SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 4039 / 4042 / 4043)

High Nessus Plugin ID 52597

Synopsis

The remote SuSE 11 host is missing one or more security updates.

Description

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.29 and fixes various bugs and security issues.

- The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure. (CVE-2010-3875)

- net/packet/af_packet.c in the Linux kernel did not properly initialize certain structure members, which allowed local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures. (CVE-2010-3876)

- The get_name function in net/tipc/socket.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure. (CVE-2010-3877)

- The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux kernel did not properly validate the hmac_ids array of an SCTP peer, which allowed remote attackers to cause a denial of service (memory corruption and panic) via a crafted value in the last element of this array. (CVE-2010-3705)

- A stack memory information leak in the xfs FSGEOMETRY_V1 ioctl was fixed. (CVE-2011-0711)

- Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel might have allowed attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c. (CVE-2011-0712)

- The task_show_regs function in arch/s390/kernel/traps.c in the Linux kernel on the s390 platform allowed local users to obtain the values of the registers of an arbitrary process by reading a status file under /proc/.
(CVE-2011-0710)

- The xfs implementation in the Linux kernel did not look up inode allocation btrees before reading inode buffers, which allowed remote authenticated users to read unlinked files, or read or overwrite disk blocks that are currently assigned to an active file but were previously assigned to an unlinked file, by accessing a stale NFS filehandle. (CVE-2010-2943)

- The uart_get_count function in drivers/serial/serial_core.c in the Linux kernel did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. (CVE-2010-4075)

- The rs_ioctl function in drivers/char/amiserial.c in the Linux kernel did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. (CVE-2010-4076)

- The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in the Linux kernel did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. (CVE-2010-4077)

- fs/exec.c in the Linux kernel did not enable the OOM Killer to assess use of stack memory by arrays representing the (1) arguments and (2) environment, which allows local users to cause a denial of service (memory consumption) via a crafted exec system call, aka an OOM dodging issue, a related issue to CVE-2010-3858.
(CVE-2010-4243)

- The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel allowed local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device, related to an unaligned map. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4163. (CVE-2010-4668)

- Integer underflow in the irda_getsockopt function in net/irda/af_irda.c in the Linux kernel on platforms other than x86 allowed local users to obtain potentially sensitive information from kernel heap memory via an IRLMP_ENUMDEVICES getsockopt call. (CVE-2010-4529)

- The aun_incoming function in net/econet/af_econet.c in the Linux kernel, when Econet is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending an Acorn Universal Networking (AUN) packet over UDP. (CVE-2010-4342)

- The backend driver in Xen 3.x allowed guest OS users to cause a denial of service via a kernel thread leak, which prevented the device and guest OS from being shut down or create a zombie domain, causing a hang in zenwatch, or preventing unspecified xm commands from working properly, related to (1) netback, (2) blkback, or (3) blktap. (CVE-2010-3699)

- The install_special_mapping function in mm/mmap.c in the Linux kernel did not make an expected security_file_mmap function call, which allows local users to bypass intended mmap_min_addr restrictions and possibly conduct NULL pointer dereference attacks via a crafted assembly-language application. (CVE-2010-4346)

- Fixed a verify_ioctl overflow in 'cuse' in the fuse filesystem. The code should only be called by root users though. (CVE-2010-4650)

- Race condition in the sctp_icmp_proto_unreachable function in net/sctp/input.c in the Linux kernel allowed remote attackers to cause a denial of service (panic) via an ICMP unreachable message to a socket that is already locked by a user, which causes the socket to be freed and triggers list corruption, related to the sctp_wait_for_connect function. (CVE-2010-4526)

- The load_mixer_volumes function in sound/oss/soundcard.c in the OSS sound subsystem in the Linux kernel incorrectly expected that a certain name field ends with a '0' character, which allowed local users to conduct buffer overflow attacks and gain privileges, or possibly obtain sensitive information from kernel memory, via a SOUND_MIXER_SETLEVELS ioctl call. (CVE-2010-4527)

- Fixed a LSM bug in IMA (Integrity Measuring Architecture). IMA is not enabled in SUSE kernels, so we were not affected. (CVE-2011-0006)

Solution

Apply SAT patch number 4039 / 4042 / 4043 as appropriate.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=466279

https://bugzilla.novell.com/show_bug.cgi?id=552250

https://bugzilla.novell.com/show_bug.cgi?id=564423

https://bugzilla.novell.com/show_bug.cgi?id=602969

https://bugzilla.novell.com/show_bug.cgi?id=620929

https://bugzilla.novell.com/show_bug.cgi?id=622868

https://bugzilla.novell.com/show_bug.cgi?id=623393

https://bugzilla.novell.com/show_bug.cgi?id=625965

https://bugzilla.novell.com/show_bug.cgi?id=629170

https://bugzilla.novell.com/show_bug.cgi?id=630970

https://bugzilla.novell.com/show_bug.cgi?id=632317

https://bugzilla.novell.com/show_bug.cgi?id=633026

https://bugzilla.novell.com/show_bug.cgi?id=636435

https://bugzilla.novell.com/show_bug.cgi?id=638258

https://bugzilla.novell.com/show_bug.cgi?id=640850

https://bugzilla.novell.com/show_bug.cgi?id=642309

https://bugzilla.novell.com/show_bug.cgi?id=643266

https://bugzilla.novell.com/show_bug.cgi?id=643513

https://bugzilla.novell.com/show_bug.cgi?id=648647

https://bugzilla.novell.com/show_bug.cgi?id=648701

https://bugzilla.novell.com/show_bug.cgi?id=648916

https://bugzilla.novell.com/show_bug.cgi?id=649473

https://bugzilla.novell.com/show_bug.cgi?id=650067

https://bugzilla.novell.com/show_bug.cgi?id=650366

https://bugzilla.novell.com/show_bug.cgi?id=650748

https://bugzilla.novell.com/show_bug.cgi?id=651152

https://bugzilla.novell.com/show_bug.cgi?id=652391

https://bugzilla.novell.com/show_bug.cgi?id=655220

https://bugzilla.novell.com/show_bug.cgi?id=655278

https://bugzilla.novell.com/show_bug.cgi?id=655964

https://bugzilla.novell.com/show_bug.cgi?id=657248

https://bugzilla.novell.com/show_bug.cgi?id=657763

https://bugzilla.novell.com/show_bug.cgi?id=658037

https://bugzilla.novell.com/show_bug.cgi?id=658254

https://bugzilla.novell.com/show_bug.cgi?id=658337

https://bugzilla.novell.com/show_bug.cgi?id=658353

https://bugzilla.novell.com/show_bug.cgi?id=658461

https://bugzilla.novell.com/show_bug.cgi?id=658551

https://bugzilla.novell.com/show_bug.cgi?id=658720

https://bugzilla.novell.com/show_bug.cgi?id=659101

https://bugzilla.novell.com/show_bug.cgi?id=659394

https://bugzilla.novell.com/show_bug.cgi?id=659419

https://bugzilla.novell.com/show_bug.cgi?id=660546

https://bugzilla.novell.com/show_bug.cgi?id=661605

https://bugzilla.novell.com/show_bug.cgi?id=661945

https://bugzilla.novell.com/show_bug.cgi?id=662031

https://bugzilla.novell.com/show_bug.cgi?id=662192

https://bugzilla.novell.com/show_bug.cgi?id=662202

https://bugzilla.novell.com/show_bug.cgi?id=662212

https://bugzilla.novell.com/show_bug.cgi?id=662335

https://bugzilla.novell.com/show_bug.cgi?id=662340

https://bugzilla.novell.com/show_bug.cgi?id=662360

https://bugzilla.novell.com/show_bug.cgi?id=662673

https://bugzilla.novell.com/show_bug.cgi?id=662722

https://bugzilla.novell.com/show_bug.cgi?id=662800

https://bugzilla.novell.com/show_bug.cgi?id=662931

https://bugzilla.novell.com/show_bug.cgi?id=662945

https://bugzilla.novell.com/show_bug.cgi?id=663537

https://bugzilla.novell.com/show_bug.cgi?id=663582

https://bugzilla.novell.com/show_bug.cgi?id=663706

https://bugzilla.novell.com/show_bug.cgi?id=664149

https://bugzilla.novell.com/show_bug.cgi?id=664463

https://bugzilla.novell.com/show_bug.cgi?id=665480

https://bugzilla.novell.com/show_bug.cgi?id=665499

https://bugzilla.novell.com/show_bug.cgi?id=665524

https://bugzilla.novell.com/show_bug.cgi?id=665663

https://bugzilla.novell.com/show_bug.cgi?id=666012

https://bugzilla.novell.com/show_bug.cgi?id=666893

https://bugzilla.novell.com/show_bug.cgi?id=668545

https://bugzilla.novell.com/show_bug.cgi?id=668633

https://bugzilla.novell.com/show_bug.cgi?id=668929

https://bugzilla.novell.com/show_bug.cgi?id=670129

https://bugzilla.novell.com/show_bug.cgi?id=670577

https://bugzilla.novell.com/show_bug.cgi?id=670864

https://bugzilla.novell.com/show_bug.cgi?id=671256

https://bugzilla.novell.com/show_bug.cgi?id=671274

https://bugzilla.novell.com/show_bug.cgi?id=671483

https://bugzilla.novell.com/show_bug.cgi?id=672292

https://bugzilla.novell.com/show_bug.cgi?id=672492

https://bugzilla.novell.com/show_bug.cgi?id=672499

https://bugzilla.novell.com/show_bug.cgi?id=672524

https://bugzilla.novell.com/show_bug.cgi?id=674735

http://support.novell.com/security/cve/CVE-2010-2943.html

http://support.novell.com/security/cve/CVE-2010-3699.html

http://support.novell.com/security/cve/CVE-2010-3705.html

http://support.novell.com/security/cve/CVE-2010-3858.html

http://support.novell.com/security/cve/CVE-2010-3875.html

http://support.novell.com/security/cve/CVE-2010-3876.html

http://support.novell.com/security/cve/CVE-2010-3877.html

http://support.novell.com/security/cve/CVE-2010-4075.html

http://support.novell.com/security/cve/CVE-2010-4076.html

http://support.novell.com/security/cve/CVE-2010-4077.html

http://support.novell.com/security/cve/CVE-2010-4163.html

http://support.novell.com/security/cve/CVE-2010-4243.html

http://support.novell.com/security/cve/CVE-2010-4342.html

http://support.novell.com/security/cve/CVE-2010-4346.html

http://support.novell.com/security/cve/CVE-2010-4526.html

http://support.novell.com/security/cve/CVE-2010-4527.html

http://support.novell.com/security/cve/CVE-2010-4529.html

http://support.novell.com/security/cve/CVE-2010-4650.html

http://support.novell.com/security/cve/CVE-2010-4668.html

http://support.novell.com/security/cve/CVE-2011-0006.html

http://support.novell.com/security/cve/CVE-2011-0710.html

http://support.novell.com/security/cve/CVE-2011-0711.html

http://support.novell.com/security/cve/CVE-2011-0712.html

Plugin Details

Severity: High

ID: 52597

File Name: suse_11_kernel-110228.nasl

Version: Revision: 1.5

Type: local

Agent: unix

Published: 2011/03/09

Updated: 2016/05/02

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 8.3

Vector: CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:11:btrfs-kmp-default, p-cpe:/a:novell:suse_linux:11:btrfs-kmp-pae, p-cpe:/a:novell:suse_linux:11:btrfs-kmp-xen, p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-default, p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-pae, p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-xen, p-cpe:/a:novell:suse_linux:11:hyper-v-kmp-default, p-cpe:/a:novell:suse_linux:11:hyper-v-kmp-pae, p-cpe:/a:novell:suse_linux:11:kernel-default, p-cpe:/a:novell:suse_linux:11:kernel-default-base, p-cpe:/a:novell:suse_linux:11:kernel-default-devel, p-cpe:/a:novell:suse_linux:11:kernel-default-extra, p-cpe:/a:novell:suse_linux:11:kernel-default-man, p-cpe:/a:novell:suse_linux:11:kernel-desktop-devel, p-cpe:/a:novell:suse_linux:11:kernel-ec2, p-cpe:/a:novell:suse_linux:11:kernel-ec2-base, p-cpe:/a:novell:suse_linux:11:kernel-pae, p-cpe:/a:novell:suse_linux:11:kernel-pae-base, p-cpe:/a:novell:suse_linux:11:kernel-pae-devel, p-cpe:/a:novell:suse_linux:11:kernel-pae-extra, p-cpe:/a:novell:suse_linux:11:kernel-source, p-cpe:/a:novell:suse_linux:11:kernel-syms, p-cpe:/a:novell:suse_linux:11:kernel-trace, p-cpe:/a:novell:suse_linux:11:kernel-trace-base, p-cpe:/a:novell:suse_linux:11:kernel-trace-devel, p-cpe:/a:novell:suse_linux:11:kernel-xen, p-cpe:/a:novell:suse_linux:11:kernel-xen-base, p-cpe:/a:novell:suse_linux:11:kernel-xen-devel, p-cpe:/a:novell:suse_linux:11:kernel-xen-extra, cpe:/o:novell:suse_linux:11

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2011/02/28

Reference Information

CVE: CVE-2010-2943, CVE-2010-3699, CVE-2010-3705, CVE-2010-3858, CVE-2010-3875, CVE-2010-3876, CVE-2010-3877, CVE-2010-4075, CVE-2010-4076, CVE-2010-4077, CVE-2010-4163, CVE-2010-4243, CVE-2010-4342, CVE-2010-4346, CVE-2010-4526, CVE-2010-4527, CVE-2010-4529, CVE-2010-4650, CVE-2010-4668, CVE-2011-0006, CVE-2011-0710, CVE-2011-0711, CVE-2011-0712