http://labs.mwrinfosecurity.com/files/Advisories/mwri_linux-usb-buffer-overflow_2009-10-29.pdf

https://bugzilla.redhat.com/show_bug.cgi?id=722393

The SUSE Linux Enterprise Server 10 SP3 LTSS kernel received a roll up update to fix lots of moderate security issues and several bugs.

The Following security issues have been fixed :

CVE-2012-4530: The load_script function in fs/binfmt_script.c in the Linux kernel did not properly handle recursion, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password.

CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel did not initialize certain structure members, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.

CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket.

CVE-2013-2147: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel did not initialize certain data structures, which allowed local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c.

CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call.

CVE-2013-0160: The Linux kernel allowed local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device.

CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.

CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel did not properly initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3235: net/tipc/socket.c in the Linux kernel did not initialize a certain data structure and a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-1827: net/dccp/ccid.h in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call.

CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory via a crafted application.

CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2012-6546: The ATM implementation in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation.

CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel memory via a crafted application.

CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel had an incorrect return value in certain circumstances, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument.

CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel did not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel preserved the value of the sa_restorer field across an exec operation, which made it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call.

CVE-2011-2492: The bluetooth subsystem in the Linux kernel did not properly initialize certain data structures, which allowed local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c.

CVE-2013-2206: The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel did not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic.

CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel allowed local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.

CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.

CVE-2012-4444: The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel allowed remote attackers to bypass intended network restrictions via overlapping IPv6 fragments.

CVE-2013-1928: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel on unspecified architectures lacked a certain error check, which might have allowed local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device.

CVE-2013-0871: Race condition in the ptrace functionality in the Linux kernel allowed local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death.

CVE-2013-0268: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel allowed local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c.

CVE-2012-3510: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.

CVE-2011-4110: The user_update function in security/keys/user_defined.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and 'updating a negative key into a fully instantiated key.'

CVE-2012-2136: The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device.

CVE-2009-4020: Stack-based buffer overflow in the hfs subsystem in the Linux kernel allowed remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the hfs_readdir function in fs/hfs/dir.c.

CVE-2011-2928: The befs_follow_link function in fs/befs/linuxvfs.c in the Linux kernel did not validate the length attribute of long symlinks, which allowed local users to cause a denial of service (incorrect pointer dereference and OOPS) by accessing a long symlink on a malformed Be filesystem.

CVE-2011-4077: Buffer overflow in the xfs_readlink function in fs/xfs/xfs_vnodeops.c in XFS in the Linux kernel, when CONFIG_XFS_DEBUG is disabled, allowed local users to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via an XFS image containing a symbolic link with a long pathname.

CVE-2011-4324: The encode_share_access function in fs/nfs/nfs4xdr.c in the Linux kernel allowed local users to cause a denial of service (BUG and system crash) by using the mknod system call with a pathname on an NFSv4 filesystem.

CVE-2011-4330: Stack-based buffer overflow in the hfs_mac2asc function in fs/hfs/trans.c in the Linux kernel allowed local users to cause a denial of service (crash) and possibly execute arbitrary code via an HFS image with a crafted len field.

CVE-2011-1172: net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.

CVE-2011-2525: The qdisc_notify function in net/sched/sch_api.c in the Linux kernel did not prevent tc_fill_qdisc function calls referencing builtin (aka CQ_F_BUILTIN) Qdisc structures, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted call.

CVE-2011-2699: The IPv6 implementation in the Linux kernel did not generate Fragment Identification values separately for each destination, which made it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets.

CVE-2011-1171: net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.

CVE-2011-1170: net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.

CVE-2011-3209: The div_long_long_rem implementation in include/asm-x86/div64.h in the Linux kernel on the x86 platform allowed local users to cause a denial of service (Divide Error Fault and panic) via a clock_gettime system call.

CVE-2011-2213: The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880.

CVE-2011-2534: Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel might have allowed local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating 0 character.

CVE-2011-2699: The IPv6 implementation in the Linux kernel did not generate Fragment Identification values separately for each destination, which made it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets.

CVE-2011-2203: The hfs_find_init function in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and Oops) by mounting an HFS file system with a malformed MDB extent record.

CVE-2009-4067: A USB string descriptor overflow in the auerwald USB driver was fixed, which could be used by physically proximate attackers to cause a kernel crash.

CVE-2011-3363: The setup_cifs_sb function in fs/cifs/connect.c in the Linux kernel did not properly handle DFS referrals, which allowed remote CIFS servers to cause a denial of service (system crash) by placing a referral at the root of a share.

CVE-2011-2484: The add_del_listener function in kernel/taskstats.c in the Linux kernel did not prevent multiple registrations of exit handlers, which allowed local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application.

CVE-2011-4132: The cleanup_journal_tail function in the Journaling Block Device (JBD) functionality in the Linux kernel allowed local users to cause a denial of service (assertion error and kernel oops) via an ext3 or ext4 image with an 'invalid log first block value.'

CVE-2010-4249: The wait_for_unix_gc function in net/unix/garbage.c in the Linux kernel before 2.6.37-rc3-next-20101125 does not properly select times for garbage collection of inflight sockets, which allows local users to cause a denial of service (system hang) via crafted use of the socketpair and sendmsg system calls for SOCK_SEQPACKET sockets.

The following bugs have been fixed :

patches.fixes/allow-executables-larger-than-2GB.patch: Allow executables larger than 2GB (bnc#836856).

cio: prevent kernel panic after unexpected I/O interrupt (bnc#649868,LTC#67975).

  - cio: Add timeouts for internal IO     (bnc#701550,LTC#72691). kernel: first time swap use     results in heavy swapping (bnc#701550,LTC#73132).

    qla2xxx: Do not be so verbose on underrun detected

    patches.arch/i386-run-tsc-calibration-5-times.patch: Fix     the patch, the logic was wrong (bnc#537165, bnc#826551).

    xfs: Do not reclaim new inodes in xfs_sync_inodes()     (bnc#770980 bnc#811752).

    kbuild: Fix gcc -x syntax (bnc#773831).

    e1000e: stop cleaning when we reach tx_ring->next_to_use     (bnc#762825).

    Fix race condition about network device name allocation     (bnc#747576).

    kdump: bootmem map over crash reserved region     (bnc#749168, bnc#722400, bnc#742881).

    tcp: fix race condition leading to premature termination     of sockets in FIN_WAIT2 state and connection being reset     (bnc#745760)

    tcp: drop SYN+FIN messages (bnc#765102).

    net/linkwatch: Handle jiffies wrap-around (bnc#740131).

    patches.fixes/vm-dirty-bytes: Provide     /proc/sys/vm/dirty_{background_,}bytes for tuning     (bnc#727597).

    ipmi: Fix deadlock in start_next_msg() (bnc#730749).

    cpu-hotplug: release workqueue_mutex properly on CPU     hot-remove (bnc#733407).

    libiscsi: handle init task failures (bnc#721351).

    NFS/sunrpc: do not use a credential with extra groups     (bnc#725878).

    x86_64: fix reboot hang when 'reboot=b' is passed to the     kernel (bnc#721267).

    nf_nat: do not add NAT extension for confirmed     conntracks (bnc#709213).

    xfs: fix memory reclaim recursion deadlock on locked     inode buffer (bnc#699355 bnc#699354 bnc#721830).

    ipmi: do not grab locks in run-to-completion mode     (bnc#717421).

    cciss: do not attempt to read from a write-only register     (bnc#683101).

    qla2xxx: Disable MSI-X initialization (bnc#693513).

    Allow balance_dirty_pages to help other filesystems     (bnc#709369).

  - nfs: fix congestion control (bnc#709369).

  - NFS: Separate metadata and page cache revalidation     mechanisms (bnc#709369). knfsd: nfsd4: fix laundromat     shutdown race (bnc#752556).

    x87: Do not synchronize TSCs across cores if they     already should be synchronized by HW (bnc#615418     bnc#609220).

    reiserfs: Fix int overflow while calculating free space     (bnc#795075).

    af_unix: limit recursion level (bnc#656153).

    bcm43xx: netlink deadlock fix (bnc#850241).

    jbd: Issue cache flush after checkpointing (bnc#731770).

    cfq: Fix infinite loop in cfq_preempt_queue()     (bnc#724692).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2013-0039 for details.

From Red Hat Security Advisory 2011:1386 :

Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* The maximum file offset handling for ext4 file systems could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2695, Important)

* IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services. (CVE-2011-2699, Important)

* A malicious CIFS (Common Internet File System) server could send a specially crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191, Important)

* A local attacker could use mount.ecryptfs_private to mount (and then access) a directory they would otherwise not have access to. Note: To correct this issue, the RHSA-2011:1241 ecryptfs-utils update must also be installed. (CVE-2011-1833, Moderate)

* A flaw in the taskstats subsystem could allow a local, unprivileged user to cause excessive CPU time and memory use. (CVE-2011-2484, Moderate)

* Mapping expansion handling could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2496, Moderate)

* GRO (Generic Receive Offload) fields could be left in an inconsistent state. An attacker on the local network could use this flaw to cause a denial of service. GRO is enabled by default in all network drivers that support it. (CVE-2011-2723, Moderate)

* RHSA-2011:1065 introduced a regression in the Ethernet bridge implementation. If a system had an interface in a bridge, and an attacker on the local network could send packets to that interface, they could cause a denial of service on that system. Xen hypervisor and KVM (Kernel-based Virtual Machine) hosts often deploy bridge interfaces. (CVE-2011-2942, Moderate)

* A flaw in the Xen hypervisor IOMMU error handling implementation could allow a privileged guest user, within a guest operating system that has direct control of a PCI device, to cause performance degradation on the host and possibly cause it to hang. (CVE-2011-3131, Moderate)

* IPv4 and IPv6 protocol sequence number and fragment ID generation could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence number and fragment IDs are now more random. (CVE-2011-3188, Moderate)

* A flaw in the kernel's clock implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2011-3209, Moderate)

* Non-member VLAN (virtual LAN) packet handling for interfaces in promiscuous mode and also using the be2net driver could allow an attacker on the local network to cause a denial of service.
(CVE-2011-3347, Moderate)

* A flaw in the auerswald USB driver could allow a local, unprivileged user to cause a denial of service or escalate their privileges by inserting a specially crafted USB device. (CVE-2009-4067, Low)

* A flaw in the Trusted Platform Module (TPM) implementation could allow a local, unprivileged user to leak information to user space.
(CVE-2011-1160, Low)

* A local, unprivileged user could possibly mount a CIFS share that requires authentication without knowing the correct password if the mount was already mounted by another local user. (CVE-2011-1585, Low)

Red Hat would like to thank Fernando Gont for reporting CVE-2011-2699;
Darren Lavender for reporting CVE-2011-3191; the Ubuntu Security Team for reporting CVE-2011-1833; Vasiliy Kulikov of Openwall for reporting CVE-2011-2484; Robert Swiecki for reporting CVE-2011-2496; Brent Meshier for reporting CVE-2011-2723; Dan Kaminsky for reporting CVE-2011-3188; Yasuaki Ishimatsu for reporting CVE-2011-3209; Somnath Kotur for reporting CVE-2011-3347; Rafael Dominguez Vega for reporting CVE-2009-4067; and Peter Huewe for reporting CVE-2011-1160. The Ubuntu Security Team acknowledges Vasiliy Kulikov of Openwall and Dan Rosenberg as the original reporters of CVE-2011-1833.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

  - The maximum file offset handling for ext4 file systems     could allow a local, unprivileged user to cause a denial     of service. (CVE-2011-2695, Important)

  - IPv6 fragment identification value generation could     allow a remote attacker to disrupt a target system's     networking, preventing legitimate users from accessing     its services. (CVE-2011-2699, Important)

  - A malicious CIFS (Common Internet File System) server     could send a specially crafted response to a directory     read request that would result in a denial of service or     privilege escalation on a system that has a CIFS share     mounted. (CVE-2011-3191, Important)

  - A local attacker could use mount.ecryptfs_private to     mount (and then access) a directory they would otherwise     not have access to. Note: To correct this issue, a     ecryptfs-utils update must also be installed.
    (CVE-2011-1833, Moderate)

  - A flaw in the taskstats subsystem could allow a local,     unprivileged user to cause excessive CPU time and memory     use. (CVE-2011-2484, Moderate)

  - Mapping expansion handling could allow a local,     unprivileged user to cause a denial of service.
    (CVE-2011-2496, Moderate)

  - GRO (Generic Receive Offload) fields could be left in an     inconsistent state. An attacker on the local network     could use this flaw to cause a denial of service. GRO is     enabled by default in all network drivers that support     it. (CVE-2011-2723, Moderate)

  - A previous update introduced a regression in the     Ethernet bridge implementation. If a system had an     interface in a bridge, and an attacker on the local     network could send packets to that interface, they could     cause a denial of service on that system. Xen hypervisor     and KVM (Kernel-based Virtual Machine) hosts often     deploy bridge interfaces. (CVE-2011-2942, Moderate)

  - A flaw in the Xen hypervisor IOMMU error handling     implementation could allow a privileged guest user,     within a guest operating system that has direct control     of a PCI device, to cause performance degradation on the     host and possibly cause it to hang. (CVE-2011-3131,     Moderate)

  - IPv4 and IPv6 protocol sequence number and fragment ID     generation could allow a man-in-the-middle attacker to     inject packets and possibly hijack connections. Protocol     sequence number and fragment IDs are now more random.
    (CVE-2011-3188, Moderate)

  - A flaw in the kernel's clock implementation could allow     a local, unprivileged user to cause a denial of service.
    (CVE-2011-3209, Moderate)

  - Non-member VLAN (virtual LAN) packet handling for     interfaces in promiscuous mode and also using the be2net     driver could allow an attacker on the local network to     cause a denial of service. (CVE-2011-3347, Moderate)

  - A flaw in the auerswald USB driver could allow a local,     unprivileged user to cause a denial of service or     escalate their privileges by inserting a specially     crafted USB device. (CVE-2009-4067, Low)

  - A flaw in the Trusted Platform Module (TPM)     implementation could allow a local, unprivileged user to     leak information to user space. (CVE-2011-1160, Low)

  - A local, unprivileged user could possibly mount a CIFS     share that requires authentication without knowing the     correct password if the mount was already mounted by     another local user. (CVE-2011-1585, Low)

This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel.

The following security issues have been fixed :

  - A USB string descriptor overflow in the auerwald USB     driver was fixed, which could be used by physically     proximate attackers to cause a kernel crash.
    (CVE-2009-4067)

  - Always check the path in CIFS mounts to avoid     interesting filesystem path interaction issues and     potential crashes. (CVE-2011-3363)

  - A malicious CIFS server could cause a integer overflow     on the local machine on directory index operations, in     turn causing memory corruption. (CVE-2011-3191)

  - The is_gpt_valid function in fs/partitions/efi.c in the     Linux kernel did not check the size of an Extensible     Firmware Interface (EFI) GUID Partition Table (GPT)     entry, which allowed physically proximate attackers to     cause a denial of service (heap-based buffer overflow     and OOPS) or obtain sensitive information from kernel     heap memory by connecting a crafted GPT storage device,     a different vulnerability than CVE-2011-1577.
    (CVE-2011-1776)

The following non-security issues have been fixed :

  - md: fix deadlock in md/raid1 and md/raid10 when handling     a read error. (bnc#628343)

  - md: fix possible raid1/raid10 deadlock on read error     during resync. (bnc#628343)

  - Add timeo parameter to /proc/mounts for nfs filesystems.
    (bnc#616256)

  - virtio: indirect ring entries     (VIRTIO_RING_F_INDIRECT_DESC). (bnc#713876)

  - virtio: teach virtio_has_feature() about transport     features. (bnc#713876)

  - nf_nat: do not add NAT extension for confirmed     conntracks. (bnc#709213)

  - 8250: Oxford Semiconductor Devices. (bnc#717126)

  - 8250_pci: Add support for the Digi/IBM PCIe 2-port     Adapter. (bnc#717126)

  - 8250: Fix capabilities when changing the port type.
    (bnc#717126)

  - 8250: Add EEH support. (bnc#717126)

  - xfs: fix memory reclaim recursion deadlock on locked     inode buffer. (bnc#699355 / bnc#699354 / bnc#721830)

  - ipmi: do not grab locks in run-to-completion mode.
    (bnc#717421)

  - cifs: add fallback in is_path_accessible for old     servers. (bnc#718028)

  - cciss: do not attempt to read from a write-only     register. (bnc#683101)

  - s390: kernel: System hang if hangcheck timer expires     (bnc#712009,LTC#74157).

  - s390: kernel: NSS creation with initrd fails     (bnc#712009,LTC#74207).

  - s390: kernel: remove code to handle topology interrupts     (bnc#712009,LTC#74440).

  - xen: Added 1083-kbdfront-absolute-coordinates.patch.
    (bnc#717585)

  - acpi: Use a spinlock instead of mutex to guard gbl_lock     access. (bnc#707439)

  - Allow balance_dirty_pages to help other filesystems.
    (bnc#709369)

  - nfs: fix congestion control. (bnc#709369)

  - NFS: Separate metadata and page cache revalidation     mechanisms. (bnc#709369)

  - jbd: Fix oops in journal_remove_journal_head().
    (bnc#694315)

  - xen/blkfront: avoid NULL de-reference in CDROM ioctl     handling. (bnc#701355)

  - xen/x86: replace order-based range checking of M2P table     by linear one.

  - xen/x86: use dynamically adjusted upper bound for     contiguous regions. (bnc#635880)

  - Fix type in     patches.fixes/libiscsi-dont-run-scsi-eh-if-iscsi-task-is
    -making-progress.

  - s390: cio: Add timeouts for internal IO     (bnc#701550,LTC#72691).

  - s390: kernel: first time swap use results in heavy     swapping (bnc#701550,LTC#73132).

  - s390: qeth: wrong number of output queues for     HiperSockets (bnc#701550,LTC#73814).

It was discovered that the Auerswald usb driver incorrectly handled lengths of the USB string descriptors. A local attacker with physical access could insert a specially crafted USB device and gain root privileges. (CVE-2009-4067)

It was discovered that the Stream Control Transmission Protocol (SCTP) implementation incorrectly calculated lengths. If the net.sctp.addip_enable variable was turned on, a remote attacker could send specially crafted traffic to crash the system. (CVE-2011-1573)

Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494)

Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495)

Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* The maximum file offset handling for ext4 file systems could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2695, Important)

* IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services. (CVE-2011-2699, Important)

* A malicious CIFS (Common Internet File System) server could send a specially crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191, Important)

* A local attacker could use mount.ecryptfs_private to mount (and then access) a directory they would otherwise not have access to. Note: To correct this issue, the RHSA-2011:1241 ecryptfs-utils update must also be installed. (CVE-2011-1833, Moderate)

* A flaw in the taskstats subsystem could allow a local, unprivileged user to cause excessive CPU time and memory use. (CVE-2011-2484, Moderate)

* Mapping expansion handling could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2496, Moderate)

* GRO (Generic Receive Offload) fields could be left in an inconsistent state. An attacker on the local network could use this flaw to cause a denial of service. GRO is enabled by default in all network drivers that support it. (CVE-2011-2723, Moderate)

* RHSA-2011:1065 introduced a regression in the Ethernet bridge implementation. If a system had an interface in a bridge, and an attacker on the local network could send packets to that interface, they could cause a denial of service on that system. Xen hypervisor and KVM (Kernel-based Virtual Machine) hosts often deploy bridge interfaces. (CVE-2011-2942, Moderate)

* A flaw in the Xen hypervisor IOMMU error handling implementation could allow a privileged guest user, within a guest operating system that has direct control of a PCI device, to cause performance degradation on the host and possibly cause it to hang. (CVE-2011-3131, Moderate)

* IPv4 and IPv6 protocol sequence number and fragment ID generation could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence number and fragment IDs are now more random. (CVE-2011-3188, Moderate)

* A flaw in the kernel's clock implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2011-3209, Moderate)

* Non-member VLAN (virtual LAN) packet handling for interfaces in promiscuous mode and also using the be2net driver could allow an attacker on the local network to cause a denial of service.
(CVE-2011-3347, Moderate)

* A flaw in the auerswald USB driver could allow a local, unprivileged user to cause a denial of service or escalate their privileges by inserting a specially crafted USB device. (CVE-2009-4067, Low)

* A flaw in the Trusted Platform Module (TPM) implementation could allow a local, unprivileged user to leak information to user space.
(CVE-2011-1160, Low)

* A local, unprivileged user could possibly mount a CIFS share that requires authentication without knowing the correct password if the mount was already mounted by another local user. (CVE-2011-1585, Low)

Red Hat would like to thank Fernando Gont for reporting CVE-2011-2699;
Darren Lavender for reporting CVE-2011-3191; the Ubuntu Security Team for reporting CVE-2011-1833; Vasiliy Kulikov of Openwall for reporting CVE-2011-2484; Robert Swiecki for reporting CVE-2011-2496; Brent Meshier for reporting CVE-2011-2723; Dan Kaminsky for reporting CVE-2011-3188; Yasuaki Ishimatsu for reporting CVE-2011-3209; Somnath Kotur for reporting CVE-2011-3347; Rafael Dominguez Vega for reporting CVE-2009-4067; and Peter Huewe for reporting CVE-2011-1160. The Ubuntu Security Team acknowledges Vasiliy Kulikov of Openwall and Dan Rosenberg as the original reporters of CVE-2011-1833.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leak. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-4067     Rafael Dominguez Vega of MWR InfoSecurity reported an     issue in the auerswald module, a driver for Auerswald     PBX/System Telephone USB devices. Attackers with     physical access to a system's USB ports could obtain     elevated privileges using a specially crafted USB     device.

  - CVE-2011-0712     Rafael Dominguez Vega of MWR InfoSecurity reported an     issue in the caiaq module, a USB driver for Native     Instruments USB audio devices. Attackers with physical     access to a system's USB ports could obtain elevated     privileges using a specially crafted USB device.

  - CVE-2011-1020     Kees Cook discovered an issue in the /proc filesystem     that allows local users to gain access to sensitive     process information after execution of a setuid binary.

  - CVE-2011-2209     Dan Rosenberg discovered an issue in the osf_sysinfo()     system call on the alpha architecture. Local users could     obtain access to sensitive kernel memory.

  - CVE-2011-2211     Dan Rosenberg discovered an issue in the osf_wait4()     system call on the alpha architecture permitting local     users to gain elevated privileges.

  - CVE-2011-2213     Dan Rosenberg discovered an issue in the INET socket     monitoring interface. Local users could cause a denial     of service by injecting code and causing the kernel to     execute an infinite loop.

  - CVE-2011-2484     Vasiliy Kulikov of Openwall discovered that the number     of exit handlers that a process can register is not     capped, resulting in local denial of service through     resource exhaustion (CPU time and memory).

  - CVE-2011-2491     Vasily Averin discovered an issue with the NFS locking     implementation. A malicious NFS server can cause a     client to hang indefinitely in an unlock call.

  - CVE-2011-2492     Marek Kroemeke and Filip Palian discovered that     uninitialized struct elements in the Bluetooth subsystem     could lead to a leak of sensitive kernel memory through     leaked stack memory.

  - CVE-2011-2495     Vasiliy Kulikov of Openwall discovered that the io file     of a process' proc directory was world-readable,     resulting in local information disclosure of information     such as password lengths.

  - CVE-2011-2496     Robert Swiecki discovered that mremap() could be abused     for local denial of service by triggering a BUG_ON     assert.

  - CVE-2011-2497     Dan Rosenberg discovered an integer underflow in the     Bluetooth subsystem, which could lead to denial of     service or privilege escalation.

  - CVE-2011-2525     Ben Pfaff reported an issue in the network scheduling     code. A local user could cause a denial of service (NULL     pointer dereference) by sending a specially crafted     netlink message.

  - CVE-2011-2928     Timo Warns discovered that insufficient validation of Be     filesystem images could lead to local denial of service     if a malformed filesystem image is mounted.

  - CVE-2011-3188     Dan Kaminsky reported a weakness of the sequence number     generation in the TCP protocol implementation. This can     be used by remote attackers to inject packets into an     active session.

  - CVE-2011-3191     Darren Lavender reported an issue in the Common Internet     File System (CIFS). A malicious file server could cause     memory corruption leading to a denial of service.

This update also includes a fix for a regression introduced with the previous security fix for CVE-2011-1768 (Debian bug #633738).

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2011-1386.

ID	Name	Product	Family	Severity
83603	SUSE SLES10 Security Update : kernel (SUSE-SU-2013:1832-1)	Nessus	SuSE Local Security Checks	high
79507	OracleVM 2.2 : kernel (OVMSA-2013-0039)	Nessus	OracleVM Local Security Checks	high
68375	Oracle Linux 5 : kernel (ELSA-2011-1386)	Nessus	Oracle Linux Local Security Checks	critical
61162	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	critical
59160	SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 7811)	Nessus	SuSE Local Security Checks	critical
57214	SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 7812)	Nessus	SuSE Local Security Checks	critical
56583	Ubuntu 8.04 LTS : linux vulnerabilities (USN-1236-1)	Nessus	Ubuntu Local Security Checks	medium
56577	RHEL 5 : kernel (RHSA-2011:1386)	Nessus	Red Hat Local Security Checks	critical
56569	CentOS 5 : kernel (CESA-2011:1386)	Nessus	CentOS Local Security Checks	critical
56285	Debian DSA-2310-1 : linux-2.6 - privilege escalation/denial of service/information leak	Nessus	Debian Local Security Checks	medium
801510	CentOS RHSA-2011-1386 Security Check	Log Correlation Engine	Generic	high

CVE-2009-4067

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

high

high

critical

critical

critical

critical

medium

critical

critical

medium

high