RHSA-2011:0927

[oss-security] 20110707 CVE-2011-1780, CVE-2011-1936, kernel/xen issues

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party libraries :

  - COS kernel
  - cURL
  - python
  - rpm

From Red Hat Security Advisory 2011:0927 :

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* An integer overflow flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important)

* A race condition in the way new InfiniBand connections were set up could allow a remote user to cause a denial of service.
(CVE-2011-0695, Important)

* A flaw in the Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl 'net.sctp.addip_enable' variable was turned on (it is off by default). (CVE-2011-1573, Important)

* Flaws in the AGPGART driver implementation when handling certain IOCTL commands could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, Important)

* An integer overflow flaw in agp_allocate_memory() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1746, Important)

* A flaw allowed napi_reuse_skb() to be called on VLAN (virtual LAN) packets. An attacker on the local network could trigger this flaw by sending specially crafted packets to a target system, possibly causing a denial of service. (CVE-2011-1576, Moderate)

* An integer signedness error in next_pidmap() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-1593, Moderate)

* A flaw in the way the Xen hypervisor implementation handled CPUID instruction emulation during virtual machine exits could allow an unprivileged guest user to crash a guest. This only affects systems that have an Intel x86 processor with the Intel VT-x extension enabled. (CVE-2011-1936, Moderate)

* A flaw in inet_diag_bc_audit() could allow a local, unprivileged user to cause a denial of service (infinite loop). (CVE-2011-2213, Moderate)

* A missing initialization flaw in the XFS file system implementation could lead to an information leak. (CVE-2011-0711, Low)

* A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause an information leak. (CVE-2011-1044, Low)

* A missing validation check was found in the signals implementation.
A local, unprivileged user could use this flaw to send signals via the sigqueueinfo system call, with the si_code set to SI_TKILL and with spoofed process and user IDs, to other processes. Note: This flaw does not allow existing permission checks to be bypassed; signals can only be sent if your privileges allow you to already do so. (CVE-2011-1182, Low)

* A heap overflow flaw in the EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk containing specially crafted partition tables. (CVE-2011-1776, Low)

* Structure padding in two structures in the Bluetooth implementation was not initialized properly before being copied to user-space, possibly allowing local, unprivileged users to leak kernel stack memory to user-space. (CVE-2011-2492, Low)

Red Hat would like to thank Jens Kuehnel for reporting CVE-2011-0695;
Vasiliy Kulikov for reporting CVE-2011-1745, CVE-2011-2022, and CVE-2011-1746; Ryan Sweat for reporting CVE-2011-1576; Robert Swiecki for reporting CVE-2011-1593; Dan Rosenberg for reporting CVE-2011-2213 and CVE-2011-0711; Julien Tinnes of the Google Security Team for reporting CVE-2011-1182; Timo Warns for reporting CVE-2011-1776; and Marek Kroemeke and Filip Palian for reporting CVE-2011-2492.

Bug fix documentation will be available shortly from the Technical Notes document linked to in the References.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

  - An integer overflow flaw in ib_uverbs_poll_cq() could     allow a local, unprivileged user to cause a denial of     service or escalate their privileges. (CVE-2010-4649,     Important)

  - A race condition in the way new InfiniBand connections     were set up could allow a remote user to cause a denial     of service. (CVE-2011-0695, Important)

  - A flaw in the Stream Control Transmission Protocol     (SCTP) implementation could allow a remote attacker to     cause a denial of service if the sysctl     'net.sctp.addip_enable' variable was turned on (it is     off by default). (CVE-2011-1573, Important)

  - Flaws in the AGPGART driver implementation when handling     certain IOCTL commands could allow a local, unprivileged     user to cause a denial of service or escalate their     privileges. (CVE-2011-1745, CVE-2011-2022, Important)

  - An integer overflow flaw in agp_allocate_memory() could     allow a local, unprivileged user to cause a denial of     service or escalate their privileges. (CVE-2011-1746,     Important)

  - A flaw allowed napi_reuse_skb() to be called on VLAN     (virtual LAN) packets. An attacker on the local network     could trigger this flaw by sending specially crafted     packets to a target system, possibly causing a denial of     service. (CVE-2011-1576, Moderate)

  - An integer signedness error in next_pidmap() could allow     a local, unprivileged user to cause a denial of service.
    (CVE-2011-1593, Moderate)

  - A flaw in the way the Xen hypervisor implementation     handled CPUID instruction emulation during virtual     machine exits could allow an unprivileged guest user to     crash a guest. This only affects systems that have an     Intel x86 processor with the Intel VT-x extension     enabled. (CVE-2011-1936, Moderate)

  - A flaw in inet_diag_bc_audit() could allow a local,     unprivileged user to cause a denial of service (infinite     loop). (CVE-2011-2213, Moderate)

  - A missing initialization flaw in the XFS file system     implementation could lead to an information leak.
    (CVE-2011-0711, Low)

  - A flaw in ib_uverbs_poll_cq() could allow a local,     unprivileged user to cause an information leak.
    (CVE-2011-1044, Low)

  - A missing validation check was found in the signals     implementation. A local, unprivileged user could use     this flaw to send signals via the sigqueueinfo system     call, with the si_code set to SI_TKILL and with spoofed     process and user IDs, to other processes. Note: This     flaw does not allow existing permission checks to be     bypassed; signals can only be sent if your privileges     allow you to already do so. (CVE-2011-1182, Low)

  - A heap overflow flaw in the EFI GUID Partition Table     (GPT) implementation could allow a local attacker to     cause a denial of service by mounting a disk containing     specially crafted partition tables. (CVE-2011-1776, Low)

  - Structure padding in two structures in the Bluetooth     implementation was not initialized properly before being     copied to user-space, possibly allowing local,     unprivileged users to leak kernel stack memory to     user-space. (CVE-2011-2492, Low)

This update fixes several bugs.

The system must be rebooted for this update to take effect.

a. ESX third-party update for Service Console kernel      The ESX Service Console Operating System (COS) kernel is updated to    kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the    COS kernel.
     The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,    CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166,    CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494,    CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,    CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182,    CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745,    CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,    CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525,    CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495,    CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues.
  b. ESX third-party update for Service Console cURL RPM      The ESX Service Console (COS) curl RPM is updated to cURL-7.15.5.9    resolving a security issues.
     The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the name CVE-2011-2192 to this issue.
  c. ESX third-party update for Service Console nspr and nss RPMs      The ESX Service Console (COS) nspr and nss RPMs are updated to    nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively resolving    a security issues.
     A Certificate Authority (CA) issued fraudulent SSL certificates and    Netscape Portable Runtime (NSPR) and Network Security Services (NSS)    contain the built-in tokens of this fraudulent Certificate    Authority. This update renders all SSL certificates signed by the    fraudulent CA as untrusted for all uses.
  d. ESX third-party update for Service Console rpm RPMs      The ESX Service Console Operating System (COS) rpm packages are    updated to popt-1.10.2.3-22.el5_7.2, rpm-4.4.2.3-22.el5_7.2,    rpm-libs-4.4.2.3-22.el5_7.2 and rpm-python-4.4.2.3-22.el5_7.2    which fixes multiple security issues.
     The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2010-2059 and CVE-2011-3378 to these    issues.
  e. ESX third-party update for Service Console samba RPMs      The ESX Service Console Operating System (COS) samba packages are    updated to samba-client-3.0.33-3.29.el5_7.4,    samba-common-3.0.33-3.29.el5_7.4 and    libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security    issues in the Samba client.
     The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2010-0547, CVE-2010-0787, CVE-2011-1678,    CVE-2011-2522 and CVE-2011-2694 to these issues.
     Note that ESX does not include the Samba Web Administration Tool    (SWAT) and therefore ESX COS is not affected by CVE-2011-2522 and    CVE-2011-2694.
  f. ESX third-party update for Service Console python package      The ESX Service Console (COS) python package is updated to    2.4.3-44 which fixes multiple security issues.
     The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2009-3720, CVE-2010-3493, CVE-2011-1015 and    CVE-2011-1521 to these issues.
  g. ESXi update to third-party component python      The python third-party library is updated to python 2.5.6 which    fixes multiple security issues.
     The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2009-3560, CVE-2009-3720, CVE-2010-1634,    CVE-2010-2089, and CVE-2011-1521 to these issues.

A security bug was fixed in Xen

  - A bug was found in the way Xen handles CPUID instruction     emulation during VM exits. An unprivileged guest user     can potentially use this flaw to crash the guest.
    (CVE-2011-1936)

This issue only affected systems running on x86 architecture with Intel processor and VMX virtualization extension enabled.

This update fixes various bugs in XEN :

The following security issues have been fixed :

  - A denial of service (Host Crash) in the XEN hypervisor.
    (CVE-2011-2901)

  - A bug was found in the way Xen handles CPUID instruction     emulation during VM exits. An unprivileged guest user     can potentially use this flaw to crash the guest.
    (CVE-2011-1936)

  - A 64-bit guest can get one of its vcpus into non-kernel     mode without first providing a valid non-kernel     pagetable. The observed failure mode was usually a hard     lockup of the host (host denial of service).
    (CVE-2011-1166)

It fixes also the following bugs :

  - SLES 10 SP3 XEN: Device /dev/xvdp is already connected     error when starting multiple vm's. (bnc#654798)

  - HVM taking too long to dump vmcore. (bnc#684297)

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* An integer overflow flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important)

* A race condition in the way new InfiniBand connections were set up could allow a remote user to cause a denial of service.
(CVE-2011-0695, Important)

* A flaw in the Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl 'net.sctp.addip_enable' variable was turned on (it is off by default). (CVE-2011-1573, Important)

* Flaws in the AGPGART driver implementation when handling certain IOCTL commands could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, Important)

* An integer overflow flaw in agp_allocate_memory() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1746, Important)

* A flaw allowed napi_reuse_skb() to be called on VLAN (virtual LAN) packets. An attacker on the local network could trigger this flaw by sending specially crafted packets to a target system, possibly causing a denial of service. (CVE-2011-1576, Moderate)

* An integer signedness error in next_pidmap() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-1593, Moderate)

* A flaw in the way the Xen hypervisor implementation handled CPUID instruction emulation during virtual machine exits could allow an unprivileged guest user to crash a guest. This only affects systems that have an Intel x86 processor with the Intel VT-x extension enabled. (CVE-2011-1936, Moderate)

* A flaw in inet_diag_bc_audit() could allow a local, unprivileged user to cause a denial of service (infinite loop). (CVE-2011-2213, Moderate)

* A missing initialization flaw in the XFS file system implementation could lead to an information leak. (CVE-2011-0711, Low)

* A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause an information leak. (CVE-2011-1044, Low)

* A missing validation check was found in the signals implementation.
A local, unprivileged user could use this flaw to send signals via the sigqueueinfo system call, with the si_code set to SI_TKILL and with spoofed process and user IDs, to other processes. Note: This flaw does not allow existing permission checks to be bypassed; signals can only be sent if your privileges allow you to already do so. (CVE-2011-1182, Low)

* A heap overflow flaw in the EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk containing specially crafted partition tables. (CVE-2011-1776, Low)

* Structure padding in two structures in the Bluetooth implementation was not initialized properly before being copied to user-space, possibly allowing local, unprivileged users to leak kernel stack memory to user-space. (CVE-2011-2492, Low)

Red Hat would like to thank Jens Kuehnel for reporting CVE-2011-0695;
Vasiliy Kulikov for reporting CVE-2011-1745, CVE-2011-2022, and CVE-2011-1746; Ryan Sweat for reporting CVE-2011-1576; Robert Swiecki for reporting CVE-2011-1593; Dan Rosenberg for reporting CVE-2011-2213 and CVE-2011-0711; Julien Tinnes of the Google Security Team for reporting CVE-2011-1182; Timo Warns for reporting CVE-2011-1776; and Marek Kroemeke and Filip Palian for reporting CVE-2011-2492.

Bug fix documentation will be available shortly from the Technical Notes document linked to in the References.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2011-0927.

ID	Name	Product	Family	Severity
89105	VMware ESX / ESXi Service Console and Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0001) (remote check)	Nessus	Misc.	high
68304	Oracle Linux 5 : kernel (ELSA-2011-0927)	Nessus	Oracle Linux Local Security Checks	medium
61083	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
57749	VMSA-2012-0001 : VMware ESXi and ESX updates to third-party library and ESX Service Console	Nessus	VMware ESX Local Security Checks	high
57266	SuSE 10 Security Update : Xen (ZYPP Patch Number 7654)	Nessus	SuSE Local Security Checks	high
56618	SuSE 10 Security Update : Xen (ZYPP Patch Number 7703)	Nessus	SuSE Local Security Checks	medium
55609	CentOS 5 : kernel (CESA-2011:0927)	Nessus	CentOS Local Security Checks	medium
55597	RHEL 5 : kernel (RHSA-2011:0927)	Nessus	Red Hat Local Security Checks	medium
801507	CentOS RHSA-2011-0927 Security Check	Log Correlation Engine	Generic	high

CVE-2011-1936

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins