http://blog.zx2c4.com/749

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc

47708

USN-1336-1

VU#470151

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.2

[oss-security] 20120118 CVE request: kernel: proc: clean up and fix /proc/<pid>/mem handling

[oss-security] 20120117 Re: CVE request: kernel: proc: clean up and fix /proc/<pid>/mem handling

[oss-security] 20120119 Re: CVE request: kernel: proc: clean up and fix /proc/<pid>/mem handling

[oss-security] 20120122 Re: CVE request: kernel: proc: clean up and fix /proc/<pid>/mem handling

RHSA-2012:0052

RHSA-2012:0061

51625

https://bugzilla.redhat.com/show_bug.cgi?id=782642

Updated kernel-rt packages that fix one security issue are now available for Red Hat Enterprise MRG 2.1.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issue :

* It was found that permissions were not checked properly in the Linux kernel when handling the /proc/[pid]/mem writing functionality. A local, unprivileged user could use this flaw to escalate their privileges. Refer to Red Hat Knowledgebase article DOC-69129, linked to in the References, for further information. (CVE-2012-0056, Important)

Red Hat would like to thank Juri Aedla for reporting this issue.

Users should upgrade to these updated packages, which correct this issue. The system must be rebooted for this update to take effect.

The openSUSE 12.1 kernel was updated to 3.1.9 to fix bugs and security issues. The full list of changes in 3.1.9 is available here :

http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.1.9 http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.1.8 http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.1.7 http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.1.6 http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.1.5 http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.1.4 http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.1.3 http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.1.2 http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.1.2 

Following security issues have been fixed :

CVE-2011-2203: Missing NULL pointer check in hfs filesystem code

CVE-2011-4604: Fix possible kernel memory corruption if B.A.T.M.A.N.
mesh protocol is being used.

CVE-2012-0056: Local root vulnerability via writing to /proc/pid/mem

CVE-2012-0207: Remote DoS vulnerability via crafted IGMP packages.

Following non-security bug fixes have been added :

  - BTRFS support has been improved with many bug fixes.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2012-2001 advisory.

  - drivers/gpu/drm/i915/i915_gem.c in the Graphics Execution Manager (GEM) in the Intel i915 driver in the     Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.36 does not properly validate     pointers to blocks of memory, which allows local users to write to arbitrary kernel memory locations, and     consequently gain privileges, via crafted use of the ioctl interface, related to (1) pwrite and (2) pread     operations. (CVE-2010-2962)

  - The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check     permissions when writing to /proc//mem, which allows local users to gain privileges by modifying     process memory, as demonstrated by Mempodipper. (CVE-2012-0056)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2012-0052 advisory.

  - The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check     permissions when writing to /proc//mem, which allows local users to gain privileges by modifying     process memory, as demonstrated by Mempodipper. (CVE-2012-0056)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issue :

  - It was found that permissions were not checked properly     in the Linux kernel when handling the /proc/[pid]/mem     writing functionality. A local, unprivileged user could     use this flaw to escalate their privileges.
    (CVE-2012-0056, Important)

This update fixes the following bugs :

  - The 2.6.32-220.2.1.el6 kernel update introduced a bug in     the Linux kernel scheduler, causing a 'WARNING: at     kernel/sched.c:5915 thread_return' message and a call     trace to be logged. This message was harmless, and was     not due to any system malfunctions or adverse behavior.
    With this update, the WARN_ON_ONCE() call in the     scheduler that caused this harmless message has been     removed.

  - The 2.6.32-220.el6 kernel update introduced a regression     in the way the Linux kernel maps ELF headers for kernel     modules into kernel memory. If a third-party kernel     module is compiled on a Scientific Linux system with a     kernel prior to 2.6.32-220.el6, then loading that module     on a system with 2.6.32-220.el6 kernel would result in     corruption of one byte in the memory reserved for the     module. In some cases, this could prevent the module     from functioning correctly.

  - On some SMP systems the tsc may erroneously be marked as     unstable during early system boot or while the system is     under heavy load. A 'Clocksource tsc unstable' message     was logged when this occurred. As a result the system     would switch to the slower access, but higher precision     HPET clock.

The 'tsc=reliable' kernel parameter is supposed to avoid this problem by indicating that the system has a known good clock, however, the parameter only affected run time checks. A fix has been put in to avoid the boot time checks so that the TSC remains as the clock for the duration of system runtime.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

A flaw was discovered in the XFS filesystem. If a local user mounts a specially crafted XFS image it could potential execute arbitrary code on the system. (CVE-2012-0038)

Andy Whitcroft discovered a that the Overlayfs filesystem was not doing the extended permission checks needed by cgroups and Linux Security Modules (LSMs). A local user could exploit this to by-pass security policy and access files that should not be accessible.
(CVE-2012-0055)

Juri Aedla discovered that the kernel incorrectly handled /proc/<pid>/mem permissions. A local attacker could exploit this and gain root privileges. (CVE-2012-0056)

A flaw was found in the linux kernels IPv4 IGMP query processing. A remote attacker could exploit this to cause a denial of service.
(CVE-2012-0207)

Juri Aedla discovered that the kernel incorrectly handled /proc/<pid>/mem permissions. A local attacker could exploit this and gain root privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Rebase F16 to the 3.2.1 stable release. Also fixes CVEs :

  - CVE-2012-0056

    - CVE-2011-4127

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to the 3.1.10 stable release (Fedora 2.6.41.10). Also fixes CVEs :

  - CVE-2012-0056

    - CVE-2011-4127

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that fix one security issue and three bugs are now available for for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issue :

* It was found that permissions were not checked properly in the Linux kernel when handling the /proc/[pid]/mem writing functionality. A local, unprivileged user could use this flaw to escalate their privileges. Refer to Red Hat Knowledgebase article DOC-69129, linked to in the References, for further information. (CVE-2012-0056, Important)

Red Hat would like to thank Juri Aedla for reporting this issue.

This update fixes the following bugs :

* The RHSA-2011:1849 kernel update introduced a bug in the Linux kernel scheduler, causing a 'WARNING: at kernel/sched.c:5915 thread_return' message and a call trace to be logged. This message was harmless, and was not due to any system malfunctions or adverse behavior. With this update, the WARN_ON_ONCE() call in the scheduler that caused this harmless message has been removed. (BZ#768288)

* The RHSA-2011:1530 kernel update introduced a regression in the way the Linux kernel maps ELF headers for kernel modules into kernel memory. If a third-party kernel module is compiled on a Red Hat Enterprise Linux system with a kernel prior to RHSA-2011:1530, then loading that module on a system with RHSA-2011:1530 kernel would result in corruption of one byte in the memory reserved for the module. In some cases, this could prevent the module from functioning correctly. (BZ#769595)

* On some SMP systems the tsc may erroneously be marked as unstable during early system boot or while the system is under heavy load. A 'Clocksource tsc unstable' message was logged when this occurred. As a result the system would switch to the slower access, but higher precision HPET clock.

The 'tsc=reliable' kernel parameter is supposed to avoid this problem by indicating that the system has a known good clock, however, the parameter only affected run time checks. A fix has been put in to avoid the boot time checks so that the TSC remains as the clock for the duration of system runtime. (BZ#755867)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Clement Lecigne discovered a bug in the HFS filesystem. A local attacker could exploit this to cause a kernel oops. (CVE-2011-2203)

A bug was discovered in the XFS filesystem's handling of pathnames. A local attacker could exploit this to crash the system, leading to a denial of service, or gain root privileges. (CVE-2011-4077)

A flaw was found in how the Linux kernel handles user-defined key types. An unprivileged local user could exploit this to crash the system. (CVE-2011-4110)

A flaw was found in the Journaling Block Device (JBD). A local attacker able to mount ext3 or ext4 file systems could exploit this to crash the system, leading to a denial of service. (CVE-2011-4132)

Clement Lecigne discovered a bug in the HFS file system bounds checking. When a malformed HFS file system is mounted a local user could crash the system or gain root privileges. (CVE-2011-4330)

Chen Haogang discovered an integer overflow that could result in memory corruption. A local unprivileged user could use this to crash the system. (CVE-2012-0044)

Juri Aedla discovered that the kernel incorrectly handled /proc/<pid>/mem permissions. A local attacker could exploit this and gain root privileges. (CVE-2012-0056).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2012-0052.

ID	Name	Product	Family	Severity
76636	RHEL 6 : MRG (RHSA-2012:0061)	Nessus	Red Hat Local Security Checks	medium
74767	openSUSE Security Update : kernel (openSUSE-2012-65)	Nessus	SuSE Local Security Checks	high
68668	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2001)	Nessus	Oracle Linux Local Security Checks	high
68435	Oracle Linux 6 : kernel (ELSA-2012-0052)	Nessus	Oracle Linux Local Security Checks	medium
61221	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20120123)	Nessus	Scientific Linux Local Security Checks	medium
57938	USN-1364-1 : linux-ti-omap4 vulnerabilities	Nessus	Ubuntu Local Security Checks	high
57697	Ubuntu 10.04 LTS : linux-lts-backport-oneiric vulnerability (USN-1342-1)	Nessus	Ubuntu Local Security Checks	medium
57674	Fedora 16 : kernel-3.2.1-3.fc16 (2012-0876)	Nessus	Fedora Local Security Checks	medium
57673	Fedora 15 : kernel-2.6.41.10-3.fc15 (2012-0861)	Nessus	Fedora Local Security Checks	medium
57669	CentOS 6 : kernel (CESA-2012:0052)	Nessus	CentOS Local Security Checks	medium
57660	Ubuntu 11.10 : linux vulnerability (USN-1336-1)	Nessus	Ubuntu Local Security Checks	high
57657	RHEL 6 : kernel (RHSA-2012:0052)	Nessus	Red Hat Local Security Checks	medium
801511	CentOS RHSA-2012-0052 Security Check	Log Correlation Engine	Generic	high

CVE-2012-0056

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

medium

high

high

medium

medium

high

medium

medium

medium

medium

high

medium

high