[oss-security] 20120321 Re: CVE request -- kernel: execshield: predictable ascii armour base address

http://scarybeastsecurity.blogspot.com/2012/03/some-random-observations-on-linux-aslr.html

[oss-security] 20120320 Re: CVE request -- kernel: execshield: predictable ascii armour base address

https://bugzilla.redhat.com/show_bug.cgi?id=804947

https://oss.oracle.com/git/?p=redpatch.git;a=commit;h=302a4fc15aebf202b6dffd6c804377c6058ee6e4

The ExecShield feature does not properly handle use of many shared libraries by a 32-bit executable file, which makes it easier for context-dependent attackers to bypass the ASLR protection mechanism by leveraging a predictable base address for one of these libraries.

A use-after-free flaw was found in the Linux kernel's memory management subsystem in the way quota handling for huge pages was performed. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges.
(CVE-2012-2133 , Moderate)

A use-after-free flaw was found in the madvise() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-3511 , Moderate)

It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2012-1568 , Low)

Buffer overflow flaws were found in the udf_load_logicalvol() function in the Universal Disk Format (UDF) file system implementation in the Linux kernel. An attacker with physical access to a system could use these flaws to cause a denial of service or escalate their privileges.
(CVE-2012-3400 , Low)

From Red Hat Security Advisory 2013:0168 :

Updated kernel packages that fix three security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* It was found that the Xen hypervisor implementation did not perform range checking on the guest provided values in multiple hypercalls. A privileged guest user could use this flaw to trigger long loops, leading to a denial of service (Xen hypervisor hang). (CVE-2012-5515, Moderate)

* It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2012-1568, Low)

* A flaw was found in the way the Linux kernel's IPv6 implementation handled overlapping, fragmented IPv6 packets. A remote attacker could potentially use this flaw to bypass protection mechanisms (such as a firewall or intrusion detection system (IDS)) when sending network packets to a target system. (CVE-2012-4444, Low)

Red Hat would like to thank the Xen project for reporting CVE-2012-5515, and Antonios Atlasis working with Beyond Security's SecuriTeam Secure Disclosure program and Loganaden Velvindron of AFRINIC for reporting CVE-2012-4444.

This update also fixes several bugs. Space precludes documenting all of these changes in this advisory. Documentation for these changes will be available shortly from the Red Hat Enterprise Linux 5.9 Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2012-1426 advisory.

  - The ExecShield feature in a certain Red Hat patch for the Linux kernel in Red Hat Enterprise Linux (RHEL)     5 and 6 and Fedora 15 and 16 does not properly handle use of many shared libraries by a 32-bit executable     file, which makes it easier for context-dependent attackers to bypass the ASLR protection mechanism by     leveraging a predictable base address for one of these libraries. (CVE-2012-1568)

  - Use-after-free vulnerability in the Linux kernel before 3.3.6, when huge pages are enabled, allows local     users to cause a denial of service (system crash) or possibly gain privileges by interacting with a     hugetlbfs filesystem, as demonstrated by a umount operation that triggers improper handling of quota data.
    (CVE-2012-2133)

  - Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel     before 3.4.5 allows remote attackers to cause a denial of service (system crash) or possibly have     unspecified other impact via a crafted UDF filesystem. (CVE-2012-3400)

  - Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5     allow local users to cause a denial of service (use-after-free and system crash) via vectors involving a     (1) munmap or (2) close system call. (CVE-2012-3511)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update fixes the following security issues :

  - It was found that the Xen hypervisor implementation did     not perform range checking on the guest provided values     in multiple hypercalls. A privileged guest user could     use this flaw to trigger long loops, leading to a denial     of service (Xen hypervisor hang). (CVE-2012-5515,     Moderate)

  - It was found that when running a 32-bit binary that uses     a large number of shared libraries, one of the libraries     would always be loaded at a predictable address in     memory. An attacker could use this flaw to bypass the     Address Space Layout Randomization (ASLR) security     feature. (CVE-2012-1568, Low)

  - A flaw was found in the way the Linux kernel's IPv6     implementation handled overlapping, fragmented IPv6     packets. A remote attacker could potentially use this     flaw to bypass protection mechanisms (such as a firewall     or intrusion detection system (IDS)) when sending     network packets to a target system. (CVE-2012-4444, Low)

The system must be rebooted for this update to take effect.

Updated kernel packages that fix three security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* It was found that the Xen hypervisor implementation did not perform range checking on the guest provided values in multiple hypercalls. A privileged guest user could use this flaw to trigger long loops, leading to a denial of service (Xen hypervisor hang). (CVE-2012-5515, Moderate)

* It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2012-1568, Low)

* A flaw was found in the way the Linux kernel's IPv6 implementation handled overlapping, fragmented IPv6 packets. A remote attacker could potentially use this flaw to bypass protection mechanisms (such as a firewall or intrusion detection system (IDS)) when sending network packets to a target system. (CVE-2012-4444, Low)

Red Hat would like to thank the Xen project for reporting CVE-2012-5515, and Antonios Atlasis working with Beyond Security's SecuriTeam Secure Disclosure program and Loganaden Velvindron of AFRINIC for reporting CVE-2012-4444.

This update also fixes several bugs. Space precludes documenting all of these changes in this advisory. Documentation for these changes will be available shortly from the Red Hat Enterprise Linux 5.9 Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A use-after-free flaw was found in the Linux kernel's memory management subsystem in the way quota handling for huge pages was performed. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges.
(CVE-2012-2133, Moderate)

* A use-after-free flaw was found in the madvise() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-3511, Moderate)

* It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2012-1568, Low)

* Buffer overflow flaws were found in the udf_load_logicalvol() function in the Universal Disk Format (UDF) file system implementation in the Linux kernel. An attacker with physical access to a system could use these flaws to cause a denial of service or escalate their privileges. (CVE-2012-3400, Low)

Red Hat would like to thank Shachar Raindel for reporting CVE-2012-2133.

This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.

* A use-after-free flaw was found in the Linux kernel's memory management subsystem in the way quota handling for huge pages was performed. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges.
(CVE-2012-2133, Moderate)

* A use-after-free flaw was found in the madvise() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-3511, Moderate)

* It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2012-1568, Low)

* Buffer overflow flaws were found in the udf_load_logicalvol() function in the Universal Disk Format (UDF) file system implementation in the Linux kernel. An attacker with physical access to a system could use these flaws to cause a denial of service or escalate their privileges. (CVE-2012-3400, Low)

This update also fixes several bugs.

The system must be rebooted for this update to take effect.

This update of Samba includes the following fixes for two security issues :

  - Ensure that users cannot hand out their own privileges     to everyone, only administrators are allowed to do that.
    (CVE-2012-2111)

  - mount.cifs no longer allows unprivileged users to mount     onto dirs that are not accessible to them.
    (CVE-2012-1586)

Fixes CVE-2012-1568

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to the 3.2.10 stable release, which contains a number of fixes across the kernel.

Fixes CVE-2012-1146 Fixes CVE-2012-1179

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Fixes CVE-2012-1568

Also fixes a use-after-free issue in mac80211

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2013-0168.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2012-1426.

ID	Name	Product	Family	Severity
69665	Amazon Linux AMI : kernel (ALAS-2012-58)	Nessus	Amazon Linux Local Security Checks	low
69632	Amazon Linux AMI : kernel (ALAS-2012-142)	Nessus	Amazon Linux Local Security Checks	high
68711	Oracle Linux 5 : kernel (ELSA-2013-0168)	Nessus	Oracle Linux Local Security Checks	medium
68710	Oracle Linux 5 : kernel (ELSA-2013-0168-1)	Nessus	Oracle Linux Local Security Checks	medium
68651	Oracle Linux 6 : kernel (ELSA-2012-1426)	Nessus	Oracle Linux Local Security Checks	high
63677	Scientific Linux Security Update : kernel on SL5.x i386/x86_64 (20130122)	Nessus	Scientific Linux Local Security Checks	medium
63670	CentOS 5 : kernel (CESA-2013:0168)	Nessus	CentOS Local Security Checks	medium
63662	RHEL 5 : kernel (RHSA-2013:0168)	Nessus	Red Hat Local Security Checks	medium
62862	CentOS 6 : kernel (CESA-2012:1426)	Nessus	CentOS Local Security Checks	high
62858	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20121106)	Nessus	Scientific Linux Local Security Checks	high
62833	RHEL 6 : kernel (RHSA-2012:1426)	Nessus	Red Hat Local Security Checks	high
58941	SuSE 11.1 Security Update : Samba (SAT Patch Number 6210)	Nessus	SuSE Local Security Checks	medium
58701	Fedora 17 : kernel-3.3.0-5.fc17 (2012-4761)	Nessus	Fedora Local Security Checks	low
58488	Fedora 15 : kernel-2.6.42.12-1.fc15 (2012-3715)	Nessus	Fedora Local Security Checks	critical
58421	Fedora 16 : kernel-3.3.0-4.fc16 (2012-4410)	Nessus	Fedora Local Security Checks	low
801533	CentOS RHSA-2013-0168 Security Check	Log Correlation Engine	Generic	high
801529	CentOS RHSA-2012-1426 Security Check	Log Correlation Engine	Generic	high

CVE-2012-1568

low

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

low

high

medium

medium

high

medium

medium

medium

high

high

high

medium

low

critical

low

high

high