Oracle Linux 5 : Unbreakable Enterprise kernel (ELSA-2010-2011)

high Nessus Plugin ID 68175

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

Description of changes:

Following Security fixes are included in this unbreakable enterprise kernel errata:

CVE-2010-3432 The sctp_packet_config function in net/sctp/output.c in the Linux kernel before 2.6.35.6 performs extraneous initializations of packet data structures, which allows remote attackers to cause a denial of service (panic) via a certain sequence of SCTP traffic.
CVE-2010-2962 drivers/gpu/drm/i915/i915_gem.c in the Graphics Execution Manager (GEM) in the Intel i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.36 does not properly validate pointers to blocks of memory, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via crafted use of the ioctl interface, related to (1) pwrite and (2) pread operations.
CVE-2010-2955 The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the Linux kernel before 2.6.36-rc3-next-20100831 does not properly initialize certain structure members, which allows local users to leverage an off-by-one error in the ioctl_standard_iw_point function in net/wireless/wext-core.c, and obtain potentially sensitive information from kernel heap memory, via vectors involving an SIOCGIWESSID ioctl call that specifies a large buffer size.
CVE-2010-3705 The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux kernel before 2.6.36 does not properly validate the hmac_ids array of an SCTP peer, which allows remote attackers to cause a denial of service (memory corruption and panic) via a crafted value in the last element of this array.
CVE-2010-3084 Buffer overflow in the niu_get_ethtool_tcam_all function in drivers/net/niu.c in the Linux kernel before 2.6.36-rc4 allows local users to cause a denial of service or possibly have unspecified other impact via the ETHTOOL_GRXCLSRLALL ethtool command.
CVE-2010-3437 Integer signedness error in the pkt_find_dev_from_minor function in drivers/block/pktcdvd.c in the Linux kernel before 2.6.36-rc6 allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and system crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.
CVE-2010-3079 kernel/trace/ftrace.c in the Linux kernel before 2.6.35.5, when debugfs is enabled, does not properly handle interaction between mutex possession and llseek operations, which allows local users to cause a denial of service (NULL pointer dereference and outage of all function tracing files) via an lseek call on a file descriptor associated with the set_ftrace_filter file.
CVE-2010-3698 The KVM implementation in the Linux kernel before 2.6.36 does not properly reload the FS and GS segment registers, which allows host OS users to cause a denial of service (host OS crash) via a KVM_RUN ioctl call in conjunction with a modified Local Descriptor Table (LDT).
CVE-2010-3442 Multiple integer overflows in the snd_ctl_new function in sound/core/control.c in the Linux kernel before 2.6.36-rc5-next-20100929 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.


[2.6.32-100.24.1.el5]
- [sctp] Do not reset the packet during sctp_packet_con[CVE-2010-3432]
- [drm/i915] Sanity check pread/pwrite [CVE-2010-2962]
- [wireless] fix kernel heap content leak [CVE-2010-2955]
- [sctp] Fix out-of-bounds reading in sctp_asoc_get_hmac() [CVE-2010-3705]
- [niu] Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL [CVE-2010-3084]
- Fix pktcdvd ioctl dev_minor range check [CVE-2010-3437]
- Do not allow llseek to set_ftrace_filter [CVE-2010-3079]
- [kvm] Fix fs/gs reload oops with invalid ldt [CVE-2010-3698]
- [alsa] prevent heap corruption in snd_ctl_new() [CVE-2010-3442]
- Fix LACP bonding mode (Tina Yang)
- Fix grat arps on bonded interfaces (Tina Yang)

Solution

Update the affected unbreakable enterprise kernel packages.

See Also

https://oss.oracle.com/pipermail/el-errata/2010-December/001775.html

Plugin Details

Severity: High

ID: 68175

File Name: oraclelinux_ELSA-2010-2011.nasl

Version: 1.15

Type: local

Agent: unix

Published: 7/12/2013

Updated: 8/24/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.8

CVSS v2

Risk Factor: High

Base Score: 8.3

Vector: CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:kernel, p-cpe:/a:oracle:linux:kernel-debug, p-cpe:/a:oracle:linux:kernel-debug-devel, p-cpe:/a:oracle:linux:kernel-devel, p-cpe:/a:oracle:linux:kernel-doc, p-cpe:/a:oracle:linux:kernel-firmware, p-cpe:/a:oracle:linux:kernel-headers, p-cpe:/a:oracle:linux:ofa-2.6.32-100.24.1.el5, p-cpe:/a:oracle:linux:ofa-2.6.32-100.24.1.el5debug, cpe:/o:oracle:linux:5

Required KB Items: Host/local_checks_enabled, Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/15/2010

Vulnerability Publication Date: 9/8/2010

Reference Information

CVE: CVE-2010-2955, CVE-2010-2962, CVE-2010-3079, CVE-2010-3084, CVE-2010-3432, CVE-2010-3437, CVE-2010-3442, CVE-2010-3698, CVE-2010-3705