Mandrake Linux Security Advisory : kernel (MDKSA-2005:022)

This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.


Synopsis :

The remote Mandrake Linux host is missing one or more security
updates.

Description :

A number of vulnerabilities are fixed in the 2.4 and 2.6 kernels with
this advisory :

- Multiple race conditions in the terminal layer of 2.4
and 2.6 kernels (prior to 2.6.9) can allow a local
attacker to obtain portions of kernel data or allow
remote attackers to cause a kernel panic by switching
from console to PPP line discipline, then quickly
sending data that is received during the switch
(CVE-2004-0814)

- Richard Hart found an integer underflow problem in the
iptables firewall logging rules that can allow a remote
attacker to crash the machine by using a specially
crafted IP packet. This is only possible, however, if
firewalling is enabled. The problem only affects 2.6
kernels and was fixed upstream in 2.6.8 (CVE-2004-0816)

- Stefan Esser found several remote DoS conditions in the
smbfs file system. This could be exploited by a hostile
SMB server (or an attacker injecting packets into the
network) to crash the client systems (CVE-2004-0883 and
CVE-2004-0949)

- Paul Starzetz and Georgi Guninski reported,
independently, that bad argument handling and bad
integer arithmetic in the IPv4 sendmsg handling of
control messages could lead to a local attacker crashing
the machine. The fixes were done by Herbert Xu
(CVE-2004-1016)

- Rob Landley discovered a race condition in the handling
of /proc/.../cmdline where, under rare circumstances, a
user could read the environment variables of another
process that was still spawning, leading to the potential
disclosure of sensitive information such as passwords
(CVE-2004-1058)

- Paul Starzetz reported that the missing serialization in
unix_dgram_recvmsg(), which was added in kernel 2.4.28,
can be used by a local attacker to gain elevated (root)
privileges (CVE-2004-1068)

- Ross Kendall Axe discovered a possible kernel panic
(DoS) while sending AF_UNIX network packets if certain
SELinux-related kernel options were enabled. By default
the CONFIG_SECURITY_NETWORK and CONFIG_SECURITY_SELINUX
options are not enabled (CVE-2004-1069)

- Paul Starzetz of isec.pl discovered several issues with
the error handling of the ELF loader routines in the
kernel. The fixes were provided by Chris Wright
(CVE-2004-1070, CVE-2004-1071, CVE-2004-1072,
CVE-2004-1073)

- It was discovered that hand-crafted a.out binaries could
be used to trigger a local DoS condition in both the 2.4
and 2.6 kernels. The fixes were done by Chris Wright
(CVE-2004-1074)

- Paul Starzetz found bad handling in the IGMP code which
could lead to a local attacker being able to crash the
machine. The fix was done by Chris Wright
(CVE-2004-1137)

- Jeremy Fitzhardinge discovered two buffer overflows in
the sys32_ni_syscall() and sys32_vm86_warning()
functions that could be used to overwrite kernel memory
with attacker-supplied code resulting in privilege
escalation (CVE-2004-1151)

- Paul Starzetz found locally exploitable flaws in the
binary format loader's uselib() function that could be
abused to allow a local user to obtain root privileges
(CVE-2004-1235)

- Paul Starzetz found an exploitable flaw in the page
fault handler when running on SMP machines
(CVE-2005-0001)

- A vulnerability in insert_vm_struct could allow a local
user to trigger BUG() when the user created a large vma
that overlapped with arg pages during exec
(CVE-2005-0003)

- Paul Starzetz also found a number of vulnerabilities in
the kernel binfmt_elf loader that could allow a local
user to obtain elevated (root) privileges
(isec-0017-binfmt_elf)

The provided packages are patched to fix these vulnerabilities. All
users are encouraged to upgrade to these updated kernels.

To update your kernel, please follow the directions located at :

http://www.mandrakesoft.com/security/kernelupdate

PLEASE NOTE: Mandrakelinux 10.0 users will need to upgrade to the
latest module-init-tools package prior to upgrading their kernel.
Likewise, MNF8.2 users will need to upgrade to the latest modutils
package prior to upgrading their kernel.

See also :

http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
http://www.isec.pl/vulnerabilities/isec-0022-pagefault.txt
http://www.ussg.iu.edu/hypermail/linux/kernel/0411.1/1222.html

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public Exploit Available : true
