Oracle Linux 6 : kernel (ELSA-2013-0744)

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote Oracle Linux host is missing one or more security updates.

Description :

From Red Hat Security Advisory 2013:0744 :

Updated kernel packages that fix multiple security issues and several
bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

Security :

* An integer overflow flaw, leading to a heap-based buffer overflow,
was found in the way the Intel i915 driver in the Linux kernel handled
the allocation of the buffer used for relocation copies. A local user
with console access could use this flaw to cause a denial of service
or escalate their privileges. (CVE-2013-0913, Important)

* A buffer overflow flaw was found in the way UTF-8 characters were
converted to UTF-16 in the utf8s_to_utf16s() function of the Linux
kernel's FAT file system implementation. A local user able to mount a
FAT file system with the 'utf8=1' option could use this flaw to crash
the system or, potentially, to escalate their privileges.
(CVE-2013-1773, Important)

* A flaw was found in the way KVM handled guest time updates when the
buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME
machine state register (MSR) crossed a page boundary. A privileged
guest user could use this flaw to crash the host or, potentially,
escalate their privileges, allowing them to execute arbitrary code at
the host kernel level. (CVE-2013-1796, Important)

* A potential use-after-free flaw was found in the way KVM handled
guest time updates when the GPA (guest physical address) the guest
registered by writing to the MSR_KVM_SYSTEM_TIME machine state
register (MSR) fell into a movable or removable memory region of the
hosting user-space process (by default, QEMU-KVM) on the host. If that
memory region is deregistered from KVM using
KVM_SET_USER_MEMORY_REGION and the allocated virtual memory reused, a
privileged guest user could potentially use this flaw to escalate
their privileges on the host. (CVE-2013-1797, Important)

* A flaw was found in the way KVM emulated IOAPIC (I/O Advanced
Programmable Interrupt Controller). A missing validation check in the
ioapic_read_indirect() function could allow a privileged guest user to
crash the host, or read a substantial portion of host kernel memory.
(CVE-2013-1798, Important)

* A race condition in install_user_keyrings(), leading to a NULL
pointer dereference, was found in the key management facility. A
local, unprivileged user could use this flaw to cause a denial of
service. (CVE-2013-1792, Moderate)

* A NULL pointer dereference in the XFRM implementation could allow a
local user who has the CAP_NET_ADMIN capability to cause a denial of
service. (CVE-2013-1826, Moderate)

* A NULL pointer dereference in the Datagram Congestion Control
Protocol (DCCP) implementation could allow a local user to cause a
denial of service. (CVE-2013-1827, Moderate)

* Information leak flaws in the XFRM implementation could allow a
local user who has the CAP_NET_ADMIN capability to leak kernel stack
memory to user-space. (CVE-2012-6537, Low)

* Two information leak flaws in the Asynchronous Transfer Mode (ATM)
subsystem could allow a local, unprivileged user to leak kernel stack
memory to user-space. (CVE-2012-6546, Low)

* An information leak was found in the TUN/TAP device driver in the
networking implementation. A local user with access to a TUN/TAP
virtual interface could use this flaw to leak kernel stack memory to
user-space. (CVE-2012-6547, Low)

* An information leak in the Bluetooth implementation could allow a
local user who has the CAP_NET_ADMIN capability to leak kernel stack
memory to user-space. (CVE-2013-0349, Low)

* A use-after-free flaw was found in the tmpfs implementation. A local
user able to mount and unmount a tmpfs file system could use this flaw
to cause a denial of service or, potentially, escalate their
privileges. (CVE-2013-1767, Low)

* A NULL pointer dereference was found in the Linux kernel's USB
Inside Out Edgeport Serial Driver implementation. An attacker with
physical access to a system could use this flaw to cause a denial of
service. (CVE-2013-1774, Low)

Red Hat would like to thank Andrew Honig of Google for reporting
CVE-2013-1796, CVE-2013-1797, and CVE-2013-1798. CVE-2013-1792 was
discovered by Mateusz Guzik of Red Hat EMEA GSS SEG Team.

See also :

https://oss.oracle.com/pipermail/el-errata/2013-April/003431.html

Solution :

Update the affected kernel packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false