Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2011-2038)

High Nessus Plugin ID 68426


The remote Oracle Linux host is missing one or more security updates.


Description of changes:

* CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.

Using the SG_IO IOCTL to issue SCSI requests to partitions or LVM volumes resulted in the requests being passed to the underlying block device. If a privileged user only had access to a single partition or LVM volume, they could use this flaw to bypass those restrictions and gain read and write access (and be able to issue other SCSI commands) to the entire block device.

In KVM (Kernel-based Virtual Machine) environments using raw format virtio disks backed by a partition or LVM volume, a privileged guest user could bypass intended restrictions and issue read and write requests (and other SCSI commands) on the host, and possibly access the data of other guests that reside on the same underlying block device. (CVE-2011-4127, Important)

* CVE-2011-1493: Insufficient validation in X.25 Rose parsing.

Dan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges.

* Additional fix for CVE-2011-1576: Denial of service with VLAN packets and GRO.

Oracle's previous fix for CVE-2011-1576 did not completely address the issue.

- [pci] intel-iommu: Default to non-coherent for domains unattached to iommus (Joe Jin)
- [dm] do not forward ioctls from logical volumes to the underlying device (Joe Jin) {CVE-2011-4127}
- [block] fail SCSI passthrough ioctls on partition devices (Joe Jin) {CVE-2011-4127}
- [block] add and use scsi_blk_cmd_ioctl (Joe Jin) {CVE-2011-4127}
- [net] gro: reset vlan_tci on reuse (Dan Carpenter) {CVE-2011-1576}
- [net] rose: Add length checks to CALL_REQUEST parsing (Ben Hutchings) {CVE-2011-1493}
- [net] rose_loopback_timer sets VC number <= ROSE_DEFAULT_MAXVC (Bernard Pidoux F6BVP) {CVE-2011-1493}


Update the affected unbreakable enterprise kernel packages.

See Also

Plugin Details

Severity: High

ID: 68426

File Name: oraclelinux_ELSA-2011-2038.nasl

Version: $Revision: 1.6 $

Type: local

Agent: unix

Published: 2013/07/12

Modified: 2015/12/01

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:kernel-uek, p-cpe:/a:oracle:linux:kernel-uek-debug, p-cpe:/a:oracle:linux:kernel-uek-debug-devel, p-cpe:/a:oracle:linux:kernel-uek-devel, p-cpe:/a:oracle:linux:kernel-uek-doc, p-cpe:/a:oracle:linux:kernel-uek-firmware, p-cpe:/a:oracle:linux:kernel-uek-headers, p-cpe:/a:oracle:linux:mlnx_en-2.6.32-300.4.1.el6uek, p-cpe:/a:oracle:linux:mlnx_en-2.6.32-300.4.1.el6uekdebug, p-cpe:/a:oracle:linux:ofa-2.6.32-300.4.1.el5uek, p-cpe:/a:oracle:linux:ofa-2.6.32-300.4.1.el5uekdebug, p-cpe:/a:oracle:linux:ofa-2.6.32-300.4.1.el6uek, p-cpe:/a:oracle:linux:ofa-2.6.32-300.4.1.el6uekdebug, cpe:/o:oracle:linux:5, cpe:/o:oracle:linux:6

Required KB Items: Host/local_checks_enabled, Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2011/12/27

Reference Information

CVE: CVE-2011-1493, CVE-2011-1576, CVE-2011-4127

BID: 46935, 48907, 51176