Debian DSA-1655-1 : linux-2.6.24 - denial of service/information leak/privilege escalation

high Nessus Plugin ID 34444
New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 5.9

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, privilege escalation or a leak of sensitive data. The Common Vulnerabilities and Exposures project identifies the following problems :

- CVE-2008-1514 Jan Kratochvil reported a local denial of service vulnerability in the ptrace interface for the s390 architecture. Local users can trigger an invalid pointer dereference, leading to a system panic.

- CVE-2008-3525 Eugene Teo reported a lack of capability checks in the kernel driver for Granch SBNI12 leased line adapters (sbni), allowing local users to perform privileged operations.

- CVE-2008-3831 Olaf Kirch discovered an issue with the i915 driver that may allow local users to cause memory corruption by use of an ioctl with insufficient privilege restrictions.

- CVE-2008-4113/ CVE-2008-4445 Eugene Teo discovered two issues in the SCTP subsystem which allow local users to obtain access to sensitive memory when the SCTP-AUTH extension is enabled.

Solution

Upgrade the linux-2.6.24 packages.

For the stable distribution (etch), these problems have been fixed in version 2.6.24-6~etchnhalf.6.

See Also

https://security-tracker.debian.org/tracker/CVE-2008-1514

https://security-tracker.debian.org/tracker/CVE-2008-3525

https://security-tracker.debian.org/tracker/CVE-2008-3831

https://security-tracker.debian.org/tracker/CVE-2008-4113

https://security-tracker.debian.org/tracker/CVE-2008-4445

https://www.debian.org/security/2008/dsa-1655

Plugin Details

Severity: High

ID: 34444

File Name: debian_DSA-1655.nasl

Version: 1.17

Type: local

Agent: unix

Published: 10/20/2008

Updated: 1/4/2021

Dependencies: ssh_get_info.nasl

Risk Information

Risk Factor: High

VPR Score: 5.9

CVSS v2.0

Base Score: 7.2

Temporal Score: 5.6

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:POC/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:linux-2.6.24, cpe:/o:debian:debian_linux:4.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/16/2008

Reference Information

CVE: CVE-2008-1514, CVE-2008-3525, CVE-2008-3831, CVE-2008-4113, CVE-2008-4445

BID: 31177

DSA: 1655

CWE: 200, 264, 399