RHEL 6 : MRG (RHSA-2012:0670)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated kernel-rt packages that fix two security issues and various
bugs are now available for Red Hat Enterprise MRG 2.1.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.

This update fixes the following security issues :

* When a set user ID (setuid) application is executed, certain
personality flags for controlling the application's behavior are
cleared (that is, a privileged application will not be affected by
those flags). It was found that those flags were not cleared if the
application was made privileged via file system capabilities. A local,
unprivileged user could use this flaw to change the behavior of such
applications, allowing them to bypass intended restrictions. Note that
for default installations, no application shipped by Red Hat for Red
Hat Enterprise MRG is made privileged via file system capabilities.
(CVE-2012-2123, Important)

* A flaw was found in the way the Linux kernel's
journal_unmap_buffer() function handled buffer head states. On systems
that have an ext4 file system with a journal mounted, a local,
unprivileged user could use this flaw to cause a denial of service.
(CVE-2011-4086, Moderate)
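The CVE-2012-2123 item above turns on programs that are privileged through file-system capabilities rather than a setuid bit, and the advisory notes that no package Red Hat ships for MRG is set up that way. A defender therefore wants an inventory of any such binaries on the host, since each one is locally added and is exactly the kind of program whose personality flags the unfixed kernel failed to clear. The following script is an added example, not code from the Nessus plugin or from Red Hat: it parses `getcap -r` output (both the older `path = caps` layout and the newer `path caps` layout), records which capability sets are effective, and can run `getcap` on the live host when libcap tools are installed. The sample output embedded in it is constructed; the paths and capability sets in it are illustrative.

```python
"""Inventory binaries that carry file-system capabilities (added example).

Not part of the Tenable plugin or the Red Hat erratum. Any binary listed here
was made privileged via fscaps rather than setuid, the case CVE-2012-2123
concerned, so it is worth reviewing before and after the kernel-rt update.
"""
import re
import shutil
import subprocess

# One getcap line: an absolute path, then either " = caps" (older libcap)
# or " caps" (newer libcap). Warning/error lines do not start with "/".
_GETCAP_LINE = re.compile(r"^(?P<path>/\S*)\s+(?:=\s+)?(?P<caps>\S+)$")

# Constructed sample output, mixing both layouts plus a getcap warning line.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/sbin/arping cap_net_raw+ep
/opt/vendor/agent = cap_sys_admin,cap_dac_override+ep
/usr/local/bin/tool = cap_chown+i
Failed to get capabilities of file '/proc/1/exe' (Operation not permitted)
"""


def parse_caps(text):
    """Split libcap text such as 'cap_net_raw,cap_net_admin+ep' into
    (capability names, flag letters). An empty name list means 'all'
    (libcap prints that as '=ep')."""
    m = re.match(r"^(?P<names>[^+=]*)[+=](?P<flags>[eip]*)$", text)
    if not m:
        return [], ""
    names = [n for n in m.group("names").split(",") if n]
    return names, m.group("flags")


def parse_getcap(output):
    """Turn getcap output into a list of dicts; non-matching lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = _GETCAP_LINE.match(line.strip())
        if not m:
            continue  # warnings, errors, blank lines
        names, flags = parse_caps(m.group("caps"))
        entries.append({
            "path": m.group("path"),
            "caps": names or ["all"],
            "flags": flags,
            # 'e' in the flag set means the capability is effective at exec
            "effective": "e" in flags,
        })
    return entries


def effective_binaries(entries):
    """Paths whose capabilities take effect when the program runs."""
    return [e["path"] for e in entries if e["effective"]]


def inventory_host(root="/"):
    """Run getcap -r on this host; returns None if libcap tools are absent.
    A full filesystem walk can be slow; pass a narrower root when appropriate."""
    if shutil.which("getcap") is None:
        return None
    proc = subprocess.run(["getcap", "-r", root], capture_output=True, text=True)
    return parse_getcap(proc.stdout)


if __name__ == "__main__":
    entries = inventory_host()
    if entries is None:
        print("getcap not installed; showing the constructed sample instead")
        entries = parse_getcap(SAMPLE_GETCAP)
    for e in entries:
        state = "effective" if e["effective"] else "inheritable/permitted only"
        print(f"{e['path']}: {','.join(e['caps'])} ({state})")
```

Run it as root on the patched and unpatched hosts and compare the lists; an empty effective list on a default MRG installation is the expected result the advisory describes.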

This update also fixes the following bugs :

* The CAP_SYS_ADMIN check was missing from the dmesg_restrict feature.
Consequently, an unprivileged and jailed root user could bypass the
dmesg_restrict protection. This update adds the CAP_SYS_ADMIN check to
both dmesg_restrict and kptr_restrict, so that writing to dmesg_restrict
is only allowed when root holds CAP_SYS_ADMIN. (BZ#808271)

* Previously, the _copy_from_pages() function, which is used to copy
data from the temporary buffer to the user-passed buffer, was passed
the wrong size parameter when copying data. Consequently, if the user
provided a buffer greater than PAGE_SIZE, the getxattr() syscalls were
handled incorrectly. This update fixes _copy_from_pages() to use the
ACL length, which uses a correctly-sized buffer. (BZ#753230)

* Some older versions of hardware or their software could not
recognize certain commands and would log messages for illegal or
unsupported errors the driver could not properly handle. This bug has
been fixed and no bogus error messages are now returned in the
described scenario. (BZ#813892)

* Previously, the qla2x00_poll() function called local_irq_save()
before calling qla24xx_intr_handler(), which takes a spinlock.
Since spinlocks are sleeping locks in the real-time kernel, they must
not be taken with interrupts disabled. This scenario produced
error messages and could cause a system deadlock. With this update,
the local_irq_save_nort(flags) function is used to save flags without
disabling interrupts, which prevents potential deadlocks and removes
the error messages. (BZ#818220)
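The BZ#808271 item above is about who may write to kernel.dmesg_restrict: after the fix, root must actually hold CAP_SYS_ADMIN, which a jailed or containerised root often does not. The script below is an added example, not code from the Nessus plugin or from Red Hat. It reports whether kernel.dmesg_restrict and kernel.kptr_restrict hold restrictive values (read from /proc/sys when available, or parsed from `sysctl -a` style text) and decodes the CapEff mask from /proc/self/status to show whether the current process holds CAP_SYS_ADMIN (capability bit 21). The sysctl listing and CapEff values embedded in it are constructed samples; the "expected" value sets are this example's own hardening choice, not something the advisory specifies.

```python
"""Audit dmesg_restrict/kptr_restrict and the caller's CAP_SYS_ADMIN (added example).

Not part of the Tenable plugin or the Red Hat erratum. Useful when a write to
kernel.dmesg_restrict is refused inside a jail: the sysctl check says whether
the value is already restrictive, and the CapEff decode says whether this
process is even allowed to change it after the BZ#808271 fix.
"""
import re

CAP_SYS_ADMIN = 21  # bit number from linux/capability.h

# Values this example treats as hardened (an assumption of the example):
# dmesg_restrict 1 hides the kernel log from unprivileged users,
# kptr_restrict 1 or 2 hides kernel pointers in /proc output.
EXPECTED = {
    "kernel.dmesg_restrict": {1},
    "kernel.kptr_restrict": {1, 2},
}

# Constructed sample in the 'key = value' form that sysctl -a prints.
SAMPLE_SYSCTL = """\
kernel.dmesg_restrict = 0
kernel.kptr_restrict = 1
kernel.randomize_va_space = 2
"""


def parse_sysctl_output(text):
    """Parse 'key = value' lines into a dict of ints; other lines are ignored."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.]+)\s*=\s*(-?\d+)\s*$", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def read_live_sysctls():
    """Read the audited sysctls from /proc/sys. A missing file means an older
    kernel without the feature, or a jail that masks /proc."""
    values = {}
    for key in EXPECTED:
        path = "/proc/sys/" + key.replace(".", "/")
        try:
            with open(path) as f:
                values[key] = int(f.read().strip())
        except (OSError, ValueError):
            pass
    return values


def evaluate(values):
    """Return (key, status, value) triples; status is ok, weak or missing."""
    findings = []
    for key, ok in EXPECTED.items():
        if key not in values:
            findings.append((key, "missing", None))
        elif values[key] in ok:
            findings.append((key, "ok", values[key]))
        else:
            findings.append((key, "weak", values[key]))
    return findings


def has_cap_sys_admin(capeff_hex):
    """True if CAP_SYS_ADMIN is set in a CapEff mask (hex string from /proc/<pid>/status)."""
    return bool((int(capeff_hex, 16) >> CAP_SYS_ADMIN) & 1)


def current_process_capeff():
    """The CapEff field of this process, or '0' if /proc/self/status is unreadable."""
    try:
        with open("/proc/self/status") as f:
            for line in f:
                if line.startswith("CapEff:"):
                    return line.split()[1]
    except OSError:
        pass
    return "0"


if __name__ == "__main__":
    live = read_live_sysctls()
    for key, status, value in evaluate(live or parse_sysctl_output(SAMPLE_SYSCTL)):
        print(f"{key}: {status} (value={value})")
    capeff = current_process_capeff()
    print(f"CapEff={capeff}, CAP_SYS_ADMIN held: {has_cap_sys_admin(capeff)}")
```

A "weak" dmesg_restrict finding together with "CAP_SYS_ADMIN held: False" is the situation the fixed kernel now enforces: the value can only be raised from a context that holds the capability, not from a confined root.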

Users should upgrade to these updated packages, which correct these
issues. The system must be rebooted for this update to take effect.

See also :

https://www.redhat.com/security/data/cve/CVE-2011-4086.html
https://www.redhat.com/security/data/cve/CVE-2012-2123.html
http://rhn.redhat.com/errata/RHSA-2012-0670.html

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Red Hat Local Security Checks

Nessus Plugin ID: 76644

Bugtraq ID: 51945, 53166

CVE ID: CVE-2011-4086, CVE-2012-2123
