Race condition in the sctp_icmp_proto_unreachable function in net/sctp/input.c in Linux kernel 2.6.11-rc2 through 2.6.33 allows remote attackers to cause a denial of service (panic) via an ICMP unreachable message to a socket that is already locked by a user, which causes the socket to be freed and triggers list corruption, related to the sctp_wait_for_connect function.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities in several third-party components and libraries :

  - Kernel
  - krb5
  - glibc
  - mtp2sas
  - mptsas
  - mptspi

Updated kernel-rt packages that fix multiple security issues and various bugs are now available for Red Hat Enterprise MRG 2.0.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Security fixes :

* A flaw in the SCTP and DCCP implementations could allow a remote attacker to cause a denial of service. (CVE-2010-4526, CVE-2011-1770, Important)

* Flaws in the Management Module Support for Message Passing Technology (MPT) based controllers could allow a local, unprivileged user to cause a denial of service, an information leak, or escalate their privileges. (CVE-2011-1494, CVE-2011-1495, Important)

* Flaws in the AGPGART driver, and a flaw in agp_allocate_memory(), could allow a local user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, CVE-2011-1746, Important)

* A flaw in the client-side NLM implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2491, Important)

* A flaw in the Bluetooth implementation could allow a remote attacker to cause a denial of service or escalate their privileges.
(CVE-2011-2497, Important)

* Flaws in the netlink-based wireless configuration interface could allow a local user, who has the CAP_NET_ADMIN capability, to cause a denial of service or escalate their privileges on systems that have an active wireless interface. (CVE-2011-2517, Important)

* The maximum file offset handling for ext4 file systems could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2695, Important)

* A local, unprivileged user could allocate large amounts of memory not visible to the OOM killer, causing a denial of service.
(CVE-2010-4243, Moderate)

* The proc file system could allow a local, unprivileged user to obtain sensitive information or possibly cause integrity issues.
(CVE-2011-1020, Moderate)

* A local, privileged user could possibly write arbitrary kernel memory via /sys/kernel/debug/acpi/custom_method. (CVE-2011-1021, Moderate)

* Inconsistency in the methods for allocating and freeing NFSv4 ACL data; CVE-2010-4250 fix caused a regression; a flaw in next_pidmap() and inet_diag_bc_audit(); flaws in the CAN implementation; a race condition in the memory merging support; a flaw in the taskstats subsystem; and the way mapping expansions were handled could allow a local, unprivileged user to cause a denial of service. (CVE-2011-1090, CVE-2011-1479, CVE-2011-1593, CVE-2011-2213, CVE-2011-1598, CVE-2011-1748, CVE-2011-2183, CVE-2011-2484, CVE-2011-2496, Moderate)

* A flaw in GRO could result in a denial of service when a malformed VLAN frame is received. (CVE-2011-1478, Moderate)

* napi_reuse_skb() could be called on VLAN packets allowing an attacker on the local network to possibly trigger a denial of service.
(CVE-2011-1576, Moderate)

* A denial of service could occur if packets were received while the ipip or ip_gre module was being loaded. (CVE-2011-1767, CVE-2011-1768, Moderate)

* Information leaks. (CVE-2011-1160, CVE-2011-2492, CVE-2011-2495, Low)

* Flaws in the EFI GUID Partition Table implementation could allow a local attacker to cause a denial of service. (CVE-2011-1577, CVE-2011-1776, Low)

* While a user has a CIFS share mounted that required successful authentication, a local, unprivileged user could mount that share without knowing the correct password if mount.cifs was setuid root.
(CVE-2011-1585, Low)

Red Hat would like to thank Dan Rosenberg for reporting CVE-2011-1770, CVE-2011-1494, CVE-2011-1495, CVE-2011-2497, and CVE-2011-2213;
Vasiliy Kulikov of Openwall for reporting CVE-2011-1745, CVE-2011-2022, CVE-2011-1746, CVE-2011-2484, and CVE-2011-2495; Vasily Averin for reporting CVE-2011-2491; Brad Spengler for reporting CVE-2010-4243; Kees Cook for reporting CVE-2011-1020; Robert Swiecki for reporting CVE-2011-1593 and CVE-2011-2496; Oliver Hartkopp for reporting CVE-2011-1748; Andrea Righi for reporting CVE-2011-2183;
Ryan Sweat for reporting CVE-2011-1478 and CVE-2011-1576; Peter Huewe for reporting CVE-2011-1160; Marek Kroemeke and Filip Palian for reporting CVE-2011-2492; and Timo Warns for reporting CVE-2011-1577 and CVE-2011-1776.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2011-0421 advisory.

  - The cxgb_extension_ioctl function in drivers/net/cxgb3/cxgb3_main.c in the Linux kernel before 2.6.36-rc5     does not properly initialize a certain structure member, which allows local users to obtain potentially     sensitive information from kernel stack memory via a CHELSIO_GET_QSET_NUM ioctl call. (CVE-2010-3296)

  - The install_special_mapping function in mm/mmap.c in the Linux kernel before 2.6.37-rc6 does not make an     expected security_file_mmap function call, which allows local users to bypass intended mmap_min_addr     restrictions and possibly conduct NULL pointer dereference attacks via a crafted assembly-language     application. (CVE-2010-4346)

  - Race condition in the sctp_icmp_proto_unreachable function in net/sctp/input.c in Linux kernel 2.6.11-rc2     through 2.6.33 allows remote attackers to cause a denial of service (panic) via an ICMP unreachable     message to a socket that is already locked by a user, which causes the socket to be freed and triggers     list corruption, related to the sctp_wait_for_connect function. (CVE-2010-4526)

  - The orinoco_ioctl_set_auth function in drivers/net/wireless/orinoco/wext.c in the Linux kernel before     2.6.37 does not properly implement a TKIP protection mechanism, which makes it easier for remote attackers     to obtain access to a Wi-Fi network by reading Wi-Fi frames. (CVE-2010-4648)

  - net/core/ethtool.c in the Linux kernel before 2.6.36 does not initialize certain data structures, which     allows local users to obtain potentially sensitive information from kernel heap memory by leveraging the     CAP_NET_ADMIN capability for an ethtool ioctl call. (CVE-2010-4655)

  - The iowarrior_write function in drivers/usb/misc/iowarrior.c in the Linux kernel before 2.6.37 does not     properly allocate memory, which might allow local users to trigger a heap-based buffer overflow, and     consequently cause a denial of service or gain privileges, via a long report. (CVE-2010-4656)

  - The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel before 2.6.38-rc2     does not check the sign of a certain integer field, which allows local users to cause a denial of service     (memory corruption) or possibly have unspecified other impact via a negative value. (CVE-2011-0521)

  - Race condition in the cm_work_handler function in the InfiniBand driver (drivers/infiniband/core/cma.c) in     Linux kernel 2.6.x allows remote attackers to cause a denial of service (panic) by sending an InfiniBand     request while other request handlers are still running, which triggers an invalid pointer dereference.
    (CVE-2011-0695)

  - The task_show_regs function in arch/s390/kernel/traps.c in the Linux kernel before     2.6.38-rc4-next-20110216 on the s390 platform allows local users to obtain the values of the registers of     an arbitrary process by reading a status file under /proc/. (CVE-2011-0710)

  - The br_multicast_add_group function in net/bridge/br_multicast.c in the Linux kernel before 2.6.38, when a     certain Ethernet bridge configuration is used, allows local users to cause a denial of service (memory     corruption and system crash) by sending IGMP packets to a local interface. (CVE-2011-0716)

  - The napi_reuse_skb function in net/core/dev.c in the Generic Receive Offload (GRO) implementation in the     Linux kernel before 2.6.38 does not reset the values of certain structure members, which might allow     remote attackers to cause a denial of service (NULL pointer dereference) via a malformed VLAN frame.
    (CVE-2011-1478)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2011:0163 :

Updated kernel packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issue :

* A flaw was found in the sctp_icmp_proto_unreachable() function in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could use this flaw to cause a denial of service. (CVE-2010-4526, Important)

This update also fixes the following bugs :

* Due to an off-by-one error, gfs2_grow failed to take the very last 'rgrp' parameter into account when adding up the new free space. With this update, the GFS2 kernel properly counts all the new resource groups and fixes the 'statfs' file correctly. (BZ#666792)

* Prior to this update, a multi-threaded application, which invoked popen(3) internally, could cause a thread stall by FILE lock corruption. The application program waited for a FILE lock in glibc, but the lock seemed to be corrupted, which was caused by a race condition in the COW (Copy On Write) logic. With this update, the race condition was corrected and FILE lock corruption no longer occurs.
(BZ#667050)

* If an error occurred during I/O, the SCSI driver reset the 'megaraid_sas' controller to restore it to normal state. However, on Red Hat Enterprise Linux 5, the waiting time to allow a full reset completion for the 'megaraid_sas' controller was too short. The driver incorrectly recognized the controller as stalled, and, as a result, the system stalled as well. With this update, more time is given to the controller to properly restart, thus, the controller operates as expected after being reset. (BZ#667141)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Dan Rosenberg discovered that the RDS network protocol did not correctly check certain parameters. A local attacker could exploit this gain root privileges. (CVE-2010-3904)

Nelson Elhage discovered several problems with the Acorn Econet protocol driver. A local user could cause a denial of service via a NULL pointer dereference, escalate privileges by overflowing the kernel stack, and assign Econet addresses to arbitrary interfaces.
(CVE-2010-3848, CVE-2010-3849, CVE-2010-3850)

Ben Hutchings discovered that the ethtool interface did not correctly check certain sizes. A local attacker could perform malicious ioctl calls that could crash the system, leading to a denial of service.
(CVE-2010-2478, CVE-2010-3084)

Eric Dumazet discovered that many network functions could leak kernel stack contents. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (CVE-2010-2942, CVE-2010-3477)

Dave Chinner discovered that the XFS filesystem did not correctly order inode lookups when exported by NFS. A remote attacker could exploit this to read or write disk blocks that had changed file assignment or had become unlinked, leading to a loss of privacy.
(CVE-2010-2943)

Tavis Ormandy discovered that the IRDA subsystem did not correctly shut down. A local attacker could exploit this to cause the system to crash or possibly gain root privileges. (CVE-2010-2954)

Brad Spengler discovered that the wireless extensions did not correctly validate certain request sizes. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (CVE-2010-2955)

Tavis Ormandy discovered that the session keyring did not correctly check for its parent. On systems without a default session keyring, a local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-2960)

Kees Cook discovered that the Intel i915 graphics driver did not correctly validate memory regions. A local attacker with access to the video card could read and write arbitrary kernel memory to gain root privileges. (CVE-2010-2962)

Kees Cook discovered that the V4L1 32bit compat interface did not correctly validate certain parameters. A local attacker on a 64bit system with access to a video device could exploit this to gain root privileges. (CVE-2010-2963)

Tavis Ormandy discovered that the AIO subsystem did not correctly validate certain parameters. A local attacker could exploit this to crash the system or possibly gain root privileges. (CVE-2010-3067)

Dan Rosenberg discovered that certain XFS ioctls leaked kernel stack contents. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (CVE-2010-3078)

Robert Swiecki discovered that ftrace did not correctly handle mutexes. A local attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3079)

Tavis Ormandy discovered that the OSS sequencer device did not correctly shut down. A local attacker could exploit this to crash the system or possibly gain root privileges. (CVE-2010-3080)

Dan Rosenberg discovered that several network ioctls did not clear kernel memory correctly. A local user could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297, CVE-2010-3298)

Dan Rosenberg discovered that the ROSE driver did not correctly check parameters. A local attacker with access to a ROSE network device could exploit this to crash the system or possibly gain root privileges. (CVE-2010-3310)

Thomas Dreibholz discovered that SCTP did not correctly handle appending packet chunks. A remote attacker could send specially crafted traffic to crash the system, leading to a denial of service.
(CVE-2010-3432)

Dan Rosenberg discovered that the CD driver did not correctly check parameters. A local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2010-3437)

Dan Rosenberg discovered that the Sound subsystem did not correctly validate parameters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3442)

Dan Jacobson discovered that ThinkPad video output was not correctly access controlled. A local attacker could exploit this to hang the system, leading to a denial of service. (CVE-2010-3448)

It was discovered that KVM did not correctly initialize certain CPU registers. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3698)

Dan Rosenberg discovered that SCTP did not correctly handle HMAC calculations. A remote attacker could send specially crafted traffic that would crash the system, leading to a denial of service.
(CVE-2010-3705)

Brad Spengler discovered that stack memory for new a process was not correctly calculated. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3858)

Dan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859)

Kees Cook discovered that the ethtool interface did not correctly clear kernel memory. A local attacker could read kernel heap memory, leading to a loss of privacy. (CVE-2010-3861)

Thomas Pollet discovered that the RDS network protocol did not check certain iovec buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user.
(CVE-2010-3865)

Dan Rosenberg discovered that the Linux kernel X.25 implementation incorrectly parsed facilities. A remote attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3873)

Dan Rosenberg discovered that the CAN protocol on 64bit systems did not correctly calculate the size of certain buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3874)

Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-3875)

Vasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876)

Vasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-3877)

Nelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880)

Vasiliy Kulikov discovered that kvm did not correctly clear memory. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy. (CVE-2010-3881)

Kees Cook and Vasiliy Kulikov discovered that the shm interface did not clear kernel memory correctly. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-4072)

Dan Rosenberg discovered that IPC structures were not correctly initialized on 64bit systems. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-4073)

Dan Rosenberg discovered that multiple terminal ioctls did not correctly initialize structure memory. A local attacker could exploit this to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4075)

Dan Rosenberg discovered that the ivtv V4L driver did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-4079)

Dan Rosenberg discovered that the RME Hammerfall DSP audio interface driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4080, CVE-2010-4081)

Dan Rosenberg discovered that the VIA video driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4082)

Dan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083)

James Bottomley discovered that the ICP vortex storage array controller driver did not validate certain sizes. A local attacker on a 64bit system could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-4157)

Dan Rosenberg discovered that the socket filters did not correctly initialize structure memory. A local attacker could create malicious filters to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4158)

Dan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges.
(CVE-2010-4160)

Dan Rosenberg discovered that certain iovec operations did not calculate page counts correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4162)

Dan Rosenberg discovered that the SCSI subsystem did not correctly validate iov segments. A local attacker with access to a SCSI device could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2010-4163, CVE-2010-4668)

Dan Rosenberg discovered multiple flaws in the X.25 facilities parsing. If a system was using X.25, a remote attacker could exploit this to crash the system, leading to a denial of service.
(CVE-2010-4164)

Steve Chen discovered that setsockopt did not correctly check MSS values. A local attacker could make a specially crafted socket call to crash the system, leading to a denial of service. (CVE-2010-4165)

Dave Jones discovered that the mprotect system call did not correctly handle merged VMAs. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4169)

Dan Rosenberg discovered that the RDS protocol did not correctly check ioctl arguments. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4175)

Alan Cox discovered that the HCI UART driver did not correctly check if a write operation was available. If the mmap_min-addr sysctl was changed from the Ubuntu default to a value of 0, a local attacker could exploit this flaw to gain root privileges. (CVE-2010-4242)

It was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248)

Vegard Nossum discovered that memory garbage collection was not handled correctly for active sockets. A local attacker could exploit this to allocate all available kernel memory, leading to a denial of service. (CVE-2010-4249)

Nelson Elhage discovered that the kernel did not correctly handle process cleanup after triggering a recoverable kernel bug. If a local attacker were able to trigger certain kinds of kernel bugs, they could create a specially crafted process to gain root privileges.
(CVE-2010-4258)

Krishna Gudipati discovered that the bfa adapter driver did not correctly initialize certain structures. A local attacker could read files in /sys to crash the system, leading to a denial of service.
(CVE-2010-4343)

Tavis Ormandy discovered that the install_special_mapping function could bypass the mmap_min_addr restriction. A local attacker could exploit this to mmap 4096 bytes below the mmap_min_addr area, possibly improving the chances of performing NULL pointer dereference attacks.
(CVE-2010-4346)

It was discovered that the ICMP stack did not correctly handle certain unreachable messages. If a remote attacker were able to acquire a socket lock, they could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-4526)

Dan Rosenberg discovered that the OSS subsystem did not handle name termination correctly. A local attacker could exploit this crash the system or gain root privileges. (CVE-2010-4527)

An error was reported in the kernel's ORiNOCO wireless driver's handling of TKIP countermeasures. This reduces the amount of time an attacker needs breach a wireless network using WPA+TKIP for security.
(CVE-2010-4648)

Dan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044)

An error was discovered in the kernel's handling of CUSE (Character device in Userspace). A local attacker might exploit this flaw to escalate privilege, if access to /dev/cuse has been modified to allow non-root users. (CVE-2010-4650)

Kees Cook discovered that some ethtool functions did not correctly clear heap memory. A local attacker with CAP_NET_ADMIN privileges could exploit this to read portions of kernel heap memory, leading to a loss of privacy. (CVE-2010-4655)

Kees Cook discovered that the IOWarrior USB device driver did not correctly check certain size fields. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2010-4656)

Joel Becker discovered that OCFS2 did not correctly validate on-disk symlink structures. If an attacker were able to trick a user or automated system into mounting a specially crafted filesystem, it could crash the system or expose kernel memory, leading to a loss of privacy. (CVE-2010-NNN2)

A flaw was found in the kernel's Integrity Measurement Architecture (IMA). Changes made by an attacker might not be discovered by IMA, if SELinux was disabled, and a new IMA rule was loaded. (CVE-2011-0006)

Dan Carpenter discovered that the TTPCI DVB driver did not check certain values during an ioctl. If the dvb-ttpci module was loaded, a local attacker could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-0521)

Rafael Dominguez Vega discovered that the caiaq Native Instruments USB driver did not correctly validate string lengths. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2011-0712)

Timo Warns discovered that MAC partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system or potentially gain root privileges. (CVE-2011-1010)

Timo Warns discovered that LDM partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1012)

Nelson Elhage discovered that the epoll subsystem did not correctly handle certain structures. A local attacker could create malicious requests that would hang the system, leading to a denial of service.
(CVE-2011-1082)

Johan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093).

This update fixes the following security issues :

  - A flaw was found in the sctp_icmp_proto_unreachable()     function in the Linux kernel's Stream Control     Transmission Protocol (SCTP) implementation. A remote     attacker could use this flaw to cause a denial of     service. (CVE-2010-4526, Important)

  - A missing boundary check was found in the dvb_ca_ioctl()     function in the Linux kernel's av7110 module. On systems     that use old DVB cards that require the av7110 module, a     local, unprivileged user could use this flaw to cause a     denial of service or escalate their privileges.
    (CVE-2011-0521, Important)

  - A race condition was found in the way the Linux kernel's     InfiniBand implementation set up new connections. This     could allow a remote user to cause a denial of service.
    (CVE-2011-0695, Important)

  - A heap overflow flaw in the iowarrior_write() function     could allow a user with access to an IO-Warrior USB     device, that supports more than 8 bytes per report, to     cause a denial of service or escalate their privileges.
    (CVE-2010-4656, Moderate)

  - A flaw was found in the way the Linux Ethernet bridge     implementation handled certain IGMP (Internet Group     Management Protocol) packets. A local, unprivileged user     on a system that has a network interface in an Ethernet     bridge could use this flaw to crash that system     (CVE-2011-0716, Moderate)

  - A NULL pointer dereference flaw was found in the Generic     Receive Offload (GRO) functionality in the Linux     kernel's networking implementation. If both GRO and     promiscuous mode were enabled on an interface in a     virtual LAN (VLAN), it could result in a denial of     service when a malformed VLAN frame is received on that     interface. (CVE-2011-1478, Moderate)

  - A missing initialization flaw in the Linux kernel could     lead to an information leak. (CVE-2010-3296, Low)

  - A missing security check in the Linux kernel's     implementation of the install_special_mapping() function     could allow a local, unprivileged user to bypass the     mmap_min_addr protection mechanism. (CVE-2010-4346, Low)

  - A logic error in the orinoco_ioctl_set_auth() function     in the Linux kernel's ORiNOCO wireless extensions     support implementation could render TKIP countermeasures     ineffective when it is enabled, as it enabled the card     instead of shutting it down. (CVE-2010-4648, Low)

  - A missing initialization flaw was found in the     ethtool_get_regs() function in the Linux kernel's     ethtool IOCTL handler. A local user who has the     CAP_NET_ADMIN capability could use this flaw to cause an     information leak. (CVE-2010-4655, Low)

  - An information leak was found in the Linux kernel's     task_show_regs() implementation. On IBM S/390 systems, a     local, unprivileged user could use this flaw to read     /proc/[PID]/status files, allowing them to discover the     CPU register values of processes. (CVE-2011-0710, Low)

This update also fixes several bugs.

The system must be rebooted for this update to take effect.

This update fixes the following security issue :

  - A flaw was found in the sctp_icmp_proto_unreachable()     function in the Linux kernel's Stream Control     Transmission Protocol (SCTP) implementation. A remote     attacker could use this flaw to cause a denial of     service. (CVE-2010-4526, Important)

This update also fixes the following bugs :

  - Due to an off-by-one error, gfs2_grow failed to take the     very last 'rgrp' parameter into account when adding up     the new free space. With this update, the GFS2 kernel     properly counts all the new resource groups and fixes     the 'statfs' file correctly. (BZ#666792)

  - Prior to this update, a multi-threaded application,     which invoked popen(3) internally, could cause a thread     stall by FILE lock corruption. The application program     waited for a FILE lock in glibc, but the lock seemed to     be corrupted, which was caused by a race condition in     the COW (Copy On Write) logic. With this update, the     race condition was corrected and FILE lock corruption no     longer occurs. (BZ#667050)

  - If an error occurred during I/O, the SCSI driver reset     the 'megaraid_sas' controller to restore it to normal     state. However, on Scientific Linux 5, the waiting time     to allow a full reset completion for the 'megaraid_sas'     controller was too short. The driver incorrectly     recognized the controller as stalled, and, as a result,     the system stalled as well. With this update, more time     is given to the controller to properly restart, thus,     the controller operates as expected after being reset.
    (BZ#667141)

The system must be rebooted for this update to take effect.

This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes several security issues and bugs.

The following security issues were fixed :

  - A memory leak in the ethtool ioctl was fixed that could     disclose kernel memory to local attackers with     CAP_NET_ADMIN privileges. (CVE-2010-4655)

  - The dvb_ca_ioctl function in     drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel     did not check the sign of a certain integer field, which     allowed local users to cause a denial of service (memory     corruption) or possibly have unspecified other impact     via a negative value. (CVE-2011-0521)

  - The ax25_getname function in net/ax25/af_ax25.c in the     Linux kernel did not initialize a certain structure,     which allowed local users to obtain potentially     sensitive information from kernel stack memory by     reading a copy of this structure. (CVE-2010-3875)

  - net/packet/af_packet.c in the Linux kernel did not     properly initialize certain structure members, which     allowed local users to obtain potentially sensitive     information from kernel stack memory by leveraging the     CAP_NET_RAW capability to read copies of the applicable     structures. (CVE-2010-3876)

  - The get_name function in net/tipc/socket.c in the Linux     kernel did not initialize a certain structure, which     allowed local users to obtain potentially sensitive     information from kernel stack memory by reading a copy     of this structure. (CVE-2010-3877)

  - A stack memory information leak in the xfs FSGEOMETRY_V1     ioctl was fixed. (CVE-2011-0711)

  - The task_show_regs function in arch/s390/kernel/traps.c     in the Linux kernel on the s390 platform allowed local     users to obtain the values of the registers of an     arbitrary process by reading a status file under /proc/.
    (CVE-2011-0710)

  - The sctp_process_unk_param function in     net/sctp/sm_make_chunk.c in the Linux kernel, when SCTP     is enabled, allowed remote attackers to cause a denial     of service (system crash) via an SCTPChunkInit packet     containing multiple invalid parameters that require a     large amount of error data. (CVE-2010-1173)

  - The uart_get_count function in     drivers/serial/serial_core.c in the Linux kernel did not     properly initialize a certain structure member, which     allowed local users to obtain potentially sensitive     information from kernel stack memory via a TIOCGICOUNT     ioctl call. (CVE-2010-4075)

  - The rs_ioctl function in drivers/char/amiserial.c in the     Linux kernel did not properly initialize a certain     structure member, which allowed local users to obtain     potentially sensitive information from kernel stack     memory via a TIOCGICOUNT ioctl call. (CVE-2010-4076)

  - The ntty_ioctl_tiocgicount function in     drivers/char/nozomi.c in the Linux kernel did not     properly initialize a certain structure member, which     allowed local users to obtain potentially sensitive     information from kernel stack memory via a TIOCGICOUNT     ioctl call. (CVE-2010-4077)

  - The load_mixer_volumes function in sound/oss/soundcard.c     in the OSS sound subsystem in the Linux kernel     incorrectly expected that a certain name field ends with     a '0' character, which allowed local users to conduct     buffer overflow attacks and gain privileges, or possibly     obtain sensitive information from kernel memory, via a     SOUND_MIXER_SETLEVELS ioctl call. (CVE-2010-4527)

  - Race condition in the __exit_signal function in     kernel/exit.c in the Linux kernel allowed local users to     cause a denial of service via vectors related to     multithreaded exec, the use of a thread group leader in     kernel/posix-cpu-timers.c, and the selection of a new     thread group leader in the de_thread function in     fs/exec.c. (CVE-2010-4248)

  - The blk_rq_map_user_iov function in block/blk-map.c in     the Linux kernel allowed local users to cause a denial     of service (panic) via a zero-length I/O request in a     device ioctl to a SCSI device, related to an unaligned     map. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2010-4163. (CVE-2010-4668)

  - The hci_uart_tty_open function in the HCI UART driver     (drivers/bluetooth/hci_ldisc.c) in the Linux kernel did     not verify whether the tty has a write operation, which     allowed local users to cause a denial of service (NULL     pointer dereference) via vectors related to the     Bluetooth driver. (CVE-2010-4242)

  - Integer underflow in the irda_getsockopt function in     net/irda/af_irda.c in the Linux kernel on platforms     other than x86 allowed local users to obtain potentially     sensitive information from kernel heap memory via an     IRLMP_ENUMDEVICES getsockopt call. (CVE-2010-4529)

  - The aun_incoming function in net/econet/af_econet.c in     the Linux kernel, when Econet is enabled, allowed remote     attackers to cause a denial of service (NULL pointer     dereference and OOPS) by sending an Acorn Universal     Networking (AUN) packet over UDP. (CVE-2010-4342)

  - Race condition in the sctp_icmp_proto_unreachable     function in net/sctp/input.c in Linux kernel allowed     remote attackers to cause a denial of service (panic)     via an ICMP unreachable message to a socket that is     already locked by a user, which causes the socket to be     freed and triggers list corruption, related to the     sctp_wait_for_connect function. (CVE-2010-4526)

a. ESX third-party update for Service Console kernel

   This update takes the console OS kernel package to    kernel-2.6.18-238.9.1 which resolves multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2010-1083, CVE-2010-2492, CVE-2010-2798,    CVE-2010-2938, CVE-2010-2942, CVE-2010-2943, CVE-2010-3015,    CVE-2010-3066, CVE-2010-3067, CVE-2010-3078, CVE-2010-3086,    CVE-2010-3296, CVE-2010-3432, CVE-2010-3442, CVE-2010-3477,    CVE-2010-3699, CVE-2010-3858, CVE-2010-3859, CVE-2010-3865,    CVE-2010-3876, CVE-2010-3877, CVE-2010-3880, CVE-2010-3904,    CVE-2010-4072, CVE-2010-4073, CVE-2010-4075, CVE-2010-4080,    CVE-2010-4081, CVE-2010-4083, CVE-2010-4157, CVE-2010-4158,    CVE-2010-4161, CVE-2010-4238, CVE-2010-4242, CVE-2010-4243,    CVE-2010-4247, CVE-2010-4248, CVE-2010-4249, CVE-2010-4251,    CVE-2010-4255, CVE-2010-4263, CVE-2010-4343, CVE-2010-4346,    CVE-2010-4526, CVE-2010-4655, CVE-2011-0521, CVE-2011-0710,    CVE-2011-1010, CVE-2011-1090 and CVE-2011-1478 to these issues.

b. ESX third-party update for Service Console krb5 RPMs

   This patch updates the krb5-libs and krb5-workstation RPMs of the    console OS to version 1.6.1-55.el5_6.1, which resolves multiple    security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2010-1323, CVE-2011-0281, and CVE-2011-0282    to these issues.

c. ESXi and ESX update to third-party component glibc

   The glibc third-party library is updated to resolve multiple    security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2010-0296, CVE-2011-0536, CVE-2011-1071,    CVE-2011-1095, CVE-2011-1658, and CVE-2011-1659 to these issues.

d. ESX update to third-party drivers mptsas, mpt2sas, and mptspi

   The mptsas, mpt2sas, and mptspi drivers are updated which addresses    multiple security issues in the mpt2sas driver.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2011-1494 and CVE-2011-1495 to these issues.

Dan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859)

Dan Rosenberg discovered that multiple terminal ioctls did not correctly initialize structure memory. A local attacker could exploit this to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077)

Dan Rosenberg discovered that the socket filters did not correctly initialize structure memory. A local attacker could create malicious filters to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4158)

Dan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges. (CVE-2010-4160)

Dan Rosenberg discovered that certain iovec operations did not calculate page counts correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4162)

Dan Rosenberg discovered that the SCSI subsystem did not correctly validate iov segments. A local attacker with access to a SCSI device could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2010-4163, CVE-2010-4668)

Dan Rosenberg discovered that the RDS protocol did not correctly check ioctl arguments. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4175)

Alan Cox discovered that the HCI UART driver did not correctly check if a write operation was available. If the mmap_min-addr sysctl was changed from the Ubuntu default to a value of 0, a local attacker could exploit this flaw to gain root privileges. (CVE-2010-4242)

Brad Spengler discovered that the kernel did not correctly account for userspace memory allocations during exec() calls. A local attacker could exploit this to consume all system memory, leading to a denial of service. (CVE-2010-4243)

Alex Shi and Eric Dumazet discovered that the network stack did not correctly handle packet backlogs. A remote attacker could exploit this by sending a large amount of network traffic to cause the system to run out of memory, leading to a denial of service. (CVE-2010-4251, CVE-2010-4805)

It was discovered that the ICMP stack did not correctly handle certain unreachable messages. If a remote attacker were able to acquire a socket lock, they could send specially crafted traffic that would crash the system, leading to a denial of service.
(CVE-2010-4526)

Dan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044)

Kees Cook reported that /proc/pid/stat did not correctly filter certain memory locations. A local attacker could determine the memory layout of processes in an attempt to increase the chances of a successful memory corruption exploit. (CVE-2011-0726)

Timo Warns discovered that MAC partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system or potentially gain root privileges. (CVE-2011-1010)

Timo Warns discovered that LDM partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1012)

Matthiew Herrb discovered that the drm modeset interface did not correctly handle a signed comparison. A local attacker could exploit this to crash the system or possibly gain root privileges.
(CVE-2011-1013)

It was discovered that the /proc filesystem did not correctly handle permission changes when programs executed. A local attacker could hold open files to examine details about programs running with higher privileges, potentially increasing the chances of exploiting additional vulnerabilities. (CVE-2011-1020)

Vasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078)

Vasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079)

Vasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080)

Nelson Elhage discovered that the epoll subsystem did not correctly handle certain structures. A local attacker could create malicious requests that would hang the system, leading to a denial of service.
(CVE-2011-1082)

Neil Horman discovered that NFSv4 did not correctly handle certain orders of operation with ACL data. A remote attacker with access to an NFSv4 mount could exploit this to crash the system, leading to a denial of service. (CVE-2011-1090)

Johan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093)

Peter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160)

Timo Warns discovered that OSF partition parsing routines did not correctly clear memory. A local attacker with physical access could plug in a specially crafted block device to read kernel memory, leading to a loss of privacy. (CVE-2011-1163)

Vasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534)

Vasiliy Kulikov discovered that the Acorn Universal Networking driver did not correctly initialize memory. A remote attacker could send specially crafted traffic to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1173)

Dan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180)

Ryan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478)

Dan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges. (CVE-2011-1493)

Timo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577)

Oliver Hartkopp and Dave Jones discovered that the CAN network driver did not correctly validate certain socket structures. If this driver was loaded, a local attacker could crash the system, leading to a denial of service. (CVE-2011-1598)

Dan Rosenberg discovered that the DCCP stack did not correctly handle certain packet structures. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1770)

Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833)

Vasiliy Kulikov discovered that taskstats listeners were not correctly handled. A local attacker could expoit this to exhaust memory and CPU resources, leading to a denial of service.
(CVE-2011-2484)

It was discovered that Bluetooth l2cap and rfcomm did not correctly initialize structures. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy.
(CVE-2011-2492)

Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service.
(CVE-2011-2699)

The performance counter subsystem did not correctly handle certain counters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2918)

Dan Rosenberg discovered that multiple terminal ioctls did not correctly initialize structure memory. A local attacker could exploit this to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4076, CVE-2010-4077)

It was discovered that Xen did not correctly handle certain block requests. A local attacker in a Xen guest could cause the Xen host to use all available CPU resources, leading to a denial of service.
(CVE-2010-4247)

It was discovered that the ICMP stack did not correctly handle certain unreachable messages. If a remote attacker were able to acquire a socket lock, they could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-4526)

Kees Cook reported that /proc/pid/stat did not correctly filter certain memory locations. A local attacker could determine the memory layout of processes in an attempt to increase the chances of a successful memory corruption exploit. (CVE-2011-0726)

Timo Warns discovered that OSF partition parsing routines did not correctly clear memory. A local attacker with physical access could plug in a specially crafted block device to read kernel memory, leading to a loss of privacy. (CVE-2011-1163)

Timo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577)

Vasiliy Kulikov discovered that the AGP driver did not check certain ioctl values. A local attacker with access to the video subsystem could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-1745, CVE-2011-2022)

Vasiliy Kulikov discovered that the AGP driver did not check the size of certain memory allocations. A local attacker with access to the video subsystem could exploit this to run the system out of memory, leading to a denial of service. (CVE-2011-1746).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issue :

* A flaw was found in the sctp_icmp_proto_unreachable() function in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could use this flaw to cause a denial of service. (CVE-2010-4526, Important)

This update also fixes the following bugs :

* Due to an off-by-one error, gfs2_grow failed to take the very last 'rgrp' parameter into account when adding up the new free space. With this update, the GFS2 kernel properly counts all the new resource groups and fixes the 'statfs' file correctly. (BZ#666792)

* Prior to this update, a multi-threaded application, which invoked popen(3) internally, could cause a thread stall by FILE lock corruption. The application program waited for a FILE lock in glibc, but the lock seemed to be corrupted, which was caused by a race condition in the COW (Copy On Write) logic. With this update, the race condition was corrected and FILE lock corruption no longer occurs.
(BZ#667050)

* If an error occurred during I/O, the SCSI driver reset the 'megaraid_sas' controller to restore it to normal state. However, on Red Hat Enterprise Linux 5, the waiting time to allow a full reset completion for the 'megaraid_sas' controller was too short. The driver incorrectly recognized the controller as stalled, and, as a result, the system stalled as well. With this update, more time is given to the controller to properly restart, thus, the controller operates as expected after being reset. (BZ#667141)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A flaw was found in the sctp_icmp_proto_unreachable() function in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could use this flaw to cause a denial of service. (CVE-2010-4526, Important)

* A missing boundary check was found in the dvb_ca_ioctl() function in the Linux kernel's av7110 module. On systems that use old DVB cards that require the av7110 module, a local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges.
(CVE-2011-0521, Important)

* A race condition was found in the way the Linux kernel's InfiniBand implementation set up new connections. This could allow a remote user to cause a denial of service. (CVE-2011-0695, Important)

* A heap overflow flaw in the iowarrior_write() function could allow a user with access to an IO-Warrior USB device, that supports more than 8 bytes per report, to cause a denial of service or escalate their privileges. (CVE-2010-4656, Moderate)

* A flaw was found in the way the Linux Ethernet bridge implementation handled certain IGMP (Internet Group Management Protocol) packets. A local, unprivileged user on a system that has a network interface in an Ethernet bridge could use this flaw to crash that system.
(CVE-2011-0716, Moderate)

* A NULL pointer dereference flaw was found in the Generic Receive Offload (GRO) functionality in the Linux kernel's networking implementation. If both GRO and promiscuous mode were enabled on an interface in a virtual LAN (VLAN), it could result in a denial of service when a malformed VLAN frame is received on that interface.
(CVE-2011-1478, Moderate)

* A missing initialization flaw in the Linux kernel could lead to an information leak. (CVE-2010-3296, Low)

* A missing security check in the Linux kernel's implementation of the install_special_mapping() function could allow a local, unprivileged user to bypass the mmap_min_addr protection mechanism. (CVE-2010-4346, Low)

* A logic error in the orinoco_ioctl_set_auth() function in the Linux kernel's ORiNOCO wireless extensions support implementation could render TKIP countermeasures ineffective when it is enabled, as it enabled the card instead of shutting it down. (CVE-2010-4648, Low)

* A missing initialization flaw was found in the ethtool_get_regs() function in the Linux kernel's ethtool IOCTL handler. A local user who has the CAP_NET_ADMIN capability could use this flaw to cause an information leak. (CVE-2010-4655, Low)

* An information leak was found in the Linux kernel's task_show_regs() implementation. On IBM S/390 systems, a local, unprivileged user could use this flaw to read /proc/[PID]/status files, allowing them to discover the CPU register values of processes. (CVE-2011-0710, Low)

Red Hat would like to thank Jens Kuehnel for reporting CVE-2011-0695;
Kees Cook for reporting CVE-2010-4656 and CVE-2010-4655; Dan Rosenberg for reporting CVE-2010-3296; and Tavis Ormandy for reporting CVE-2010-4346.

This update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.29 and fixes various bugs and security issues.

  - The ax25_getname function in net/ax25/af_ax25.c in the     Linux kernel did not initialize a certain structure,     which allowed local users to obtain potentially     sensitive information from kernel stack memory by     reading a copy of this structure. (CVE-2010-3875)

  - net/packet/af_packet.c in the Linux kernel did not     properly initialize certain structure members, which     allowed local users to obtain potentially sensitive     information from kernel stack memory by leveraging the     CAP_NET_RAW capability to read copies of the applicable     structures. (CVE-2010-3876)

  - The get_name function in net/tipc/socket.c in the Linux     kernel did not initialize a certain structure, which     allowed local users to obtain potentially sensitive     information from kernel stack memory by reading a copy     of this structure. (CVE-2010-3877)

  - The sctp_auth_asoc_get_hmac function in net/sctp/auth.c     in the Linux kernel did not properly validate the     hmac_ids array of an SCTP peer, which allowed remote     attackers to cause a denial of service (memory     corruption and panic) via a crafted value in the last     element of this array. (CVE-2010-3705)

  - A stack memory information leak in the xfs FSGEOMETRY_V1     ioctl was fixed. (CVE-2011-0711)

  - Multiple buffer overflows in the caiaq Native     Instruments USB audio functionality in the Linux kernel     might have allowed attackers to cause a denial of     service or possibly have unspecified other impact via a     long USB device name, related to (1) the     snd_usb_caiaq_audio_init function in     sound/usb/caiaq/audio.c and (2) the     snd_usb_caiaq_midi_init function in     sound/usb/caiaq/midi.c. (CVE-2011-0712)

  - The task_show_regs function in arch/s390/kernel/traps.c     in the Linux kernel on the s390 platform allowed local     users to obtain the values of the registers of an     arbitrary process by reading a status file under /proc/.
    (CVE-2011-0710)

  - The xfs implementation in the Linux kernel did not look     up inode allocation btrees before reading inode buffers,     which allowed remote authenticated users to read     unlinked files, or read or overwrite disk blocks that     are currently assigned to an active file but were     previously assigned to an unlinked file, by accessing a     stale NFS filehandle. (CVE-2010-2943)

  - The uart_get_count function in     drivers/serial/serial_core.c in the Linux kernel did not     properly initialize a certain structure member, which     allowed local users to obtain potentially sensitive     information from kernel stack memory via a TIOCGICOUNT     ioctl call. (CVE-2010-4075)

  - The rs_ioctl function in drivers/char/amiserial.c in the     Linux kernel did not properly initialize a certain     structure member, which allowed local users to obtain     potentially sensitive information from kernel stack     memory via a TIOCGICOUNT ioctl call. (CVE-2010-4076)

  - The ntty_ioctl_tiocgicount function in     drivers/char/nozomi.c in the Linux kernel did not     properly initialize a certain structure member, which     allowed local users to obtain potentially sensitive     information from kernel stack memory via a TIOCGICOUNT     ioctl call. (CVE-2010-4077)

  - fs/exec.c in the Linux kernel did not enable the OOM     Killer to assess use of stack memory by arrays     representing the (1) arguments and (2) environment,     which allows local users to cause a denial of service     (memory consumption) via a crafted exec system call, aka     an OOM dodging issue, a related issue to CVE-2010-3858.
    (CVE-2010-4243)

  - The blk_rq_map_user_iov function in block/blk-map.c in     the Linux kernel allowed local users to cause a denial     of service (panic) via a zero-length I/O request in a     device ioctl to a SCSI device, related to an unaligned     map. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2010-4163. (CVE-2010-4668)

  - Integer underflow in the irda_getsockopt function in     net/irda/af_irda.c in the Linux kernel on platforms     other than x86 allowed local users to obtain potentially     sensitive information from kernel heap memory via an     IRLMP_ENUMDEVICES getsockopt call. (CVE-2010-4529)

  - The aun_incoming function in net/econet/af_econet.c in     the Linux kernel, when Econet is enabled, allows remote     attackers to cause a denial of service (NULL pointer     dereference and OOPS) by sending an Acorn Universal     Networking (AUN) packet over UDP. (CVE-2010-4342)

  - The backend driver in Xen 3.x allowed guest OS users to     cause a denial of service via a kernel thread leak,     which prevented the device and guest OS from being shut     down or create a zombie domain, causing a hang in     zenwatch, or preventing unspecified xm commands from     working properly, related to (1) netback, (2) blkback,     or (3) blktap. (CVE-2010-3699)

  - The install_special_mapping function in mm/mmap.c in the     Linux kernel did not make an expected security_file_mmap     function call, which allows local users to bypass     intended mmap_min_addr restrictions and possibly conduct     NULL pointer dereference attacks via a crafted     assembly-language application. (CVE-2010-4346)

  - Fixed a verify_ioctl overflow in 'cuse' in the fuse     filesystem. The code should only be called by root users     though. (CVE-2010-4650)

  - Race condition in the sctp_icmp_proto_unreachable     function in net/sctp/input.c in the Linux kernel allowed     remote attackers to cause a denial of service (panic)     via an ICMP unreachable message to a socket that is     already locked by a user, which causes the socket to be     freed and triggers list corruption, related to the     sctp_wait_for_connect function. (CVE-2010-4526)

  - The load_mixer_volumes function in sound/oss/soundcard.c     in the OSS sound subsystem in the Linux kernel     incorrectly expected that a certain name field ends with     a '0' character, which allowed local users to conduct     buffer overflow attacks and gain privileges, or possibly     obtain sensitive information from kernel memory, via a     SOUND_MIXER_SETLEVELS ioctl call. (CVE-2010-4527)

  - Fixed a LSM bug in IMA (Integrity Measuring     Architecture). IMA is not enabled in SUSE kernels, so we     were not affected. (CVE-2011-0006)

Thomas Pollet discovered that the RDS network protocol did not check certain iovec buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user.
(CVE-2010-3865)

Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-3875)

Vasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876)

Vasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-3877)

Nelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880)

It was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248)

Krishna Gudipati discovered that the bfa adapter driver did not correctly initialize certain structures. A local attacker could read files in /sys to crash the system, leading to a denial of service.
(CVE-2010-4343)

Tavis Ormandy discovered that the install_special_mapping function could bypass the mmap_min_addr restriction. A local attacker could exploit this to mmap 4096 bytes below the mmap_min_addr area, possibly improving the chances of performing NULL pointer dereference attacks.
(CVE-2010-4346)

It was discovered that the ICMP stack did not correctly handle certain unreachable messages. If a remote attacker were able to acquire a socket lock, they could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-4526)

Dan Rosenberg discovered that the OSS subsystem did not handle name termination correctly. A local attacker could exploit this crash the system or gain root privileges. (CVE-2010-4527)

An error was reported in the kernel's ORiNOCO wireless driver's handling of TKIP countermeasures. This reduces the amount of time an attacker needs breach a wireless network using WPA+TKIP for security.
(CVE-2010-4648)

Dan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044)

An error was discovered in the kernel's handling of CUSE (Character device in Userspace). A local attacker might exploit this flaw to escalate privilege, if access to /dev/cuse has been modified to allow non-root users. (CVE-2010-4650)

A flaw was found in the kernel's Integrity Measurement Architecture (IMA). Changes made by an attacker might not be discovered by IMA, if SELinux was disabled, and a new IMA rule was loaded. (CVE-2011-0006).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leak. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2010-0435     Gleb Napatov reported an issue in the KVM subsystem that     allows virtual machines to cause a denial of service of     the host machine by executing mov to/from DR     instructions.

  - CVE-2010-3699     Keir Fraser provided a fix for an issue in the Xen     subsystem. A guest can cause a denial of service on the     host by retaining a leaked reference to a device. This     can result in a zombie domain, xenwatch process hangs,     and xm command failures.

  - CVE-2010-4158     Dan Rosenberg discovered an issue in the socket filters     subsystem, allowing local unprivileged users to obtain     the contents of sensitive kernel memory.

  - CVE-2010-4162     Dan Rosenberg discovered an overflow issue in the block     I/O subsystem that allows local users to map large     numbers of pages, resulting in a denial of service due     to invocation of the out of memory killer.

  - CVE-2010-4163     Dan Rosenberg discovered an issue in the block I/O     subsystem. Due to improper validation of iov segments,     local users can trigger a kernel panic resulting in a     denial of service.

  - CVE-2010-4242     Alan Cox reported an issue in the Bluetooth subsystem.
    Local users with sufficient permission to access HCI     UART devices can cause a denial of service (NULL pointer     dereference) due to a missing check for an existing tty     write operation.

  - CVE-2010-4243     Brad Spengler reported a denial-of-service issue in the     kernel memory accounting system. By passing large     argv/envp values to exec, local users can cause the out     of memory killer to kill processes owned by other users.

  - CVE-2010-4248     Oleg Nesterov reported an issue in the POSIX CPU timers     subsystem. Local users can cause a denial of service     (Oops) due to incorrect assumptions about thread group     leader behavior.

  - CVE-2010-4249     Vegard Nossum reported an issue with the UNIX socket     garbage collector. Local users can consume all of LOWMEM     and decrease system performance by overloading the     system with inflight sockets.

  - CVE-2010-4258     Nelson Elhage reported an issue in Linux oops handling.
    Local users may be able to obtain elevated privileges if     they are able to trigger an oops with a process' fs set     to KERNEL_DS.

  - CVE-2010-4342     Nelson Elhage reported an issue in the Econet protocol.
    Remote attackers can cause a denial of service by     sending an Acorn Universal Networking packet over UDP.

  - CVE-2010-4346     Tavis Ormandy discovered an issue in the     install_special_mapping routine which allows local users     to bypass the mmap_min_addr security restriction.
    Combined with an otherwise low severity local denial of     service vulnerability (NULL pointer dereference), a     local user could obtain elevated privileges.

  - CVE-2010-4526     Eugene Teo reported a race condition in the Linux SCTP     implementation. Remote users can cause a denial of     service (kernel memory corruption) by transmitting an     ICMP unreachable message to a locked socket.

  - CVE-2010-4527     Dan Rosenberg reported two issues in the OSS soundcard     driver. Local users with access to the device (members     of group 'audio' on default Debian installations) may     access to sensitive kernel memory or cause a buffer     overflow, potentially leading to an escalation of     privileges.

  - CVE-2010-4529     Dan Rosenberg reported an issue in the Linux kernel IrDA     socket implementation on non-x86 architectures. Local     users may be able to gain access to sensitive kernel     memory via a specially crafted IRLMP_ENUMDEVICES     getsockopt call.

  - CVE-2010-4565     Dan Rosenberg reported an issue in the Linux CAN     protocol implementation. Local users can obtain the     address of a kernel heap object which might help     facilitate system exploitation.

  - CVE-2010-4649     Dan Carpenter reported an issue in the uverb handling of     the InfiniBand subsystem. A potential buffer overflow     may allow local users to cause a denial of service     (memory corruption) by passing in a large cmd.ne value.

  - CVE-2010-4656     Kees Cook reported an issue in the driver for     I/O-Warrior USB devices. Local users with access to     these devices may be able to overrun kernel buffers,     resulting in a denial of service or privilege     escalation.

  - CVE-2010-4668     Dan Rosenberg reported an issue in the block subsystem.
    A local user can cause a denial of service (kernel     panic) by submitting certain 0-length I/O requests.

  - CVE-2011-0521     Dan Carpenter reported an issue in the DVB driver for     AV7110 cards. Local users can pass a negative info->num     value, corrupting kernel memory and causing a denial of     service.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2011-0163.

ID	Name	Product	Family	Severity
89680	VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0012) (remote check)	Nessus	Misc.	high
76634	RHEL 6 : MRG (RHSA-2011:1253)	Nessus	Red Hat Local Security Checks	high
68247	Oracle Linux 6 : kernel (ELSA-2011-0421)	Nessus	Oracle Linux Local Security Checks	high
68183	Oracle Linux 5 : kernel (ELSA-2011-0163)	Nessus	Oracle Linux Local Security Checks	high
65103	Ubuntu 10.04 LTS / 10.10 : linux-mvl-dove vulnerabilities (USN-1093-1)	Nessus	Ubuntu Local Security Checks	high
61012	Scientific Linux Security Update : kernel on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
60939	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
59155	SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 7384)	Nessus	SuSE Local Security Checks	high
56508	VMSA-2011-0012 : VMware ESXi and ESX updates to third-party libraries and ESX Service Console	Nessus	VMware ESX Local Security Checks	high
56192	USN-1204-1 : linux-fsl-imx51 vulnerabilities	Nessus	Ubuntu Local Security Checks	high
55607	Ubuntu 8.04 LTS : linux vulnerabilities (USN-1170-1)	Nessus	Ubuntu Local Security Checks	high
53414	CentOS 5 : kernel (CESA-2011:0163)	Nessus	CentOS Local Security Checks	high
53328	RHEL 6 : kernel (RHSA-2011:0421)	Nessus	Red Hat Local Security Checks	high
52971	SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 7381)	Nessus	SuSE Local Security Checks	high
52597	SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 4039 / 4042 / 4043)	Nessus	SuSE Local Security Checks	high
52528	Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1080-2)	Nessus	Ubuntu Local Security Checks	high
52499	Ubuntu 10.04 LTS : linux vulnerabilities (USN-1080-1)	Nessus	Ubuntu Local Security Checks	high
51818	Debian DSA-2153-1 : linux-2.6 - privilege escalation/denial of service/information leak	Nessus	Debian Local Security Checks	high
51570	RHEL 5 : kernel (RHSA-2011:0163)	Nessus	Red Hat Local Security Checks	high
801504	CentOS RHSA-2011-0163 Security Check	Log Correlation Engine	Generic	high

Detections

Analytics

CVE-2010-4526

medium

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high