24492

25228

25288

25392

25961

26620

DSA-1289

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.3

MDKSA-2007:171

SUSE-SA:2007:043

RHSA-2007:0347

22946

USN-464-1

ADV-2007-0944

oval:org.mitre.oval:def:9831

From Red Hat Security Advisory 2007:0347 :

Updated kernel packages that fix security issues and bugs in the Red Hat Enterprise Linux 5 kernel are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the following security issues :

* a flaw in the handling of IPv6 type 0 routing headers that allowed remote users to cause a denial of service that led to a network amplification between two routers (CVE-2007-2242, Important).

* a flaw in the nfnetlink_log netfilter module that allowed a local user to cause a denial of service (CVE-2007-1496, Important).

* a flaw in the flow list of listening IPv6 sockets that allowed a local user to cause a denial of service (CVE-2007-1592, Important).

* a flaw in the handling of netlink messages that allowed a local user to cause a denial of service (infinite recursion) (CVE-2007-1861, Important).

* a flaw in the IPv4 forwarding base that allowed a local user to cause an out-of-bounds access (CVE-2007-2172, Important).

* a flaw in the nf_conntrack netfilter module for IPv6 that allowed remote users to bypass certain netfilter rules using IPv6 fragments (CVE-2007-1497, Moderate).

In addition to the security issues described above, fixes for the following have been included :

* a regression in ipv6 routing.

* an error in memory initialization that caused gdb to output inaccurate backtraces on ia64.

* the nmi watchdog timeout was updated from 5 to 30 seconds.

* a flaw in distributed lock management that could result in errors during virtual machine migration.

* an omitted include in kernel-headers that led to compile failures for some packages.

Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to correct these issues.

These new kernel packages contain fixes for the following security issues :

  - a flaw in the handling of IPv6 type 0 routing headers     that allowed remote users to cause a denial of service     that led to a network amplification between two routers     (CVE-2007-2242, Important).

  - a flaw in the nfnetlink_log netfilter module that     allowed a local user to cause a denial of service     (CVE-2007-1496, Important).

  - a flaw in the flow list of listening IPv6 sockets that     allowed a local user to cause a denial of service     (CVE-2007-1592, Important).

  - a flaw in the handling of netlink messages that allowed     a local user to cause a denial of service (infinite     recursion) (CVE-2007-1861, Important).

  - a flaw in the IPv4 forwarding base that allowed a local     user to cause an out-of-bounds access (CVE-2007-2172,     Important).

  - a flaw in the nf_conntrack netfilter module for IPv6     that allowed remote users to bypass certain netfilter     rules using IPv6 fragments (CVE-2007-1497, Moderate).

In addition to the security issues described above, fixes for the following have been included :

  - a regression in ipv6 routing.

  - an error in memory initialization that caused gdb to     output inaccurate backtraces on ia64.

  - the nmi watchdog timeout was updated from 5 to 30     seconds.

  - a flaw in distributed lock management that could result     in errors during virtual machine migration.

  - an omitted include in kernel-headers that led to compile     failures for some packages.

Updated kernel packages that fix security issues and bugs in the Red Hat Enterprise Linux 5 kernel are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the following security issues :

* a flaw in the handling of IPv6 type 0 routing headers that allowed remote users to cause a denial of service that led to a network amplification between two routers (CVE-2007-2242, Important).

* a flaw in the nfnetlink_log netfilter module that allowed a local user to cause a denial of service (CVE-2007-1496, Important).

* a flaw in the flow list of listening IPv6 sockets that allowed a local user to cause a denial of service (CVE-2007-1592, Important).

* a flaw in the handling of netlink messages that allowed a local user to cause a denial of service (infinite recursion) (CVE-2007-1861, Important).

* a flaw in the IPv4 forwarding base that allowed a local user to cause an out-of-bounds access (CVE-2007-2172, Important).

* a flaw in the nf_conntrack netfilter module for IPv6 that allowed remote users to bypass certain netfilter rules using IPv6 fragments (CVE-2007-1497, Moderate).

In addition to the security issues described above, fixes for the following have been included :

* a regression in ipv6 routing.

* an error in memory initialization that caused gdb to output inaccurate backtraces on ia64.

* the nmi watchdog timeout was updated from 5 to 30 seconds.

* a flaw in distributed lock management that could result in errors during virtual machine migration.

* an omitted include in kernel-headers that led to compile failures for some packages.

Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to correct these issues.

Philipp Richter discovered that the AppleTalk protocol handler did not sufficiently verify the length of packets. By sending a crafted AppleTalk packet, a remote attacker could exploit this to crash the kernel. (CVE-2007-1357)

Gabriel Campana discovered that the do_ipv6_setsockopt() function did not sufficiently verifiy option values for IPV6_RTHDR. A local attacker could exploit this to trigger a kernel crash. (CVE-2007-1388)

A Denial of Service vulnerability was discovered in the nfnetlink_log() netfilter function. A remote attacker could exploit this to trigger a kernel crash. (CVE-2007-1496)

The connection tracking module for IPv6 did not properly handle the status field when reassembling fragmented packets, so that the final packet always had the 'established' state. A remote attacker could exploit this to bypass intended firewall rules. (CVE-2007-1497)

Masayuki Nakagawa discovered an error in the flowlabel handling of IPv6 network sockets. A local attacker could exploit this to crash the kernel. (CVE-2007-1592)

The do_dccp_getsockopt() function did not sufficiently verify the optlen argument. A local attacker could exploit this to read kernel memory (which might expose sensitive data) or cause a kernel crash.
This only affects Ubuntu 7.04. (CVE-2007-1730)

The IPv4 and DECnet network protocol handlers incorrectly declared an array variable so that it became smaller than intended. By sending crafted packets over a netlink socket, a local attacker could exploit this to crash the kernel. (CVE-2007-2172).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This kernel update fixes the following security problems :

  - CVE-2007-1861: The nl_fib_lookup function in     net/ipv4/fib_frontend.c allows attackers to cause a     denial of service (kernel panic) via NETLINK_FIB_LOOKUP     replies, which trigger infinite recursion and a stack     overflow.

  - CVE-2007-1496: nfnetlink_log in netfilter allows     attackers to cause a denial of service (crash) via     unspecified vectors involving the (1) nfulnl_recv_config     function, (2) using 'multiple packets per netlink     message', and (3) bridged packets, which trigger a NULL     pointer dereference.

  - CVE-2007-1497: nf_conntrack in netfilter does not set     nfctinfo during reassembly of fragmented packets, which     leaves the default value as IP_CT_ESTABLISHED and might     allow remote attackers to bypass certain rulesets using     IPv6 fragments.

    Please note that the connection tracking option for IPv6     is not enabled in any currently shipping SUSE Linux     kernel, so it does not affect SUSE Linux default     kernels.

  - CVE-2007-2242: The IPv6 protocol allows remote attackers     to cause a denial of service via crafted IPv6 type 0     route headers (IPV6_RTHDR_TYPE_0) that create network     amplification between two routers.

    The behaviour has been disabled by default, and the     patch introduces a new sysctl with which the     administrator can reenable it again.

  - CVE-2006-7203: The compat_sys_mount function in     fs/compat.c allows local users to cause a denial of     service (NULL pointer dereference and oops) by mounting     a smbfs file system in compatibility mode ('mount -t     smbfs').

  - CVE-2007-2453: Seeding of the kernel random generator on     boot did not work correctly due to a programming mistake     and so the kernel might have more predictable random     numbers than assured.

  - CVE-2007-2876: A NULL pointer dereference in SCTP     connection tracking could be caused by a remote attacker     by sending specially crafted packets. Note that this     requires SCTP set-up and active to be exploitable.

and the following non security bugs :

    - patches.fixes/cpufreq_fix_limited_on_battery.patch:
      Fix limited freq when booted on battery. [#231107]

    - patches.fixes/usb-keyspan-regression-fix.patch: USB:
      keyspan regression fix [#240919]

  - -     patches.fixes/hpt366-dont-check-enablebits-for-hpt36x.pa     tch: hpt366: don't check enablebits for HPT36x [#278696]

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

The Linux kernel did not properly save or restore EFLAGS during a context switch, or reset the flags when creating new threads, which allowed local users to cause a denial of service (process crash) (CVE-2006-5755).

The compat_sys_mount function in fs/compat.c allowed local users to cause a denial of service (NULL pointer dereference and oops) by mounting a smbfs file system in compatibility mode (CVE-2006-7203).

The nfnetlink_log function in netfilter allowed an attacker to cause a denial of service (crash) via unspecified vectors which would trigger a NULL pointer dereference (CVE-2007-1496).

The nf_conntrack function in netfilter did not set nfctinfo during reassembly of fragmented packets, which left the default value as IP_CT_ESTABLISHED and could allow remote attackers to bypass certain rulesets using IPv6 fragments (CVE-2007-1497).

The netlink functionality did not properly handle NETLINK_FIB_LOOKUP replies, which allowed a remote attacker to cause a denial of service (resource consumption) via unspecified vectors, probably related to infinite recursion (CVE-2007-1861).

A typo in the Linux kernel caused RTA_MAX to be used as an array size instead of RTN_MAX, which lead to an out of bounds access by certain functions (CVE-2007-2172).

The IPv6 protocol allowed remote attackers to cause a denial of service via crafted IPv6 type 0 route headers that create network amplification between two routers (CVE-2007-2242).

The random number feature did not properly seed pools when there was no entropy, or used an incorrect cast when extracting entropy, which could cause the random number generator to provide the same values after reboots on systems without an entropy source (CVE-2007-2453).

A memory leak in the PPPoE socket implementation allowed local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized (CVE-2007-2525).

An integer underflow in the cpuset_tasks_read function, when the cpuset filesystem is mounted, allowed local users to obtain kernel memory contents by using a large offset when reading the /dev/cpuset/tasks file (CVE-2007-2875).

The sctp_new function in netfilter allowed remote attackers to cause a denial of service by causing certain invalid states that triggered a NULL pointer dereference (CVE-2007-2876).

In addition to these security fixes, other fixes have been included such as :

  - Fix crash on netfilter when nfnetlink_log is used on     certain hooks on packets forwarded to or from a bridge

  - Fixed busy sleep on IPVS which caused high load averages

    - Fixed possible race condition on ext[34]_link

    - Fixed missing braces in condition block that led to       wrong behaviour in NFS

  - Fixed XFS lock deallocation that resulted in oops when     unmounting

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2007-1496     Michal Miroslaw reported a DoS vulnerability (crash) in     netfilter. A remote attacker can cause a NULL pointer     dereference in the nfnetlink_log function.

  - CVE-2007-1497     Patrick McHardy reported an vulnerability in netfilter     that may allow attackers to bypass certain firewall     rules. The nfctinfo value of reassembled IPv6 packet     fragments were incorrectly initialized to 0 which     allowed these packets to become tracked as ESTABLISHED.

  - CVE-2007-1861     Jaco Kroon reported a bug in which NETLINK_FIB_LOOKUP     packages were incorrectly routed back to the kernel     resulting in an infinite recursion condition. Local     users can exploit this behavior to cause a DoS (crash).

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2007-0347.

ID	Name	Product	Family	Severity
67495	Oracle Linux 5 : kernel (ELSA-2007-0347)	Nessus	Oracle Linux Local Security Checks	high
60181	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
43641	CentOS 5 : kernel (CESA-2007:0347)	Nessus	CentOS Local Security Checks	high
28064	Ubuntu 6.06 LTS / 6.10 / 7.04 : linux-source-2.6.15/2.6.17/2.6.20 vulnerabilities (USN-464-1)	Nessus	Ubuntu Local Security Checks	high
27295	openSUSE 10 Security Update : kernel (kernel-3760)	Nessus	SuSE Local Security Checks	high
25968	Mandrake Linux Security Advisory : kernel (MDKSA-2007:171)	Nessus	Mandriva Local Security Checks	high
25333	RHEL 5 : kernel (RHSA-2007:0347)	Nessus	Red Hat Local Security Checks	high
25226	Debian DSA-1289-1 : linux-2.6 - several vulnerabilities	Nessus	Debian Local Security Checks	medium
801427	CentOS RHSA-2007-0347 Security Check	Log Correlation Engine	Generic	high

CVE-2007-1496

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

medium

high