http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fa3d315a4ce2c0891cdde262562e710d95fba19e

http://web.archive.org/web/20130329070349/http://ftp.osuosl.org/pub/linux/kernel/v3.0/ChangeLog-3.0

USN-1939-1

https://bugzilla.redhat.com/show_bug.cgi?id=950490

https://github.com/torvalds/linux/commit/fa3d315a4ce2c0891cdde262562e710d95fba19e

Vasily Kulikov discovered a flaw in the Linux Kernel's perf tool that allows for privilege escalation. A local user could exploit this flaw to run commands as root when using the perf tool. (CVE-2013-1060)

Michael S. Tsirkin discovered a flaw in how the Linux kernel's KVM subsystem allocates memory slots for the guest's address space. A local user could exploit this flaw to gain system privileges or obtain sensitive information from kernel memory. (CVE-2013-1943)

A flaw was discovered in the SCTP (stream control transfer protocol) network protocol's handling of duplicate cookies in the Linux kernel.
A remote attacker could exploit this flaw to cause a denial of service (system crash) on another remote user querying the SCTP connection.
(CVE-2013-2206)

Hannes Frederic Sowa discovered a flaw in setsockopt UDP_CORK option in the Linux kernel's IPv6 stack. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-4162).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-2534 advisory.

  - block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during     authorization of SCSI commands, which allows local users to bypass intended access restrictions via an     SG_IO ioctl call that leverages overlapping opcodes. (CVE-2012-4542)

  - The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return     value in certain circumstances, which allows local users to obtain sensitive information from kernel stack     memory via a crafted application that leverages an uninitialized pointer argument. (CVE-2012-6542)

  - The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified     during allocation of memory slots for use in a guest's physical address space, which allows local users to     gain privileges or obtain sensitive information from kernel memory via a crafted application, related to     arch/x86/kvm/paging_tmpl.h and virt/kvm/kvm_main.c. (CVE-2013-1943)

  - Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the     Linux kernel before 3.8.6 allows physically proximate attackers to cause a denial of service (system     crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital     Product Data (VPD) data structure. (CVE-2013-1929)

  - Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux     kernel before 3.8.4 allows physically proximate attackers to cause a denial of service (system crash) or     possibly execute arbitrary code via a crafted cdc-wdm USB device. (CVE-2013-1860)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-0911 advisory.

  - A certain Red Hat patch to the KVM subsystem in the kernel package before 2.6.32-358.11.1.el6 on Red Hat     Enterprise Linux (RHEL) 6 does not properly implement the PV EOI feature, which allows guest OS users to     cause a denial of service (host OS crash) by leveraging a time window during which interrupts are disabled     but copy_to_user function calls are possible. (CVE-2013-1935)

  - The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified     during allocation of memory slots for use in a guest's physical address space, which allows local users to     gain privileges or obtain sensitive information from kernel memory via a crafted application, related to     arch/x86/kvm/paging_tmpl.h and virt/kvm/kvm_main.c. (CVE-2013-1943)

  - The veth (aka virtual Ethernet) driver in the Linux kernel before 2.6.34 does not properly manage skbs     during congestion, which allows remote attackers to cause a denial of service (system crash) by leveraging     lack of skb consumption in conjunction with a double-free error. (CVE-2013-2017)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Updated kernel packages that fix three security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A flaw was found in the way KVM (Kernel-based Virtual Machine) initialized a guest's registered pv_eoi (paravirtualized end-of-interrupt) indication flag when entering the guest. An unprivileged guest user could potentially use this flaw to crash the host. (CVE-2013-1935, Important)

* A missing sanity check was found in the kvm_set_memory_region() function in KVM, allowing a user-space process to register memory regions pointing to the kernel address space. A local, unprivileged user could use this flaw to escalate their privileges. (CVE-2013-1943, Important)

* A double free flaw was found in the Linux kernel's Virtual Ethernet Tunnel driver (veth). A remote attacker could possibly use this flaw to crash a target system. (CVE-2013-2017, Moderate)

Red Hat would like to thank IBM for reporting the CVE-2013-1935 issue and Atzm WATANABE of Stratosphere Inc. for reporting the CVE-2013-2017 issue. The CVE-2013-1943 issue was discovered by Michael S. Tsirkin of Red Hat.

This update also fixes several bugs and adds one enhancement.
Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement.
The system must be rebooted for this update to take effect.

This update fixes the following security issues :

  - A flaw was found in the way KVM (Kernel-based Virtual     Machine) initialized a guest's registered pv_eoi     (paravirtualized end-of-interrupt) indication flag when     entering the guest. An unprivileged guest user could     potentially use this flaw to crash the host.
    (CVE-2013-1935, Important)

  - A missing sanity check was found in the     kvm_set_memory_region() function in KVM, allowing a     user-space process to register memory regions pointing     to the kernel address space. A local, unprivileged user     could use this flaw to escalate their privileges.
    (CVE-2013-1943, Important)

  - A double free flaw was found in the Linux kernel's     Virtual Ethernet Tunnel driver (veth). A remote attacker     could possibly use this flaw to crash a target system.
    (CVE-2013-2017, Moderate)

The system must be rebooted for this update to take effect.

ID	Name	Product	Family	Severity
83611	SUSE SLES11 Security Update : kernel (SUSE-SU-2014:0287-1)	Nessus	SuSE Local Security Checks	high
69808	Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1940-1)	Nessus	Ubuntu Local Security Checks	medium
69807	Ubuntu 10.04 LTS : linux vulnerabilities (USN-1939-1)	Nessus	Ubuntu Local Security Checks	medium
68856	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel Security (ELSA-2013-2534)	Nessus	Oracle Linux Local Security Checks	high
68834	Oracle Linux 6 : kernel (ELSA-2013-0911)	Nessus	Oracle Linux Local Security Checks	high
66887	CentOS 6 : kernel (CESA-2013:0911)	Nessus	CentOS Local Security Checks	high
66884	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20130610)	Nessus	Scientific Linux Local Security Checks	high
66853	RHEL 6 : kernel (RHSA-2013:0911)	Nessus	Red Hat Local Security Checks	high

CVE-2013-1943

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins

high

medium

medium

high

high

high

high

high