RHSA-2013:1166

RHSA-2013:1173

RHSA-2013:1450

[oss-security] 20130630 Re: CVE request: Kernel 2.6.32+ IP_RETOPTS Buffer Poisoning DoS

https://bugzilla.redhat.com/show_bug.cgi?id=979936

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party libraries :

  - Kernel
  - Netscape Portable Runtime (NSPR)
  - Network Security Services (NSS)

Updated kernel packages that fix three security issues and several bugs are now available for Red Hat Enterprise Linux 6.3 Extended Update Support.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* It was found that the fix for CVE-2012-3552 released via RHSA-2012:1540 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-2224, Important)

* An information leak flaw was found in the way Linux kernel's device mapper subsystem, under certain conditions, interpreted data written to snapshot block devices. An attacker could use this flaw to read data from disk blocks in free space, which are normally inaccessible.
(CVE-2013-4299, Moderate)

* A format string flaw was found in the b43_do_request_fw() function in the Linux kernel's b43 driver implementation. A local user who is able to specify the 'fwpostfix' b43 module parameter could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-2852, Low)

Red Hat would like to thank Fujitsu for reporting CVE-2013-4299, and Kees Cook for reporting CVE-2013-2852.

This update also fixes the following bugs :

* An insufficiently designed calculation in the CPU accelerator could cause an arithmetic overflow in the set_cyc2ns_scale() function if the system uptime exceeded 208 days prior to using kexec to boot into a new kernel. This overflow led to a kernel panic on the systems using the Time Stamp Counter (TSC) clock source, primarily the systems using Intel Xeon E5 processors that do not reset TSC on soft power cycles. A patch has been applied to modify the calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances. (BZ#1004185)

* A race condition in the abort task and SPP device task management path of the isci driver could, under certain circumstances, cause the driver to fail cleaning up timed-out I/O requests that were pending on an SAS disk device. As a consequence, the kernel removed such a device from the system. A patch applied to the isci driver fixes this problem by sending the task management function request to the SAS drive anytime the abort function is entered and the task has not completed.
The driver now cleans up timed-out I/O requests as expected in this situation. (BZ#1007467)

* A kernel panic could occur during path failover on systems using multiple iSCSI, FC or SRP paths to connect an iSCSI initiator and an iSCSI target. This happened because a race condition in the SCSI driver allowed removing a SCSI device from the system before processing its run queue, which led to a NULL pointer dereference. The SCSI driver has been modified and the race is now avoided by holding a reference to a SCSI device run queue while it is active. (BZ#1008507)

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

a. Update to ESX service console kernel

The ESX service console kernel is updated to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2012-2372, CVE-2012-3552, CVE-2013-2147, CVE-2013-2164, CVE-2013-2206, CVE-2013-2224, CVE-2013-2234, CVE-2013-2237, CVE-2013-2232 to these issues.

b. Update to ESX service console NSPR and NSS

This patch updates the ESX service console Netscape Portable Runtime (NSPR) and Network Security Services (NSS) RPMs to resolve multiple security issues. 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0791 and CVE-2013-1620 to these issues.

This update fixes the following security issues :

  - A flaw was found in the way the Linux kernel's Stream     Control Transmission Protocol (SCTP) implementation     handled duplicate cookies. If a local user queried SCTP     connection information at the same time a remote     attacker has initialized a crafted SCTP connection to     the system, it could trigger a NULL pointer dereference,     causing the system to crash. (CVE-2013-2206, Important)

  - It was found that the fix for CVE-2012-3552 released via     SLSA-2012:1304 introduced an invalid free flaw in the     Linux kernel's TCP/IP protocol suite implementation. A     local, unprivileged user could use this flaw to corrupt     kernel memory via crafted sendmsg() calls, allowing them     to cause a denial of service or, potentially, escalate     their privileges on the system. (CVE-2013-2224,     Important)

  - A flaw was found in the Linux kernel's Performance     Events implementation. On systems with certain Intel     processors, a local, unprivileged user could use this     flaw to cause a denial of service by leveraging the perf     subsystem to write into the reserved bits of the     OFFCORE_RSP_0 and OFFCORE_RSP_1 model-specific     registers. (CVE-2013-2146, Moderate)

  - An invalid pointer dereference flaw was found in the     Linux kernel's TCP/IP protocol suite implementation. A     local, unprivileged user could use this flaw to crash     the system or, potentially, escalate their privileges on     the system by using sendmsg() with an IPv6 socket     connected to an IPv4 destination. (CVE-2013-2232,     Moderate)

  - Information leak flaws in the Linux kernel's Bluetooth     implementation could allow a local, unprivileged user to     leak kernel memory to user- space. (CVE-2012-6544, Low)

  - An information leak flaw in the Linux kernel could allow     a privileged, local user to leak kernel memory to     user-space. (CVE-2013-2237, Low)

The system must be rebooted for this update to take effect.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies.
If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash. (CVE-2013-2206, Important)

* It was found that the fix for CVE-2012-3552 released via RHSA-2012:1304 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-2224, Important)

* A flaw was found in the Linux kernel's Performance Events implementation. On systems with certain Intel processors, a local, unprivileged user could use this flaw to cause a denial of service by leveraging the perf subsystem to write into the reserved bits of the OFFCORE_RSP_0 and OFFCORE_RSP_1 model-specific registers.
(CVE-2013-2146, Moderate)

* An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination. (CVE-2013-2232, Moderate)

* Information leak flaws in the Linux kernel's Bluetooth implementation could allow a local, unprivileged user to leak kernel memory to user-space. (CVE-2012-6544, Low)

* An information leak flaw in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space.
(CVE-2013-2237, Low)

This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-1173 advisory.

  - The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain     structures, which allows local users to obtain sensitive information from kernel stack memory via a     crafted application that targets the (1) L2CAP or (2) HCI implementation. (CVE-2012-6544)

  - The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux     kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO     chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system     crash) or possibly have unspecified other impact via crafted SCTP traffic. (CVE-2013-2206)

  - A certain Red Hat patch for the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 allows local     users to cause a denial of service (invalid free operation and system crash) or possibly gain privileges     via a sendmsg system call with the IP_RETOPTS option, as demonstrated by hemlock.c. NOTE: this     vulnerability exists because of an incorrect fix for CVE-2012-3552. (CVE-2013-2224)

  - The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users     to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4     interface. (CVE-2013-2232)

  - The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not     initialize a certain structure member, which allows local users to obtain sensitive information from     kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket.
    (CVE-2013-2237)

  - arch/x86/kernel/cpu/perf_event_intel.c in the Linux kernel before 3.8.9, when the Performance Events     Subsystem is enabled, specifies an incorrect bitmask, which allows local users to cause a denial of     service (general protection fault and system crash) by attempting to set a reserved bit. (CVE-2013-2146)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2013:1166 :

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies.
If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash. (CVE-2013-2206, Important)

* It was found that the fix for CVE-2012-3552 released via RHSA-2012:1540 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-2224, Important)

* An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination. (CVE-2013-2232, Moderate)

* Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space. (CVE-2013-2164, CVE-2013-2147, CVE-2013-2234, CVE-2013-2237, Low)

This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

This update fixes the following security issues :

  - A flaw was found in the way the Linux kernel's Stream     Control Transmission Protocol (SCTP) implementation     handled duplicate cookies. If a local user queried SCTP     connection information at the same time a remote     attacker has initialized a crafted SCTP connection to     the system, it could trigger a NULL pointer dereference,     causing the system to crash. (CVE-2013-2206, Important)

  - It was found that the fix for CVE-2012-3552 released via     SLSA-2012:1540 introduced an invalid free flaw in the     Linux kernel's TCP/IP protocol suite implementation. A     local, unprivileged user could use this flaw to corrupt     kernel memory via crafted sendmsg() calls, allowing them     to cause a denial of service or, potentially, escalate     their privileges on the system. (CVE-2013-2224,     Important)

  - An invalid pointer dereference flaw was found in the     Linux kernel's TCP/IP protocol suite implementation. A     local, unprivileged user could use this flaw to crash     the system or, potentially, escalate their privileges on     the system by using sendmsg() with an IPv6 socket     connected to an IPv4 destination. (CVE-2013-2232,     Moderate)

  - Information leak flaws in the Linux kernel could allow a     privileged, local user to leak kernel memory to     user-space. (CVE-2013-2164, CVE-2013-2147,     CVE-2013-2234, CVE-2013-2237, Low)

The system must be rebooted for this update to take effect.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies.
If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash. (CVE-2013-2206, Important)

* It was found that the fix for CVE-2012-3552 released via RHSA-2012:1540 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-2224, Important)

* An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination. (CVE-2013-2232, Moderate)

* Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space. (CVE-2013-2164, CVE-2013-2147, CVE-2013-2234, CVE-2013-2237, Low)

This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

ID	Name	Product	Family	Severity
89670	VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2013-0015) (remote check)	Nessus	Misc.	medium
78974	RHEL 6 : kernel (RHSA-2013:1450)	Nessus	Red Hat Local Security Checks	medium
71245	VMSA-2013-0015 : VMware ESX updates to third-party libraries	Nessus	VMware ESX Local Security Checks	medium
69503	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20130827)	Nessus	Scientific Linux Local Security Checks	medium
69496	CentOS 6 : kernel (CESA-2013:1173)	Nessus	CentOS Local Security Checks	medium
69493	RHEL 6 : kernel (RHSA-2013:1173)	Nessus	Red Hat Local Security Checks	medium
69492	Oracle Linux 6 : kernel (ELSA-2013-1173)	Nessus	Oracle Linux Local Security Checks	medium
69456	Oracle Linux 5 : kernel (ELSA-2013-1166)	Nessus	Oracle Linux Local Security Checks	medium
69455	Oracle Linux 5 : kernel (ELSA-2013-1166-1)	Nessus	Oracle Linux Local Security Checks	medium
69440	Scientific Linux Security Update : kernel on SL5.x i386/x86_64 (20130820)	Nessus	Scientific Linux Local Security Checks	medium
69434	CentOS 5 : kernel (CESA-2013:1166)	Nessus	CentOS Local Security Checks	medium
69413	RHEL 5 : kernel (RHSA-2013:1166)	Nessus	Red Hat Local Security Checks	medium

CVE-2013-2224

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium