Oracle Linux 5 : Oracle / Linux / 5.6 / kernel (ELSA-2011-0017)

medium Nessus Plugin ID 181032

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2011-0017 advisory.

- The cxgb_extension_ioctl function in drivers/net/cxgb3/cxgb3_main.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a CHELSIO_GET_QSET_NUM ioctl call. (CVE-2010-3296)

- The get_name function in net/tipc/socket.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure. (CVE-2010-3877)

- The copy_shmid_to_user function in ipc/shm.c in the Linux kernel before 2.6.37-rc1 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the old shm interface. (CVE-2010-4072)

- The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not initialize certain structures, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c. (CVE-2010-4073)

- The uart_get_count function in drivers/serial/serial_core.c in the Linux kernel before 2.6.37-rc1 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. (CVE-2010-4075)

- The snd_hdsp_hwdep_ioctl function in sound/pci/rme9652/hdsp.c in the Linux kernel before 2.6.36-rc6 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl call. (CVE-2010-4080)

- The snd_hdspm_hwdep_ioctl function in sound/pci/rme9652/hdspm.c in the Linux kernel before 2.6.36-rc6 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl call. (CVE-2010-4081)

- The sk_run_filter function in net/core/filter.c in the Linux kernel before 2.6.36.2 does not check whether a certain memory location has been initialized before executing a (1) BPF_S_LD_MEM or (2) BPF_S_LDX_MEM instruction, which allows local users to obtain potentially sensitive information from kernel stack memory via a crafted socket filter. (CVE-2010-4158)

- The vbd_create function in Xen 3.1.2, when the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 is used, allows guest OS users to cause a denial of service (host OS panic) via an attempted access to a virtual CD-ROM device through the blkback driver. NOTE: some of these details are obtained from third party information. (CVE-2010-4238)

- fs/exec.c in the Linux kernel before 2.6.37 does not enable the OOM Killer to assess use of stack memory by arrays representing the (1) arguments and (2) environment, which allows local users to cause a denial of service (memory consumption) via a crafted exec system call, aka an OOM dodging issue, a related issue to CVE-2010-3858. (CVE-2010-4243)

- The fixup_page_fault function in arch/x86/traps.c in Xen 4.0.1 and earlier on 64-bit platforms, when paravirtualization is enabled, does not verify that kernel mode is used to call the handle_gdt_ldt_mapping_fault function, which allows guest OS users to cause a denial of service (host OS BUG_ON) via a crafted memory access. (CVE-2010-4255)

- The igb_receive_skb function in drivers/net/igb/igb_main.c in the Intel Gigabit Ethernet (aka igb) subsystem in the Linux kernel before 2.6.34, when Single Root I/O Virtualization (SR-IOV) and promiscuous mode are enabled but no VLANs are registered, allows remote attackers to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via a VLAN tagged frame.
(CVE-2010-4263)

- drivers/scsi/bfa/bfa_core.c in the Linux kernel before 2.6.35 does not initialize a certain port data structure, which allows local users to cause a denial of service (system crash) via read operations on an fc_host statistics file. (CVE-2010-4343)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2011-0017.html

Plugin Details

Severity: Medium

ID: 181032

File Name: oraclelinux_ELSA-2011-0017.nasl

Version: 1.0

Type: local

Agent: unix

Published: 9/7/2023

Updated: 9/7/2023

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

CVSS v2

Risk Factor: High

Base Score: 7.9

Temporal Score: 6.2

Vector: CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2010-4263

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2010-4343

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:kernel-debug, p-cpe:/a:oracle:linux:kernel-xen-devel, p-cpe:/a:oracle:linux:ocfs2-2.6.18-238.el5, p-cpe:/a:oracle:linux:kernel, p-cpe:/a:oracle:linux:kernel-devel, cpe:/o:oracle:linux:5, p-cpe:/a:oracle:linux:ocfs2-2.6.18-238.el5xen, p-cpe:/a:oracle:linux:oracleasm-2.6.18-238.el5xen, p-cpe:/a:oracle:linux:kernel-pae, p-cpe:/a:oracle:linux:kernel-debug-devel, p-cpe:/a:oracle:linux:oracleasm-2.6.18-238.el5, p-cpe:/a:oracle:linux:kernel-headers, p-cpe:/a:oracle:linux:ocfs2-2.6.18-238.el5pae, p-cpe:/a:oracle:linux:ocfs2-2.6.18-238.el5debug, p-cpe:/a:oracle:linux:oracleasm-2.6.18-238.el5debug, p-cpe:/a:oracle:linux:kernel-pae-devel, p-cpe:/a:oracle:linux:oracleasm-2.6.18-238.el5pae, p-cpe:/a:oracle:linux:kernel-xen

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/OracleLinux

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/20/2011

Vulnerability Publication Date: 5/21/2010

Reference Information

CVE: CVE-2010-3296, CVE-2010-3877, CVE-2010-4072, CVE-2010-4073, CVE-2010-4075, CVE-2010-4080, CVE-2010-4081, CVE-2010-4158, CVE-2010-4238, CVE-2010-4243, CVE-2010-4255, CVE-2010-4263, CVE-2010-4343