The USB subsystem in the Linux kernel before 2.6.36-rc5 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to TIOCGICOUNT ioctl calls, and the (1) mos7720_ioctl function in drivers/usb/serial/mos7720.c and (2) mos7840_ioctl function in drivers/usb/serial/mos7840.c.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2011-0007 advisory.

    - [kvm] x86: zero kvm_vcpu_events->interrupt.pad (Marcelo Tosatti) [665471 665409] {CVE-2010-4525}

    email_6.RHSA-2011-0007 178L, 11970C written
    - [netdrv] igb: only use vlan_gro_receive if vlans are registered (Stefan Assmann) [652804 660192]     {CVE-2010-4263}
    - [kernel] posix-cpu-timers: workaround to suppress the problems with mt exec (Oleg Nesterov) [656267     656268] {CVE-2010-4248}
    - [fs] bio: take care not overflow page count when mapping/copying user data (Danny Feng) [652530 652531]     {CVE-2010-4162}
    - [net] can-bcm: fix minor heap overflow (Danny Feng) [651846 651847] {CVE-2010-3874}
    - [net] filter: make sure filters dont read uninitialized memory (Jiri Pirko) [651704 651705]     {CVE-2010-4158}
    - [net] inet_diag: Make sure we actually run the same bytecode we audited (Jiri Pirko) [651268 651269]     {CVE-2010-3880}
    - [v4l] ivtvfb: prevent reading uninitialized stack memory (Mauro Carvalho Chehab) [648832 648833]     {CVE-2010-4079}
    - [drm] via/ioctl.c: prevent reading uninitialized stack memory (Dave Airlie) [648718 648719]     {CVE-2010-4082}
    - [char] nozomi: clear data before returning to userspace on TIOCGICOUNT (Mauro Carvalho Chehab) [648705     648706] {CVE-2010-4077}
    - [serial] clean data before filling it on TIOCGICOUNT (Mauro Carvalho Chehab) [648702 648703]     {CVE-2010-4075}
    - [net] af_unix: limit unix_tot_inflight (Neil Horman) [656761 656762] {CVE-2010-4249}
    - [block] check for proper length of iov entries in blk_rq_map_user_iov() (Danny Feng) [652958 652959]     {CVE-2010-4163}
    - [net] Limit sendto()/recvfrom()/iovec total length to INT_MAX (Jiri Pirko) [651894 651895]     {CVE-2010-4160}
    - [net] bluetooth: Fix missing NULL check (Jarod Wilson) [655667 655668] {CVE-2010-4242}
    - [kernel] ipc: initialize structure memory to zero for compat functions (Danny Feng) [648694 648695]     {CVE-2010-4073}
    - [kernel] shm: fix information leak to userland (Danny Feng) [648688 648689] {CVE-2010-4072}
    - [fs] xfs: prevent reading uninitialized stack memory (Dave Chinner) [630808 630809] {CVE-2010-3078}
    - [net] fix rds_iovec page count overflow (Jiri Pirko) [647423 647424] {CVE-2010-3865}
    - [usb] serial/mos*: prevent reading uninitialized stack memory (Don Zickus) [648697 648698]     {CVE-2010-4074}
    - [kernel] ecryptfs_uid_hash() buffer overflow (Jerome Marchand) [626320 611388] {CVE-2010-2492}
    - [sound] seq/oss - Fix double-free at error path of snd_seq_oss_open() (Jaroslav Kysela) [630554 630555]     {CVE-2010-3080}
    - [netdrv] prevent reading uninitialized memory in hso driver (Thomas Graf) [633143 633144]     {CVE-2010-3298}
    - [fs] aio: check for multiplication overflow in do_io_submit (Jeff Moyer) [629450 629451] {CVE-2010-3067}
    - [net] fix info leak from kernel in ethtool operation (Neil Horman) [646727 646728] {CVE-2010-3861}
    - [net] packet: fix information leak to userland (Jiri Pirko) [649899 649900] {CVE-2010-3876}
    - [net] clean up info leak in act_police (Neil Horman) [636393 636394] {CVE-2010-3477}
    - [net] Fix priv escalation in rds protocol (Neil Horman) [642899 642900] {CVE-2010-3904}
    - [v4l] Remove compat code for VIDIOCSMICROCODE (Mauro Carvalho Chehab) [642472 642473] {CVE-2010-2963}
    - [kernel] tracing: do not allow llseek to set_ftrace_filter (Jiri Olsa) [631625 631626] {CVE-2010-3079}
    - [drm] fix ioctls infoleak (Danny Feng) [626319 621437] {CVE-2010-2803}
    - [netdrv] wireless extensions: fix kernel heap content leak (John Linville) [628437 628438]     {CVE-2010-2955}
    - [netdrv] niu: buffer overflow for ETHTOOL_GRXCLSRLALL (Danny Feng) [632071 632072] {CVE-2010-3084}
    - [virt] KVM: Fix fs/gs reload oops with invalid ldt (Avi Kivity) [639884 639885] {CVE-2010-3698}
    - [drm] i915: prevent arbitrary kernel memory write (Jerome Marchand) [637690 637691] {CVE-2010-2962}
    - [kernel] prevent heap corruption in snd_ctl_new() (Jerome Marchand) [638485 638486] {CVE-2010-3442}
    - [block] Fix pktcdvd ioctl dev_minor range check (Jerome Marchand) [638088 638089] {CVE-2010-3437}
    - [net] sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() (Jiri Pirko) [640461 640462]     {CVE-2010-3705}
    - [net] sctp: Do not reset the packet during sctp_packet_config() (Jiri Pirko) [637681 637682]     {CVE-2010-3432}
    - [misc] make compat_alloc_user_space() incorporate the access_ok() (Xiaotian Feng) [634465 634466]     {CVE-2010-3081}
    - [x86] kernel: fix IA32 System Call Entry Point Vulnerability (Xiaotian Feng) [634451 634452]     {CVE-2010-3301}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Gleb Napatov discovered that KVM did not correctly check certain privileged operations. A local attacker with access to a guest kernel could exploit this to crash the host system, leading to a denial of service. (CVE-2010-0435)

Dan Jacobson discovered that ThinkPad video output was not correctly access controlled. A local attacker could exploit this to hang the system, leading to a denial of service. (CVE-2010-3448)

It was discovered that KVM did not correctly initialize certain CPU registers. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3698)

Dan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859)

Thomas Pollet discovered that the RDS network protocol did not check certain iovec buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user.
(CVE-2010-3865)

Dan Rosenberg discovered that the Linux kernel X.25 implementation incorrectly parsed facilities. A remote attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3873)

Dan Rosenberg discovered that the CAN protocol on 64bit systems did not correctly calculate the size of certain buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3874)

Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-3875)

Vasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876)

Vasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-3877)

Nelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880)

Dan Rosenberg discovered that IPC structures were not correctly initialized on 64bit systems. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-4073)

Dan Rosenberg discovered that the USB subsystem did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-4074)

Dan Rosenberg discovered that the SiS video driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4078)

Dan Rosenberg discovered that the ivtv V4L driver did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-4079)

Dan Rosenberg discovered that the RME Hammerfall DSP audio interface driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4080, CVE-2010-4081)

Dan Rosenberg discovered that the VIA video driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4082)

Dan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083)

James Bottomley discovered that the ICP vortex storage array controller driver did not validate certain sizes. A local attacker on a 64bit system could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-4157)

Dan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges.
(CVE-2010-4160)

Steve Chen discovered that setsockopt did not correctly check MSS values. A local attacker could make a specially crafted socket call to crash the system, leading to a denial of service. (CVE-2010-4165)

Dave Jones discovered that the mprotect system call did not correctly handle merged VMAs. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4169)

It was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248)

Vegard Nossum discovered that memory garbage collection was not handled correctly for active sockets. A local attacker could exploit this to allocate all available kernel memory, leading to a denial of service. (CVE-2010-4249).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Gleb Napatov discovered that KVM did not correctly check certain privileged operations. A local attacker with access to a guest kernel could exploit this to crash the host system, leading to a denial of service. (CVE-2010-0435)

Dave Chinner discovered that the XFS filesystem did not correctly order inode lookups when exported by NFS. A remote attacker could exploit this to read or write disk blocks that had changed file assignment or had become unlinked, leading to a loss of privacy.
(CVE-2010-2943)

Dan Rosenberg discovered that several network ioctls did not clear kernel memory correctly. A local user could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297)

Dan Jacobson discovered that ThinkPad video output was not correctly access controlled. A local attacker could exploit this to hang the system, leading to a denial of service. (CVE-2010-3448)

It was discovered that KVM did not correctly initialize certain CPU registers. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3698)

It was discovered that Xen did not correctly clean up threads. A local attacker in a guest system could exploit this to exhaust host system resources, leading to a denial of serivce. (CVE-2010-3699)

Brad Spengler discovered that stack memory for new a process was not correctly calculated. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3858)

Dan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859)

Dan Rosenberg discovered that the Linux kernel X.25 implementation incorrectly parsed facilities. A remote attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3873)

Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-3875)

Vasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876)

Vasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-3877)

Nelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880)

Kees Cook and Vasiliy Kulikov discovered that the shm interface did not clear kernel memory correctly. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-4072)

Dan Rosenberg discovered that the USB subsystem did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-4074)

Dan Rosenberg discovered that the SiS video driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4078)

Dan Rosenberg discovered that the ivtv V4L driver did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-4079)

Dan Rosenberg discovered that the RME Hammerfall DSP audio interface driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4080, CVE-2010-4081)

Dan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083)

James Bottomley discovered that the ICP vortex storage array controller driver did not validate certain sizes. A local attacker on a 64bit system could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-4157)

Dan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges.
(CVE-2010-4160)

It was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2011:0007 advisory.

    * Buffer overflow in eCryptfs. When /dev/ecryptfs has world writable     permissions (which it does not, by default, on Red Hat Enterprise Linux 6),     a local, unprivileged user could use this flaw to cause a denial of service     or possibly escalate their privileges. (CVE-2010-2492, Important)

    * Integer overflow in the RDS protocol implementation could allow a local,     unprivileged user to cause a denial of service or escalate their     privileges. (CVE-2010-3865, Important)

    * Missing boundary checks in the PPP over L2TP sockets implementation could     allow a local, unprivileged user to cause a denial of service or escalate     their privileges. (CVE-2010-4160, Important)

    * NULL pointer dereference in the igb driver. If both Single Root I/O     Virtualization (SR-IOV) and promiscuous mode were enabled on an interface     using igb, it could result in a denial of service when a tagged VLAN packet     is received on that interface. (CVE-2010-4263, Important)

    * Missing initialization flaw in the XFS file system implementation, and in     the network traffic policing implementation, could allow a local,     unprivileged user to cause an information leak. (CVE-2010-3078,     CVE-2010-3477, Moderate)

    * NULL pointer dereference in the Open Sound System compatible sequencer     driver could allow a local, unprivileged user with access to /dev/sequencer     to cause a denial of service. /dev/sequencer is only accessible to root and     users in the audio group by default. (CVE-2010-3080, Moderate)

    * Flaw in the ethtool IOCTL handler could allow a local user to cause an     information leak. (CVE-2010-3861, Moderate)

    * Flaw in bcm_connect() in the Controller Area Network (CAN) Broadcast     Manager. On 64-bit systems, writing the socket address may overflow the     procname character array. (CVE-2010-3874, Moderate)

    * Flaw in the module for monitoring the sockets of INET transport     protocols could allow a local, unprivileged user to cause a denial of     service. (CVE-2010-3880, Moderate)

    * Missing boundary checks in the block layer implementation could allow a     local, unprivileged user to cause a denial of service. (CVE-2010-4162,     CVE-2010-4163, CVE-2010-4668, Moderate)

    * NULL pointer dereference in the Bluetooth HCI UART driver could allow a     local, unprivileged user to cause a denial of service. (CVE-2010-4242,     Moderate)

    * Flaw in the Linux kernel CPU time clocks implementation for the POSIX     clock interface could allow a local, unprivileged user to cause a denial of     service. (CVE-2010-4248, Moderate)

    * Flaw in the garbage collector for AF_UNIX sockets could allow a local,     unprivileged user to trigger a denial of service. (CVE-2010-4249, Moderate)

    * Missing upper bound integer check in the AIO implementation could allow a     local, unprivileged user to cause an information leak. (CVE-2010-3067, Low)

    * Missing initialization flaws could lead to information leaks.
    (CVE-2010-3298, CVE-2010-3876, CVE-2010-4072, CVE-2010-4073, CVE-2010-4074,     CVE-2010-4075, CVE-2010-4077, CVE-2010-4079, CVE-2010-4080, CVE-2010-4081,     CVE-2010-4082, CVE-2010-4083, CVE-2010-4158, Low)

    * Missing initialization flaw in KVM could allow a privileged host user     with access to /dev/kvm to cause an information leak. (CVE-2010-4525, Low)

    Red Hat would like to thank Andre Osterhues for reporting CVE-2010-2492;
    Thomas Pollet for reporting CVE-2010-3865; Dan Rosenberg for reporting     CVE-2010-4160, CVE-2010-3078, CVE-2010-3874, CVE-2010-4162, CVE-2010-4163,     CVE-2010-3298, CVE-2010-4073, CVE-2010-4074, CVE-2010-4075, CVE-2010-4077,     CVE-2010-4079, CVE-2010-4080, CVE-2010-4081, CVE-2010-4082, CVE-2010-4083,     and CVE-2010-4158; Kosuke Tatsukawa for reporting CVE-2010-4263; Tavis     Ormandy for reporting CVE-2010-3080 and CVE-2010-3067; Kees Cook for     reporting CVE-2010-3861 and CVE-2010-4072; Nelson Elhage for reporting     CVE-2010-3880; Alan Cox for reporting CVE-2010-4242; Vegard Nossum for     reporting CVE-2010-4249; Vasiliy Kulikov for reporting CVE-2010-3876; and     Stephan Mueller of atsec information security for reporting CVE-2010-4525.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leak. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2010-2963     Kees Cook discovered an issue in the v4l 32-bit     compatibility layer for 64-bit systems that allows local     users with /dev/video write permission to overwrite     arbitrary kernel memory, potentially leading to a     privilege escalation. On Debian systems, access to     /dev/video devices is restricted to members of the     'video' group by default.

  - CVE-2010-3067     Tavis Ormandy discovered an issue in the io_submit     system call. Local users can cause an integer overflow     resulting in a denial of service.

  - CVE-2010-3296     Dan Rosenberg discovered an issue in the cxgb network     driver that allows unprivileged users to obtain the     contents of sensitive kernel memory.

  - CVE-2010-3297     Dan Rosenberg discovered an issue in the eql network     driver that allows local users to obtain the contents of     sensitive kernel memory.

  - CVE-2010-3310     Dan Rosenberg discovered an issue in the ROSE socket     implementation. On systems with a rose device, local     users can cause a denial of service (kernel memory     corruption).

  - CVE-2010-3432     Thomas Dreibholz discovered an issue in the SCTP     protocol that permits a remote user to cause a denial of     service (kernel panic).

  - CVE-2010-3437     Dan Rosenberg discovered an issue in the pktcdvd driver.
    Local users with permission to open /dev/pktcdvd/control     can obtain the contents of sensitive kernel memory or     cause a denial of service. By default on Debian systems,     this access is restricted to members of the group     'cdrom'.

  - CVE-2010-3442     Dan Rosenberg discovered an issue in the ALSA sound     system. Local users with permission to open     /dev/snd/controlC0 can create an integer overflow     condition that causes a denial of service. By default on     Debian systems, this access is restricted to members of     the group 'audio'.

  - CVE-2010-3448     Dan Jacobson reported an issue in the thinkpad-acpi     driver. On certain Thinkpad systems, local users can     cause a denial of service (X.org crash) by reading     /proc/acpi/ibm/video.

  - CVE-2010-3477     Jeff Mahoney discovered an issue in the Traffic Policing     (act_police) module that allows local users to obtain     the contents of sensitive kernel memory.

  - CVE-2010-3705     Dan Rosenberg reported an issue in the HMAC processing     code in the SCTP protocol that allows remote users to     create a denial of service (memory corruption).

  - CVE-2010-3848     Nelson Elhage discovered an issue in the Econet     protocol. Local users can cause a stack overflow     condition with large msg->msgiovlen values that can     result in a denial of service or privilege escalation.

  - CVE-2010-3849     Nelson Elhage discovered an issue in the Econet     protocol. Local users can cause a denial of service     (oops) if a NULL remote addr value is passed as a     parameter to sendmsg().

  - CVE-2010-3850     Nelson Elhage discovered an issue in the Econet     protocol. Local users can assign econet addresses to     arbitrary interfaces due to a missing capabilities     check.

  - CVE-2010-3858     Brad Spengler reported an issue in the setup_arg_pages()     function. Due to a bounds-checking failure, local users     can create a denial of service (kernel oops).

  - CVE-2010-3859     Dan Rosenberg reported an issue in the TIPC protocol.
    When the tipc module is loaded, local users can gain     elevated privileges via the sendmsg() system call.

  - CVE-2010-3873     Dan Rosenberg reported an issue in the X.25 network     protocol. Local users can cause heap corruption,     resulting in a denial of service (kernel panic).

  - CVE-2010-3874     Dan Rosenberg discovered an issue in the Control Area     Network (CAN) subsystem on 64-bit systems. Local users     may be able to cause a denial of service (heap     corruption).

  - CVE-2010-3875     Vasiliy Kulikov discovered an issue in the AX.25     protocol. Local users can obtain the contents of     sensitive kernel memory.

  - CVE-2010-3876     Vasiliy Kulikov discovered an issue in the Packet     protocol. Local users can obtain the contents of     sensitive kernel memory.

  - CVE-2010-3877     Vasiliy Kulikov discovered an issue in the TIPC     protocol. Local users can obtain the contents of     sensitive kernel memory.

  - CVE-2010-3880     Nelson Elhage discovered an issue in the INET_DIAG     subsystem. Local users can cause the kernel to execute     unaudited INET_DIAG bytecode, resulting in a denial of     service.

  - CVE-2010-4072     Kees Cook discovered an issue in the System V shared     memory subsystem. Local users can obtain the contents of     sensitive kernel memory.

  - CVE-2010-4073     Dan Rosenberg discovered an issue in the System V shared     memory subsystem. Local users on 64-bit system can     obtain the contents of sensitive kernel memory via the     32-bit compatible semctl() system call.

  - CVE-2010-4074     Dan Rosenberg reported issues in the mos7720 and mos7840     drivers for USB serial converter devices. Local users     with access to these devices can obtain the contents of     sensitive kernel memory.

  - CVE-2010-4078     Dan Rosenberg reported an issue in the framebuffer     driver for SiS graphics chipsets (sisfb). Local users     with access to the framebuffer device can obtain the     contents of sensitive kernel memory via the     FBIOGET_VBLANK ioctl.

  - CVE-2010-4079     Dan Rosenberg reported an issue in the ivtvfb driver     used for the Hauppauge PVR-350 card. Local users with     access to the framebuffer device can obtain the contents     of sensitive kernel memory via the FBIOGET_VBLANK ioctl.

  - CVE-2010-4080     Dan Rosenberg discovered an issue in the ALSA driver for     RME Hammerfall DSP audio devices. Local users with     access to the audio device can obtain the contents of     sensitive kernel memory via the     SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl.

  - CVE-2010-4081     Dan Rosenberg discovered an issue in the ALSA driver for     RME Hammerfall DSP MADI audio devices. Local users with     access to the audio device can obtain the contents of     sensitive kernel memory via the     SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl.

  - CVE-2010-4083     Dan Rosenberg discovered an issue in the semctl system     call. Local users can obtain the contents of sensitive     kernel memory through usage of the semid_ds structure.

  - CVE-2010-4164     Dan Rosenberg discovered an issue in the X.25 network     protocol. Remote users can achieve a denial of service     (infinite loop) by taking advantage of an integer     underflow in the facility parsing code.

ID	Name	Product	Family	Severity
68177	Oracle Linux 6 : kernel (ELSA-2011-0007)	Nessus	Oracle Linux Local Security Checks	high
52476	Ubuntu 9.10 : linux, linux-ec2 vulnerabilities (USN-1073-1)	Nessus	Ubuntu Local Security Checks	high
52475	Ubuntu 8.04 LTS : linux vulnerabilities (USN-1072-1)	Nessus	Ubuntu Local Security Checks	high
51500	RHEL 6 : kernel (RHSA-2011:0007)	Nessus	Red Hat Local Security Checks	high
50825	Debian DSA-2126-1 : linux-2.6 - privilege escalation/denial of service/information leak	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2010-4074

high

Tenable Plugins

high

high

high

high

high