could allow a local user to obtain portions of potentially sensitive memory if getsockopt() is called with SO_ORIGINAL_DST (CVE-2006-1343).
Prior to 2.6.16, a buffer overflow in the USB Gadget RNDIS implementation could allow a remote attacker to cause a Denial of Service via a remote NDIS response (CVE-2006-1368).
Prior to 2.6.13, local users could cause a Denial of Service (crash) via a dio transfer from the sg driver to memory mapped IO space (CVE-2006-1528).
Prior to and including 2.6.16, the kernel did not add the appropriate LSM file_permission hooks to the readv and writev functions, which could allow an attacker to bypass intended access restrictions (CVE-2006-1856).
Prior to 184.108.40.206, a buffer overflow in SCTP could allow a remote attacker to cause a DoS (crash) and possibly execute arbitrary code via a malformed HB-ACK chunk (CVE-2006-1857).
Prior to 220.127.116.11, SCTP could allow a remote attacker to cause a DoS (crash) and possibly execute arbitrary code via a chunk length that is inconsistent with the actual length of provided parameters (CVE-2006-1858).
Prior to 18.104.22.168, a memory leak in fs/locks.c could allow an attacker to cause a DoS (memory consumption) via unspecified actions (CVE-2006-1859).
Prior to 22.214.171.124, lease_init in fs/locks.c could allow an attacker to cause a DoS (fcntl_setlease lockup) via certain actions (CVE-2006-1860).
Prior to 2.6.17, SCTP allowed remote attackers to cause a DoS (infinite recursion and crash) via a packet that contains two or more DATA fragments (CVE-2006-2274).
Prior to 126.96.36.199, a race condition in run_posix_cpu_timers could allow a local user to cause a DoS (BUG_ON crash) by causing one CPU to attach a timer to a process that is exiting (CVE-2006-2445).
Prior to 188.8.131.52, xt_sctp in netfilter could allow an attacker to cause a DoS (infinite loop) via an SCTP chunk with a 0 length (CVE-2006-3085).
As well, an issue where IPC could hit an unmapped vmalloc page when near the page boundary has been corrected.
In addition to these security fixes, other fixes have been included such as :
- avoid automatic update of kernel-source without updating the kernel
- fix USB EHCI handoff code, which made some machines hang while booting
- disable USB_BANDWIDTH which corrects a known problem in some USB sound devices
- fix a bluetooth refcounting bug which could hang the machine
- fix a NULL pointer dereference in USB-Serial's serial_open() function
- add missing wakeup in pl2303 TIOCMIWAIT handling
- fix a possible use-after-free in USB-Serial core
- suspend/resume fixes
- HPET timer fixes
- prevent fixed button event to reach userspace on S3 resume
- add sysfs support in ide-tape
- fix ASUS P5S800 reboot
Finally, a new drbd-utils package is provided that is a required upgrade with this new kernel due to a logic bug in the previously shipped version of drbd-utils that could cause a kernel panic on the master when a slave went offline.
The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels.
To update your kernel, please follow the directions located at :
|last seen||2019-02-21 |
|plugin id||22058 |
|title||Mandrake Linux Security Advisory : kernel (MDKSA-2006:123) |