ID CVE-2009-1758
Summary The hypervisor_callback function in Xen, possibly before 3.4.0, as applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably other versions allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in "certain address ranges."
References
Vulnerable Configurations
  • cpe:2.3:o:linux:linux_kernel:2.6.30:rc4:x86_32
  • cpe:2.3:o:linux:linux_kernel:2.6.18:-:x86_32
  • cpe:2.3:a:xen:xen:3.2.1
  • cpe:2.3:a:xen:xen:3.2
  • cpe:2.3:a:xen:xen:3.1.2
  • cpe:2.3:a:xen:xen:3.3.1
  • cpe:2.3:a:xen:xen:3.3.0
  • cpe:2.3:a:xen:xen:3.2.3
  • cpe:2.3:a:xen:xen:3.2.2
  • cpe:2.3:a:xen:xen:3.2.0
  • cpe:2.3:a:xen:xen:3.1.4
  • cpe:2.3:a:xen:xen:3.1.3
  • cpe:2.3:a:xen:xen:3.0.4
  • cpe:2.3:a:xen:xen:3.0.3
  • cpe:2.3:a:xen:xen:3.0.2
  • cpe:2.3:a:xen:xen:2.0
CVSS
Base: 5.0 (as of 22-05-2009 - 11:13)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: PARTIAL
nessus via4
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2009-0014.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates :
      CVE-2009-1192 The (1) agp_generic_alloc_page and (2) agp_generic_alloc_pages functions in drivers/char/agp/generic.c in the agp subsystem in the Linux kernel before 2.6.30-rc3 do not zero out pages that may later be available to a user-space process, which allows local users to obtain sensitive information by reading these pages.
      CVE-2009-1072 nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.
      CVE-2009-1758 The hypervisor_callback function in Xen, possibly before 3.4.0, as applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably other versions allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in 'certain address ranges.'
      CVE-2009-1439 Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) via a long nativeFileSystem field in a Tree Connect response to an SMB mount request.
      CVE-2009-1633 Multiple buffer overflows in the cifs subsystem in the Linux kernel before 2.6.29.4 allow remote CIFS servers to cause a denial of service (memory corruption) and possibly have unspecified other impact via (1) a malformed Unicode string, related to Unicode string area alignment in fs/cifs/sess.c or (2) long Unicode characters, related to fs/cifs/cifssmb.c and the cifs_readdir function in fs/cifs/readdir.c.
      CVE-2009-1630 The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel 2.6.29.3 and earlier, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.
      - [agp] zero pages before sending to userspace (Jiri Olsa) [497025 497026] (CVE-2009-1192)
      - [misc] add some long-missing capabilities to CAP_FS_MASK (Eric Paris) [499075 497271 499076 497272] (CVE-2009-1072)
      - [x86] xen: fix local denial of service (Chris Lalancette) [500950 500951] (CVE-2009-1758)
      - [fs] cifs: unicode alignment and buffer sizing problems (Jeff Layton) [494279 494280] (CVE-2009-1439)
      - [fs] cifs: buffer overruns when converting strings (Jeff Layton) [496576 496577] (CVE-2009-1633)
      - [fs] cifs: fix error handling in parse_DFS_referrals (Jeff Layton) [496576 496577] (CVE-2009-1633)
      - [fs] cifs: fix pointer and checks in cifs_follow_symlink (Jeff Layton) [496576 496577] (CVE-2009-1633)
      - [nfs] v4: client handling of MAY_EXEC in nfs_permission (Peter Staubach) [500301 500302] (CVE-2009-1630)
      - backport cifs support from OEL5U3
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 79460
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79460
    title OracleVM 2.1 : kernel (OVMSA-2009-0014)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090616_KERNEL_ON_SL5_X.NASL
    description Security fixes :
      - several flaws were found in the way the Linux kernel CIFS implementation handles Unicode strings. CIFS clients convert Unicode strings sent by a server to their local character sets, and then write those strings into memory. If a malicious server sent a long enough string, it could write past the end of the target memory region and corrupt other memory areas, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share. (CVE-2009-1439, CVE-2009-1633, Important)
      - the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate)
      - Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate)
      - a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel. (CVE-2009-1758, Moderate)
      - a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak. (CVE-2009-1192, Low)
      Bug fixes :
      - a race in the NFS client between destroying cached access rights and unmounting an NFS file system could have caused a system crash. 'Busy inodes' messages may have been logged. (BZ#498653)
      - nanosleep() could sleep several milliseconds less than the specified time on Intel Itanium®-based systems. (BZ#500349)
      - LEDs for disk drives in AHCI mode may have displayed a fault state when there were no faults. (BZ#500120)
      - ptrace_do_wait() reported tasks were stopped each time the process doing the trace called wait(), instead of reporting it once. (BZ#486945)
      - epoll_wait() may have caused a system lockup and problems for applications. (BZ#497322)
      - missing capabilities could possibly allow users with an fsuid other than 0 to perform actions on some file system types that would otherwise be prevented. (BZ#497271)
      - on NFS mounted file systems, heavy write loads may have blocked nfs_getattr() for long periods, causing commands that use stat(2), such as ls, to hang. (BZ#486926)
      - in rare circumstances, if an application performed multiple O_DIRECT reads per virtual memory page and also performed fork(2), the buffer storing the result of the I/O may have ended up with invalid data. (BZ#486921)
      - when using GFS2, gfs2_quotad may have entered an uninterruptible sleep state. (BZ#501742)
      - with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. (BZ#499783)
      - the '-fwrapv' flag was added to the gcc build options to prevent gcc from optimizing away wrapping. (BZ#501751)
      - a kernel panic when enabling and disabling iSCSI paths. (BZ#502916)
      - using the Broadcom NetXtreme BCM5704 network device with the tg3 driver caused high system load and very bad performance. (BZ#502837)
      - '/proc/[pid]/maps' and '/proc/[pid]/smaps' can only be read by processes able to use the ptrace() call on a given process; however, certain information from '/proc/[pid]/stat' and '/proc/[pid]/wchan' could be used to reconstruct memory maps. (BZ#499546)
      The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60599
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60599
    title Scientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1106.NASL
    description Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system.
      Security fixes :
      * several flaws were found in the way the Linux kernel CIFS implementation handles Unicode strings. CIFS clients convert Unicode strings sent by a server to their local character sets, and then write those strings into memory. If a malicious server sent a long enough string, it could write past the end of the target memory region and corrupt other memory areas, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share. (CVE-2009-1439, CVE-2009-1633, Important)
      * the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate)
      * Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate)
      * a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel. (CVE-2009-1758, Moderate)
      * a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak. (CVE-2009-1192, Low)
      Bug fixes :
      * a race in the NFS client between destroying cached access rights and unmounting an NFS file system could have caused a system crash. 'Busy inodes' messages may have been logged. (BZ#498653)
      * nanosleep() could sleep several milliseconds less than the specified time on Intel Itanium(r)-based systems. (BZ#500349)
      * LEDs for disk drives in AHCI mode may have displayed a fault state when there were no faults. (BZ#500120)
      * ptrace_do_wait() reported tasks were stopped each time the process doing the trace called wait(), instead of reporting it once. (BZ#486945)
      * epoll_wait() may have caused a system lockup and problems for applications. (BZ#497322)
      * missing capabilities could possibly allow users with an fsuid other than 0 to perform actions on some file system types that would otherwise be prevented. (BZ#497271)
      * on NFS mounted file systems, heavy write loads may have blocked nfs_getattr() for long periods, causing commands that use stat(2), such as ls, to hang. (BZ#486926)
      * in rare circumstances, if an application performed multiple O_DIRECT reads per virtual memory page and also performed fork(2), the buffer storing the result of the I/O may have ended up with invalid data. (BZ#486921)
      * when using GFS2, gfs2_quotad may have entered an uninterruptible sleep state. (BZ#501742)
      * with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. (BZ#499783)
      * the '-fwrapv' flag was added to the gcc build options to prevent gcc from optimizing away wrapping. (BZ#501751)
      * a kernel panic when enabling and disabling iSCSI paths. (BZ#502916)
      * using the Broadcom NetXtreme BCM5704 network device with the tg3 driver caused high system load and very bad performance. (BZ#502837)
      * '/proc/[pid]/maps' and '/proc/[pid]/smaps' can only be read by processes able to use the ptrace() call on a given process; however, certain information from '/proc/[pid]/stat' and '/proc/[pid]/wchan' could be used to reconstruct memory maps. (BZ#499546)
      Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 39430
    published 2009-06-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39430
    title RHEL 5 : kernel (RHSA-2009:1106)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090630_KERNEL_ON_SL4_X.NASL
    description These updated packages fix the following security issues :
      - the exit_notify() function in the Linux kernel did not properly reset the exit signal if a process executed a set user ID (setuid) application before exiting. This could allow a local, unprivileged user to elevate their privileges. (CVE-2009-1337, Important)
      - the Linux kernel implementation of the Network File System (NFS) did not properly initialize the file name limit in the nfs_server data structure. This flaw could possibly lead to a denial of service on a client mounting an NFS share. (CVE-2009-1336, Moderate)
      - a flaw was found in the Intel PRO/1000 network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially crafted packet that would cause a denial of service. (CVE-2009-1385, Important)
      - the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate)
      - Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate)
      - a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel. (CVE-2009-1758, Moderate)
      - a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak. (CVE-2009-1192, Low)
      These updated packages also fix the following bugs :
      - '/proc/[pid]/maps' and '/proc/[pid]/smaps' can only be read by processes able to use the ptrace() call on a given process; however, certain information from '/proc/[pid]/stat' and '/proc/[pid]/wchan' could be used to reconstruct memory maps, making it possible to bypass the Address Space Layout Randomization (ASLR) security feature. This update addresses this issue. (BZ#499549)
      - in some situations, the link count was not decreased when renaming unused files on NFS mounted file systems. This may have resulted in poor performance. With this update, the link count is decreased in these situations, the same as is done for other file operations, such as unlink and rmdir. (BZ#501802)
      - tcp_ack() cleared the probes_out variable even if there were outstanding packets. When low TCP keepalive intervals were used, this bug may have caused problems, such as connections terminating, when using remote tools such as rsh and rlogin. (BZ#501754)
      - off-by-one errors in the time normalization code could have caused clock_gettime() to return one billion nanoseconds, rather than adding an extra second. This bug could have caused the name service cache daemon (nscd) to consume excessive CPU resources. (BZ#501800)
      - a system panic could occur when one thread read '/proc/bus/input/devices' while another was removing a device. With this update, a mutex has been added to protect the input_dev_list and input_handler_list variables, which resolves this issue. (BZ#501804)
      - using netdump may have caused a kernel deadlock on some systems. (BZ#504565)
      - the file system mask, which lists capabilities for users with a file system user ID (fsuid) of 0, was missing the CAP_MKNOD and CAP_LINUX_IMMUTABLE capabilities. This could, potentially, allow users with an fsuid other than 0 to perform actions on some file system types that would otherwise be prevented. This update adds these capabilities. (BZ#497269)
      Kernel Feature Support :
      - added a new allowable value to '/proc/sys/kernel/wake_balance' to allow the scheduler to run the thread on any available CPU rather than scheduling it on the optimal CPU.
      - added 'max_writeback_pages' tunable parameter to /proc/sys/vm/ to allow the maximum number of modified pages kupdate writes to disk, per iteration per run.
      - added 'swap_token_timeout' tunable parameter to /proc/sys/vm/ to provide a valid hold time for the swap out protection token.
      - added diskdump support to sata_svw driver.
      - limited physical memory to 64GB for 32-bit kernels running on systems with more than 64GB of physical memory to prevent boot failures.
      - improved reliability of autofs.
      - added support for 'rdattr_error' in NFSv4 readdir requests.
      - fixed various short packet handling issues for NFSv4 readdir and sunrpc.
      - fixed several CIFS bugs.
      Networking and IPv6 Enablement :
      - added router solicitation support.
      - enforced sg requires tx csum in ethtool.
      Platform Support : x86, AMD64, Intel 64
      - added support for a new Intel chipset.
      - added initialization vendor info in boot_cpu_data.
      - added support for N_Port ID Virtualization (NPIV) for IBM System z guests using zFCP.
      - added HDMI support for some AMD and ATI chipsets.
      - updated HDA driver in ALSA to latest upstream as of 2008-07-22.
      - added support for affected_cpus for cpufreq.
      - removed polling timer from i8042.
      - fixed PM-Timer when using the ASUS A8V Deluxe motherboard.
      - backported usbfs_mutex in usbfs.
      Network Driver Updates :
      - updated forcedeth driver to latest upstream version 0.61.
      - fixed various e1000 issues when using Intel ESB2 hardware.
      - updated e1000e driver to upstream version 0.3.3.3-k6.
      - updated igb to upstream version 1.2.45-k2.
      - updated tg3 to upstream version 3.96.
      - updated ixgbe to upstream version 1.3.18-k4.
      - updated bnx2 to upstream version 1.7.9.
      - updated bnx2x to upstream version 1.45.23.
      - fixed bugs and added enhancements for the NetXen NX2031 and NX3031 products.
      - updated Realtek r8169 driver to support newer network chipsets. All variants of RTL810x/RTL8168(9) are now supported.
      Storage Driver Updates :
      - fixed various SCSI issues. Also, the SCSI sd driver now calls the revalidate_disk wrapper.
      - fixed a dmraid reduced I/O delay bug in certain configurations.
      - removed quirk aac_quirk_scsi_32 for some aacraid controllers.
      - updated FCP driver on IBM System z systems with support for point-to-point connections.
      - updated lpfc to version 8.0.16.46.
      - updated megaraid_sas to version 4.01-RH1.
      - updated MPT Fusion driver to version 3.12.29.00rh.
      - updated qla2xxx firmware to 4.06.01 for 4GB/s and 8GB/s adapters.
      - updated qla2xxx driver to version 8.02.09.00.04.08-d.
      - fixed sata_nv in libsata to disable ADMA mode by default.
      Miscellaneous Updates :
      - upgraded OpenFabrics Alliance Enterprise Distribution (OFED) to version 1.4.
      - added driver support and fixes for various Wacom tablets.
      Note: The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60609
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60609
    title Scientific Linux Security Update : kernel on SL4.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1106.NASL
    description From Red Hat Security Advisory 2009:1106 : Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system.
      Security fixes :
      * several flaws were found in the way the Linux kernel CIFS implementation handles Unicode strings. CIFS clients convert Unicode strings sent by a server to their local character sets, and then write those strings into memory. If a malicious server sent a long enough string, it could write past the end of the target memory region and corrupt other memory areas, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share. (CVE-2009-1439, CVE-2009-1633, Important)
      * the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate)
      * Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate)
      * a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel. (CVE-2009-1758, Moderate)
      * a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak. (CVE-2009-1192, Low)
      Bug fixes :
      * a race in the NFS client between destroying cached access rights and unmounting an NFS file system could have caused a system crash. 'Busy inodes' messages may have been logged. (BZ#498653)
      * nanosleep() could sleep several milliseconds less than the specified time on Intel Itanium(r)-based systems. (BZ#500349)
      * LEDs for disk drives in AHCI mode may have displayed a fault state when there were no faults. (BZ#500120)
      * ptrace_do_wait() reported tasks were stopped each time the process doing the trace called wait(), instead of reporting it once. (BZ#486945)
      * epoll_wait() may have caused a system lockup and problems for applications. (BZ#497322)
      * missing capabilities could possibly allow users with an fsuid other than 0 to perform actions on some file system types that would otherwise be prevented. (BZ#497271)
      * on NFS mounted file systems, heavy write loads may have blocked nfs_getattr() for long periods, causing commands that use stat(2), such as ls, to hang. (BZ#486926)
      * in rare circumstances, if an application performed multiple O_DIRECT reads per virtual memory page and also performed fork(2), the buffer storing the result of the I/O may have ended up with invalid data. (BZ#486921)
      * when using GFS2, gfs2_quotad may have entered an uninterruptible sleep state. (BZ#501742)
      * with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. (BZ#499783)
      * the '-fwrapv' flag was added to the gcc build options to prevent gcc from optimizing away wrapping. (BZ#501751)
      * a kernel panic when enabling and disabling iSCSI paths. (BZ#502916)
      * using the Broadcom NetXtreme BCM5704 network device with the tg3 driver caused high system load and very bad performance. (BZ#502837)
      * '/proc/[pid]/maps' and '/proc/[pid]/smaps' can only be read by processes able to use the ptrace() call on a given process; however, certain information from '/proc/[pid]/stat' and '/proc/[pid]/wchan' could be used to reconstruct memory maps. (BZ#499546)
      Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67874
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67874
    title Oracle Linux 5 : kernel (ELSA-2009-1106)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-6439.NASL
    description This patch updates the SUSE Linux Enterprise 10 SP2 kernel to fix various bugs and some security issues. The following security issues were fixed:
      - CVE-2009-2692: A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges.
      - (No cve yet) An information leak from using sigaltstack was fixed.
      - Enabled -fno-delete-null-pointer-checks to avoid optimizing away NULL pointer checks and fixed Makefiles to make sure -fwrapv is used everywhere.
      - CVE-2009-1758: The hypervisor_callback function in Xen allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in 'certain address ranges.'
      - A crash on r8169 network cards when receiving large packets was fixed. (CVE-2009-1389)
      - The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver. (CVE-2009-1630)
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 41540
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41540
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6439)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-6437.NASL
    description This patch updates the SUSE Linux Enterprise 10 SP2 kernel to fix various bugs and some security issues. The following security issues were fixed:
      - CVE-2009-2692: A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges.
      - (No cve yet) An information leak from using sigaltstack was fixed.
      - Enabled -fno-delete-null-pointer-checks to avoid optimizing away NULL pointer checks and fixed Makefiles to make sure -fwrapv is used everywhere.
      - CVE-2009-1758: The hypervisor_callback function in Xen allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in 'certain address ranges.'
      - A crash on r8169 network cards when receiving large packets was fixed. (CVE-2009-1389)
      - The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver. (CVE-2009-1630)
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 59138
    published 2012-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59138
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6437)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1809.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :
      - CVE-2009-1630 Frank Filz discovered that local users may be able to execute files without execute permission when accessed via an nfs4 mount.
      - CVE-2009-1633 Jeff Layton and Suresh Jayaraman fixed several buffer overflows in the CIFS filesystem which allow remote servers to cause memory corruption.
      - CVE-2009-1758 Jan Beulich discovered an issue in Xen where local guest users may cause a denial of service (oops).
      This update also fixes a regression introduced by the fix for CVE-2009-1184 in 2.6.26-15lenny3. This prevents a boot time panic on systems with SELinux enabled.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 38990
    published 2009-06-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38990
    title Debian DSA-1809-1 : linux-2.6 - denial of service, privilege escalation
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1132.NASL
    description From Red Hat Security Advisory 2009:1132 : Updated kernel packages that fix several security issues and various bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system.
      These updated packages fix the following security issues :
      * a flaw was found in the Intel PRO/1000 network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially crafted packet that would cause a denial of service. (CVE-2009-1385, Important)
      * the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate)
      * Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate)
      * a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel. (CVE-2009-1758, Moderate)
      * a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak. (CVE-2009-1192, Low)
      These updated packages also fix the following bugs :
      * '/proc/[pid]/maps' and '/proc/[pid]/smaps' can only be read by processes able to use the ptrace() call on a given process; however, certain information from '/proc/[pid]/stat' and '/proc/[pid]/wchan' could be used to reconstruct memory maps, making it possible to bypass the Address Space Layout Randomization (ASLR) security feature. This update addresses this issue. (BZ#499549)
      * in some situations, the link count was not decreased when renaming unused files on NFS mounted file systems. This may have resulted in poor performance. With this update, the link count is decreased in these situations, the same as is done for other file operations, such as unlink and rmdir. (BZ#501802)
      * tcp_ack() cleared the probes_out variable even if there were outstanding packets. When low TCP keepalive intervals were used, this bug may have caused problems, such as connections terminating, when using remote tools such as rsh and rlogin. (BZ#501754)
      * off-by-one errors in the time normalization code could have caused clock_gettime() to return one billion nanoseconds, rather than adding an extra second. This bug could have caused the name service cache daemon (nscd) to consume excessive CPU resources. (BZ#501800)
      * a system panic could occur when one thread read '/proc/bus/input/devices' while another was removing a device. With this update, a mutex has been added to protect the input_dev_list and input_handler_list variables, which resolves this issue. (BZ#501804)
      * using netdump may have caused a kernel deadlock on some systems. (BZ#504565)
      * the file system mask, which lists capabilities for users with a file system user ID (fsuid) of 0, was missing the CAP_MKNOD and CAP_LINUX_IMMUTABLE capabilities. This could, potentially, allow users with an fsuid other than 0 to perform actions on some file system types that would otherwise be prevented. This update adds these capabilities. (BZ#497269)
      All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues. Note: The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67884
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67884
    title Oracle Linux 4 : kernel (ELSA-2009-1132)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1106.NASL
    description Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes :
    * several flaws were found in the way the Linux kernel CIFS implementation handles Unicode strings. CIFS clients convert Unicode strings sent by a server to their local character sets, and then write those strings into memory. If a malicious server sent a long enough string, it could write past the end of the target memory region and corrupt other memory areas, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share. (CVE-2009-1439, CVE-2009-1633, Important)
    * the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate)
    * Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate)
    * a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel. (CVE-2009-1758, Moderate)
    * a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak. (CVE-2009-1192, Low)
    Bug fixes :
    * a race in the NFS client between destroying cached access rights and unmounting an NFS file system could have caused a system crash. 'Busy inodes' messages may have been logged. (BZ#498653)
    * nanosleep() could sleep several milliseconds less than the specified time on Intel Itanium(r)-based systems. (BZ#500349)
    * LEDs for disk drives in AHCI mode may have displayed a fault state when there were no faults. (BZ#500120)
    * ptrace_do_wait() reported tasks were stopped each time the process doing the trace called wait(), instead of reporting it once. (BZ#486945)
    * epoll_wait() may have caused a system lockup and problems for applications. (BZ#497322)
    * missing capabilities could possibly allow users with an fsuid other than 0 to perform actions on some file system types that would otherwise be prevented. (BZ#497271)
    * on NFS mounted file systems, heavy write loads may have blocked nfs_getattr() for long periods, causing commands that use stat(2), such as ls, to hang. (BZ#486926)
    * in rare circumstances, if an application performed multiple O_DIRECT reads per virtual memory page and also performed fork(2), the buffer storing the result of the I/O may have ended up with invalid data. (BZ#486921)
    * when using GFS2, gfs2_quotad may have entered an uninterruptible sleep state. (BZ#501742)
    * with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. (BZ#499783)
    * the '-fwrapv' flag was added to the gcc build options to prevent gcc from optimizing away wrapping. (BZ#501751)
    * a kernel panic could occur when enabling and disabling iSCSI paths. (BZ#502916)
    * using the Broadcom NetXtreme BCM5704 network device with the tg3 driver caused high system load and very bad performance. (BZ#502837)
    * '/proc/[pid]/maps' and '/proc/[pid]/smaps' can only be read by processes able to use the ptrace() call on a given process; however, certain information from '/proc/[pid]/stat' and '/proc/[pid]/wchan' could be used to reconstruct memory maps. (BZ#499546)
    Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43757
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43757
    title CentOS 5 : kernel (CESA-2009:1106)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1132.NASL
    description Updated kernel packages that fix several security issues and various bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues :
    * a flaw was found in the Intel PRO/1000 network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially crafted packet that would cause a denial of service. (CVE-2009-1385, Important)
    * the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate)
    * Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate)
    * a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel. (CVE-2009-1758, Moderate)
    * a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak. (CVE-2009-1192, Low)
    These updated packages also fix the following bugs :
    * '/proc/[pid]/maps' and '/proc/[pid]/smaps' can only be read by processes able to use the ptrace() call on a given process; however, certain information from '/proc/[pid]/stat' and '/proc/[pid]/wchan' could be used to reconstruct memory maps, making it possible to bypass the Address Space Layout Randomization (ASLR) security feature. This update addresses this issue. (BZ#499549)
    * in some situations, the link count was not decreased when renaming unused files on NFS mounted file systems. This may have resulted in poor performance. With this update, the link count is decreased in these situations, the same as is done for other file operations, such as unlink and rmdir. (BZ#501802)
    * tcp_ack() cleared the probes_out variable even if there were outstanding packets. When low TCP keepalive intervals were used, this bug may have caused problems, such as connections terminating, when using remote tools such as rsh and rlogin. (BZ#501754)
    * off-by-one errors in the time normalization code could have caused clock_gettime() to return one billion nanoseconds, rather than adding an extra second. This bug could have caused the name service cache daemon (nscd) to consume excessive CPU resources. (BZ#501800)
    * a system panic could occur when one thread read '/proc/bus/input/devices' while another was removing a device. With this update, a mutex has been added to protect the input_dev_list and input_handler_list variables, which resolves this issue. (BZ#501804)
    * using netdump may have caused a kernel deadlock on some systems. (BZ#504565)
    * the file system mask, which lists capabilities for users with a file system user ID (fsuid) of 0, was missing the CAP_MKNOD and CAP_LINUX_IMMUTABLE capabilities. This could, potentially, allow users with an fsuid other than 0 to perform actions on some file system types that would otherwise be prevented. This update adds these capabilities. (BZ#497269)
    All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues. Note: The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 39583
    published 2009-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39583
    title RHEL 4 : kernel (RHSA-2009:1132)
oval via4
accepted 2013-04-29T04:04:31.508-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The hypervisor_callback function in Xen, possibly before 3.4.0, as applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably other versions allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in "certain address ranges."
family unix
id oval:org.mitre.oval:def:10313
status accepted
submitted 2010-07-09T03:56:16-04:00
title The hypervisor_callback function in Xen, possibly before 3.4.0, as applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably other versions allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in "certain address ranges."
version 24
redhat via4
advisories
bugzilla
id 504565
title e1000e: sporadic hang in netdump
oval
AND
  • comment Red Hat Enterprise Linux 4 is installed
    oval oval:com.redhat.rhsa:tst:20060016001
  • OR
    • AND
      • comment kernel is earlier than 0:2.6.9-89.0.3.EL
        oval oval:com.redhat.rhsa:tst:20091132002
      • comment kernel is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20060689003
    • AND
      • comment kernel-devel is earlier than 0:2.6.9-89.0.3.EL
        oval oval:com.redhat.rhsa:tst:20091132004
      • comment kernel-devel is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20060689005
    • AND
      • comment kernel-doc is earlier than 0:2.6.9-89.0.3.EL
        oval oval:com.redhat.rhsa:tst:20091132022
      • comment kernel-doc is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20060689019
    • AND
      • comment kernel-hugemem is earlier than 0:2.6.9-89.0.3.EL
        oval oval:com.redhat.rhsa:tst:20091132020
      • comment kernel-hugemem is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20060689017
    • AND
      • comment kernel-hugemem-devel is earlier than 0:2.6.9-89.0.3.EL
        oval oval:com.redhat.rhsa:tst:20091132018
      • comment kernel-hugemem-devel is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20060689015
    • AND
      • comment kernel-largesmp is earlier than 0:2.6.9-89.0.3.EL
        oval oval:com.redhat.rhsa:tst:20091132006
      • comment kernel-largesmp is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20060689013
    • AND
      • comment kernel-largesmp-devel is earlier than 0:2.6.9-89.0.3.EL
        oval oval:com.redhat.rhsa:tst:20091132016
      • comment kernel-largesmp-devel is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20060689009
    • AND
      • comment kernel-smp is earlier than 0:2.6.9-89.0.3.EL
        oval oval:com.redhat.rhsa:tst:20091132014
      • comment kernel-smp is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20060689011
    • AND
      • comment kernel-smp-devel is earlier than 0:2.6.9-89.0.3.EL
        oval oval:com.redhat.rhsa:tst:20091132008
      • comment kernel-smp-devel is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20060689007
    • AND
      • comment kernel-xenU is earlier than 0:2.6.9-89.0.3.EL
        oval oval:com.redhat.rhsa:tst:20091132012
      • comment kernel-xenU is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20070488009
    • AND
      • comment kernel-xenU-devel is earlier than 0:2.6.9-89.0.3.EL
        oval oval:com.redhat.rhsa:tst:20091132010
      • comment kernel-xenU-devel is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20070488011
rhsa
id RHSA-2009:1132
released 2009-06-30
severity Important
title RHSA-2009:1132: kernel security and bug fix update (Important)
rpms
  • kernel-0:2.6.18-128.1.14.el5
  • kernel-PAE-0:2.6.18-128.1.14.el5
  • kernel-PAE-devel-0:2.6.18-128.1.14.el5
  • kernel-debug-0:2.6.18-128.1.14.el5
  • kernel-debug-devel-0:2.6.18-128.1.14.el5
  • kernel-devel-0:2.6.18-128.1.14.el5
  • kernel-doc-0:2.6.18-128.1.14.el5
  • kernel-headers-0:2.6.18-128.1.14.el5
  • kernel-kdump-0:2.6.18-128.1.14.el5
  • kernel-kdump-devel-0:2.6.18-128.1.14.el5
  • kernel-xen-0:2.6.18-128.1.14.el5
  • kernel-xen-devel-0:2.6.18-128.1.14.el5
  • kernel-0:2.6.9-89.0.3.EL
  • kernel-devel-0:2.6.9-89.0.3.EL
  • kernel-doc-0:2.6.9-89.0.3.EL
  • kernel-hugemem-0:2.6.9-89.0.3.EL
  • kernel-hugemem-devel-0:2.6.9-89.0.3.EL
  • kernel-largesmp-0:2.6.9-89.0.3.EL
  • kernel-largesmp-devel-0:2.6.9-89.0.3.EL
  • kernel-smp-0:2.6.9-89.0.3.EL
  • kernel-smp-devel-0:2.6.9-89.0.3.EL
  • kernel-xenU-0:2.6.9-89.0.3.EL
  • kernel-xenU-devel-0:2.6.9-89.0.3.EL
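The OVAL criteria above reduce to one question per package: is the installed kernel's epoch:version-release earlier than 0:2.6.9-89.0.3.EL (RHEL 4) or, for the RHEL 5 packages in the rpms list, 0:2.6.18-128.1.14.el5? "Earlier" here is rpm's ordering, not a string compare, and that matters for these exact releases (89.0.11 is newer than 89.0.3; 89.EL is older than 89.0.3.EL). The following Python is an added example, not code from this CVE record, from Red Hat or from the OVAL definitions: it implements the rpmvercmp segment rules and evaluates the version half of the criterion against constructed installed-kernel strings. The "signed with Red Hat master key" half of each AND is deliberately not reproduced; it exists so that a self-built kernel with a low version number does not match, which anyone using this check by hand should keep in mind. The dist-tag mapping (.el5 for RHEL 5, .EL for RHEL 4), the handling of rpm's "(none)" epoch, and the sample EVRs are assumptions made for the example.

```python
"""Version half of the OVAL 'kernel is earlier than <fixed EVR>' tests for
RHSA-2009:1132 (RHEL 4) and RHSA-2009:1106 (RHEL 5). Added example only."""
import re

# Fixed kernel EVRs, taken from the rpms list of this record. Every kernel
# variant of a line (kernel, kernel-xen, kernel-xenU, kernel-PAE, ...)
# carries the same EVR, so one threshold per line is enough.
FIXED_KERNEL_EVR = {
    "el5": "0:2.6.18-128.1.14.el5",   # Red Hat Enterprise Linux 5
    "EL": "0:2.6.9-89.0.3.EL",        # Red Hat Enterprise Linux 4
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release).
    A missing epoch, or rpm's '(none)' placeholder, counts as 0 (assumption
    matching rpm's own treatment of an unset Epoch)."""
    epoch = 0
    if evr.startswith("(none):"):
        evr = evr[len("(none):"):]
    elif ":" in evr:
        head, evr = evr.split(":", 1)
        epoch = int(head)
    version, _, release = evr.partition("-")
    return epoch, version, release


def rpmvercmp(a, b):
    """Order two version (or release) strings the way rpm's rpmvercmp() does.
    Strings are cut into runs of digits and runs of letters; any other
    character is a separator. Segments are compared pairwise: digit runs
    numerically ('11' > '3', unlike a string compare), letter runs lexically,
    a digit run beats a letter run, and a tilde sorts before anything, even
    the end of the string. Whichever string has segments left over wins.
    The caret rule of newer rpm is not reproduced. Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while True:
        ta = sa[i] if i < len(sa) else None
        tb = sb[i] if i < len(sb) else None
        if ta == "~" or tb == "~":
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            i += 1
            continue
        if ta is None and tb is None:
            return 0
        if ta is None:
            return -1
        if tb is None:
            return 1
        if ta.isdigit() != tb.isdigit():
            return 1 if ta.isdigit() else -1
        if ta.isdigit():
            na, nb = int(ta), int(tb)          # int() drops leading zeros
            if na != nb:
                return 1 if na > nb else -1
        elif ta != tb:
            return 1 if ta > tb else -1
        i += 1


def evr_cmp(a, b):
    """Full rpm ordering: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def release_line(evr):
    """Map an EVR to its RHEL line by the dist tag ending the release field
    (assumption for this example: '.el5' is RHEL 5, '.EL' is RHEL 4)."""
    release = parse_evr(evr)[2]
    for tag in FIXED_KERNEL_EVR:
        if release.endswith("." + tag):
            return tag
    return None


def kernel_is_vulnerable(installed_evr):
    """True when the installed kernel is earlier than the fixed EVR of its
    line, i.e. the version half of the OVAL criterion holds. The signature
    half ('signed with Red Hat master key') is not evaluated here."""
    tag = release_line(installed_evr)
    if tag is None:
        raise ValueError("not a RHEL 4/5 kernel EVR: %s" % installed_evr)
    return evr_cmp(installed_evr, FIXED_KERNEL_EVR[tag]) < 0


if __name__ == "__main__":
    # Constructed sample output of
    #   rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' kernel
    # from hypothetical hosts; not real inventory data.
    for evr in ("0:2.6.18-128.1.10.el5", "0:2.6.18-128.1.14.el5",
                "0:2.6.9-89.EL", "0:2.6.9-89.0.3.EL", "0:2.6.9-89.0.11.EL"):
        state = "VULNERABLE" if kernel_is_vulnerable(evr) else "fixed"
        print("%-26s %s" % (evr, state))
```

Feed it the real output of the rpm query in the comment (one line per installed kernel package, since several kernels can be installed side by side, and the running one is what matters for this guest-side oops); a host is only clear when the kernel it actually booted compares as fixed.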
refmap via4
bid 34957
debian DSA-1809
mlist
  • [Xen-devel] 20090513 [PATCH] linux/i386: hypervisor_callback adjustments
  • [oss-security] 20090514 CVE Request: XEN local denial of service
secunia
  • 35093
  • 35298
statements via4
contributor Tomas Hoger
lastmodified 2009-09-10
organization Red Hat
statement This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2009-1132.html and https://rhn.redhat.com/errata/RHSA-2009-1106.html .
Last major update 21-08-2010 - 01:32
Published 22-05-2009 - 07:52
Last modified 28-09-2017 - 21:34