35926

25505

26133

26139

26760

27436

27747

28626

http://support.avaya.com/elmodocs2/security/ASA-2007-474.htm

DSA-1479

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.2

RHSA-2007:0705

RHSA-2007:0939

24134

USN-486-1

USN-489-1

USN-510-1

ADV-2007-2023

kernel-vfatioctls-dos(34669)

oval:org.mitre.oval:def:11674

From Red Hat Security Advisory 2007:0939 :

Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel is the core of the operating system.

These updated kernel packages contain fixes for the following security issues :

* A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling.
(CVE-2007-3848, Important)

* A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important)

* A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important)

* A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate)

* A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate)

* A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate)

* A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate)

* A flaw was found in the CIFS file system handling. The mount option 'sec=' did not enable integrity checking or produce an error message if used. (CVE-2007-3843, Low)

* A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. This flaw could be exploited if the root user raised the default wakeup threshold over the size of the output pool.
(CVE-2007-3105, Low)

Additionally, the following bugs were fixed :

* A flaw was found in the kernel netpoll code, creating a potential deadlock condition. If the xmit_lock for a given network interface is held, and a subsequent netpoll event is generated from within the lock owning context (a console message for example), deadlock on that cpu will result, because the netpoll code will attempt to re-acquire the xmit_lock. The fix is to, in the netpoll code, only attempt to take the lock, and fail if it is already acquired (rather than block on it), and queue the message to be sent for later delivery. Any user of netpoll code in the kernel (netdump or netconsole services), is exposed to this problem, and should resolve the issue by upgrading to this kernel release immediately.

* A flaw was found where, under 64-bit mode (x86_64), AMD processors were not able to address greater than a 40-bit physical address space;
and Intel processors were only able to address up to a 36-bit physical address space. The fix is to increase the physical addressing for an AMD processor to 48 bits, and an Intel processor to 38 bits. Please see the Red Hat Knowledgebase for more detailed information.

* A flaw was found in the xenU kernel that may prevent a paravirtualized guest with more than one CPU from starting when running under an Enterprise Linux 5.1 hypervisor. The fix is to allow your Enterprise Linux 4 Xen SMP guests to boot under a 5.1 hypervisor.
Please see the Red Hat Knowledgebase for more detailed information.

Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

From Red Hat Security Advisory 2007:0705 :

Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the following security issues :

* a flaw in the DRM driver for Intel graphics cards that allowed a local user to access any part of the main memory. To access the DRM functionality a user must have access to the X server which is granted through the graphical login. This also only affected systems with an Intel 965 or later graphic chipset. (CVE-2007-3851, Important)

* a flaw in the VFAT compat ioctl handling on 64-bit systems that allowed a local user to corrupt a kernel_dirent struct and cause a denial of service (system crash). (CVE-2007-2878, Important)

* a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important)

* flaw in the CIFS filesystem which could cause the umask values of a process to not be honored. This affected CIFS filesystems where the Unix extensions are supported. (CVE-2007-3740, Important)

* a flaw in the stack expansion when using the hugetlb kernel on PowerPC systems that allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate)

* a flaw in the ISDN CAPI subsystem that allowed a remote user to cause a denial of service or potential remote access. Exploitation would require the attacker to be able to send arbitrary frames over the ISDN network to the victim's machine. (CVE-2007-1217, Moderate)

* a flaw in the cpuset support that allowed a local user to obtain sensitive information from kernel memory. To exploit this the cpuset filesystem would have to already be mounted. (CVE-2007-2875, Moderate)

* a flaw in the CIFS handling of the mount option 'sec=' that didn't enable integrity checking and didn't produce any error message.
(CVE-2007-3843, Low)

Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to correct these issues.

- A flaw was found in the handling of process death     signals. This allowed a local user to send arbitrary     signals to the suid-process executed by that user. A     successful exploitation of this flaw depends on the     structure of the suid-program and its signal handling.
    (CVE-2007-3848, Important)

  - A flaw was found in the CIFS file system. This could     cause the umask values of a process to not be honored on     CIFS file systems where UNIX extensions are supported.
    (CVE-2007-3740, Important)

  - A flaw was found in the VFAT compat ioctl handling on     64-bit systems. This allowed a local user to corrupt a     kernel_dirent struct and cause a denial of service.
    (CVE-2007-2878, Important)

  - A flaw was found in the Advanced Linux Sound     Architecture (ALSA). A local user who had the ability to     read the /proc/driver/snd-page-alloc file could see     portions of kernel memory. (CVE-2007-4571, Moderate)

  - A flaw was found in the aacraid SCSI driver. This     allowed a local user to make ioctl calls to the driver     that should be restricted to privileged users.
    (CVE-2007-4308, Moderate)

  - A flaw was found in the stack expansion when using the     hugetlb kernel on PowerPC systems. This allowed a local     user to cause a denial of service. (CVE-2007-3739,     Moderate)

  - A flaw was found in the handling of zombie processes. A     local user could create processes that would not be     properly reaped which could lead to a denial of service.
    (CVE-2006-6921, Moderate)

  - A flaw was found in the CIFS file system handling. The     mount option 'sec=' did not enable integrity checking or     produce an error message if used. (CVE-2007-3843, Low)

  - A flaw was found in the random number generator     implementation that allowed a local user to cause a     denial of service or possibly gain privileges. This flaw     could be exploited if the root user raised the default     wakeup threshold over the size of the output pool.
    (CVE-2007-3105, Low)

Additionally, the following bugs were fixed :

  - A flaw was found in the kernel netpoll code, creating a     potential deadlock condition. If the xmit_lock for a     given network interface is held, and a subsequent     netpoll event is generated from within the lock owning     context (a console message for example), deadlock on     that cpu will result, because the netpoll code will     attempt to re-acquire the xmit_lock. The fix is to, in     the netpoll code, only attempt to take the lock, and     fail if it is already acquired (rather than block on     it), and queue the message to be sent for later     delivery. Any user of netpoll code in the kernel     (netdump or netconsole services), is exposed to this     problem, and should resolve the issue by upgrading to     this kernel release immediately.

  - A flaw was found where, under 64-bit mode (x86_64), AMD     processors were not able to address greater than a     40-bit physical address space; and Intel processors were     only able to address up to a 36-bit physical address     space. The fix is to increase the physical addressing     for an AMD processor to 48 bits, and an Intel processor     to 38 bits.

  - A flaw was found in the xenU kernel that may prevent a     paravirtualized guest with more than one CPU from     starting when running under an Scientific Linux 5.1     hypervisor. The fix is to allow your Scientific Linux 4     Xen SMP guests to boot under a 5.1 hypervisor.

Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the following security issues :

* a flaw in the DRM driver for Intel graphics cards that allowed a local user to access any part of the main memory. To access the DRM functionality a user must have access to the X server which is granted through the graphical login. This also only affected systems with an Intel 965 or later graphic chipset. (CVE-2007-3851, Important)

* a flaw in the VFAT compat ioctl handling on 64-bit systems that allowed a local user to corrupt a kernel_dirent struct and cause a denial of service (system crash). (CVE-2007-2878, Important)

* a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important)

* flaw in the CIFS filesystem which could cause the umask values of a process to not be honored. This affected CIFS filesystems where the Unix extensions are supported. (CVE-2007-3740, Important)

* a flaw in the stack expansion when using the hugetlb kernel on PowerPC systems that allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate)

* a flaw in the ISDN CAPI subsystem that allowed a remote user to cause a denial of service or potential remote access. Exploitation would require the attacker to be able to send arbitrary frames over the ISDN network to the victim's machine. (CVE-2007-1217, Moderate)

* a flaw in the cpuset support that allowed a local user to obtain sensitive information from kernel memory. To exploit this the cpuset filesystem would have to already be mounted. (CVE-2007-2875, Moderate)

* a flaw in the CIFS handling of the mount option 'sec=' that didn't enable integrity checking and didn't produce any error message.
(CVE-2007-3843, Low)

Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to correct these issues.

Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel is the core of the operating system.

These updated kernel packages contain fixes for the following security issues :

* A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling.
(CVE-2007-3848, Important)

* A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important)

* A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important)

* A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate)

* A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate)

* A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate)

* A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate)

* A flaw was found in the CIFS file system handling. The mount option 'sec=' did not enable integrity checking or produce an error message if used. (CVE-2007-3843, Low)

* A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. This flaw could be exploited if the root user raised the default wakeup threshold over the size of the output pool.
(CVE-2007-3105, Low)

Additionally, the following bugs were fixed :

* A flaw was found in the kernel netpoll code, creating a potential deadlock condition. If the xmit_lock for a given network interface is held, and a subsequent netpoll event is generated from within the lock owning context (a console message for example), deadlock on that cpu will result, because the netpoll code will attempt to re-acquire the xmit_lock. The fix is to, in the netpoll code, only attempt to take the lock, and fail if it is already acquired (rather than block on it), and queue the message to be sent for later delivery. Any user of netpoll code in the kernel (netdump or netconsole services), is exposed to this problem, and should resolve the issue by upgrading to this kernel release immediately.

* A flaw was found where, under 64-bit mode (x86_64), AMD processors were not able to address greater than a 40-bit physical address space;
and Intel processors were only able to address up to a 36-bit physical address space. The fix is to increase the physical addressing for an AMD processor to 48 bits, and an Intel processor to 38 bits. Please see the Red Hat Knowledgebase for more detailed information.

* A flaw was found in the xenU kernel that may prevent a paravirtualized guest with more than one CPU from starting when running under an Enterprise Linux 5.1 hypervisor. The fix is to allow your Enterprise Linux 4 Xen SMP guests to boot under a 5.1 hypervisor.
Please see the Red Hat Knowledgebase for more detailed information.

Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2007-2878     Bart Oldeman reported a denial of service (DoS) issue in     the VFAT filesystem that allows local users to corrupt a     kernel structure resulting in a system crash. This is     only an issue for systems which make use of the VFAT     compat ioctl interface, such as systems running an     'amd64' flavor kernel.

  - CVE-2007-4571     Takashi Iwai supplied a fix for a memory leak in the     snd_page_alloc module. Local users could exploit this     issue to obtain sensitive information from the kernel.

  - CVE-2007-6151     ADLAB discovered a possible memory overrun in the ISDN     subsystem that may permit a local user to overwrite     kernel memory by issuing ioctls with unterminated data.

  - CVE-2008-0001     Bill Roman of Datalight noticed a coding error in the     linux VFS subsystem that, under certain conditions, can     allow local users to remove directories for which they     should not have removal privileges.

These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-17etch1.

A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525)

An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875)

Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876)

Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878)

A flaw in the sysfs_readdir function allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104)

A buffer overflow was discovered in the random number generator. In environments with granular assignment of root privileges, a local attacker could gain additional privileges. (CVE-2007-3105)

A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513)

Zhongling Wen discovered that the h323 conntrack handler did not correctly handle certain bitfields. A remote attacker could send a specially crafted packet and cause a denial of service.
(CVE-2007-3642)

A flaw was discovered in the CIFS mount security checking. Remote attackers could spoof CIFS network traffic, which could lead a client to trust the connection. (CVE-2007-3843)

It was discovered that certain setuid-root processes did not correctly reset process death signal handlers. A local user could manipulate this to send signals to processes they would not normally have access to. (CVE-2007-3848)

The Direct Rendering Manager for the i915 driver could be made to write to arbitrary memory locations. An attacker with access to a running X11 session could send a specially crafted buffer and gain root privileges. (CVE-2007-3851)

It was discovered that the aacraid SCSI driver did not correctly check permissions on certain ioctls. A local attacker could cause a denial of service or gain privileges. (CVE-2007-4308).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A flaw was discovered in dvb ULE decapsulation. A remote attacker could send a specially crafted message and cause a denial of service.
(CVE-2006-4623)

The compat_sys_mount function allowed local users to cause a denial of service when mounting a smbfs filesystem in compatibility mode.
(CVE-2006-7203)

The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of buffers passed to read() and write(). A local attacker could exploit this to execute arbitrary code with kernel privileges. (CVE-2007-0005)

Due to an variable handling flaw in the ipv6_getsockopt_sticky() function a local attacker could exploit the getsockopt() calls to read arbitrary kernel memory. This could disclose sensitive data.
(CVE-2007-1000)

Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information.
(CVE-2007-1353)

A flaw was discovered in the handling of netlink messages. Local attackers could cause infinite recursion leading to a denial of service. (CVE-2007-1861)

The random number generator was hashing a subset of the available entropy, leading to slightly less random numbers. Additionally, systems without an entropy source would be seeded with the same inputs at boot time, leading to a repeatable series of random numbers.
(CVE-2007-2453)

A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525)

An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875)

Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876)

Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878)

A flaw was discovered in the cluster manager. A remote attacker could connect to the DLM port and block further DLM operations.
(CVE-2007-3380)

A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The compat_sys_mount function allowed local users to cause a denial of service when mounting a smbfs filesystem in compatibility mode.
(CVE-2006-7203)

The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of buffers passed to read() and write(). A local attacker could exploit this to execute arbitrary code with kernel privileges. (CVE-2007-0005)

Due to a variable handling flaw in the ipv6_getsockopt_sticky() function a local attacker could exploit the getsockopt() calls to read arbitrary kernel memory. This could disclose sensitive data.
(CVE-2007-1000)

Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information.
(CVE-2007-1353)

A flaw was discovered in the handling of netlink messages. Local attackers could cause infinite recursion leading to a denial of service. (CVE-2007-1861)

A flaw was discovered in the IPv6 stack's handling of type 0 route headers. By sending a specially crafted IPv6 packet, a remote attacker could cause a denial of service between two IPv6 hosts.
(CVE-2007-2242)

The random number generator was hashing a subset of the available entropy, leading to slightly less random numbers. Additionally, systems without an entropy source would be seeded with the same inputs at boot time, leading to a repeatable series of random numbers.
(CVE-2007-2453)

A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525)

An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875)

Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876)

Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2007-0939.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2007-0705.

ID	Name	Product	Family	Severity
67580	Oracle Linux 4 : kernel (ELSA-2007-0939)	Nessus	Oracle Linux Local Security Checks	medium
67543	Oracle Linux 5 : kernel (ELSA-2007-0705)	Nessus	Oracle Linux Local Security Checks	medium
60280	Scientific Linux Security Update : kernel on SL4.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
43648	CentOS 5 : kernel (CESA-2007:0705)	Nessus	CentOS Local Security Checks	medium
37953	CentOS 4 : kernel (CESA-2007:0939)	Nessus	CentOS Local Security Checks	medium
30126	Debian DSA-1479-1 : linux-2.6 - several vulnerabilities	Nessus	Debian Local Security Checks	high
28114	Ubuntu 7.04 : linux-source-2.6.20 vulnerabilities (USN-510-1)	Nessus	Ubuntu Local Security Checks	high
28090	Ubuntu 6.06 LTS : linux-source-2.6.15 vulnerability (USN-489-1)	Nessus	Ubuntu Local Security Checks	high
28087	Ubuntu 6.10 : linux-source-2.6.17 vulnerabilities (USN-486-1)	Nessus	Ubuntu Local Security Checks	high
27616	RHEL 4 : kernel (RHSA-2007:0939)	Nessus	Red Hat Local Security Checks	medium
26050	RHEL 5 : kernel (RHSA-2007:0705)	Nessus	Red Hat Local Security Checks	medium
801439	CentOS RHSA-2007-0939 Security Check	Log Correlation Engine	Generic	high
801434	CentOS RHSA-2007-0705 Security Check	Log Correlation Engine	Generic	high

CVE-2007-2878

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

medium

medium

medium

medium

medium

high

high

high

high

medium

medium

high

high