The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - [x86_64] kernel vmsplice_to_pipe flaw (Alexander Viro)     [432252] (CVE-2008-0600)

The remote Oracle Linux 5 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2008-0129 advisory.

    [2.6.18-53.1.13.0.1.el5]

     - [NET] Add entropy support to e1000 and bnx2 (John Sobecki) [orabug      6045759]
     - [NET] Fix msi issue with kexec/kdump (Michael Chan) [orabug 6219364]
     - [MM] Fix alloc_pages_node() static `nid\' race made kernel crash (Joe      Jin) [orabug 6187457]
     - [splice] Fix bad unlock_page() in error case  (Jens Axboe) [orabug      6263574]
     - [dio] fix error-path crashes (Linus Torvalds) [orabug 6242289]
     - [MM] Fix leak in hugepages, regression for shared pagetables patch      (Adam Litke) [orabug 6732368]

     [2.6.18-53.1.13]
     - revert to 2.6.18-53.1.6.el5
     - [x86_64] kernel vmsplice_to_pipe flaw (Alexander Viro ) [432252]      {CVE-2008-0600}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

A flaw was found in vmsplice. An unprivileged local user could use this flaw to gain root privileges. (CVE-2008-0600)

There is a public available exploit for this issue.

The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors. NOTE: some of these details are obtained from third-party information. (CVE-2007-5500)

The tcp_sacktag_write_queue function in the Linux kernel 2.6.21 through 2.6.23.7 allowed remote attackers to cause a denial of service (crash) via crafted ACK responses that trigger a NULL pointer dereference (CVE-2007-5501).

The do_corefump function in fs/exec.c in the Linux kernel prior to 2.6.24-rc3 did not change the UID of a core dump file if it exists before a root process creates a core dump in the same location, which could possibly allow local users to obtain sensitive information (CVE-2007-6206).

VFS in the Linux kernel before 2.6.22.16 performed tests of access mode by using the flag variable instead of the acc_mode variable, which could possibly allow local users to bypass intended permissions and remove directories (CVE-2008-0001).

The Linux kernel prior to 2.6.22.17, when using certain drivers that register a fault handler that does not perform range checks, allowed local users to access kernel memory via an out-of-range offset (CVE-2008-0007).

A flaw in the vmsplice system call did not properly verify address arguments passed by user-space processes, which allowed local attackers to overwrite arbitrary kernel memory and gain root privileges (CVE-2008-0600).

Mandriva urges all users to upgrade to these new kernels immediately as the CVE-2008-0600 flaw is being actively exploited. This issue only affects 2.6.17 and newer Linux kernels, so neither Corporate 3.0 nor Corporate 4.0 are affected.

Additionally, this kernel updates the version from 2.6.22.12 to 2.6.22.18 and fixes numerous other bugs, including :

  - fix freeze when ejecting a cm40x0 PCMCIA card

    - fix crash on unloading netrom

    - fixes alsa-related sound issues on Dell XPS M1210 and       M1330 models

    - the HZ value was increased on the laptop kernel to       increase interactivity and reduce latency

  - netfilter ipset, psd, and ifwlog support was re-enabled

    - unionfs was reverted to a working 1.4 branch that is       less buggy

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

A flaw in the vmsplice system call did not properly verify address arguments passed by user-space processes, which allowed local attackers to overwrite arbitrary kernel memory and gain root privileges.

Mandriva urges all users to upgrade to these new kernels immediately as this flaw is being actively exploited. This issue only affects 2.6.17 and newer Linux kernels, so neither Corporate 3.0 nor Corporate 4.0 are affected.

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

This kernel update fixes the following security problems:
CVE-2008-2136: A problem in SIT IPv6 tunnel handling could be used by remote attackers to immediately crash the machine.

CVE-2008-1615: On x86_64 a denial of service attack could be used by local attackers to immediately panic / crash the machine.

CVE-2008-2148: The permission checking in sys_utimensat was incorrect and local attackers could change the filetimes of files they do not own to the current time.

CVE-2008-1669: Fixed a SMP ordering problem in fcntl_setlk could potentially allow local attackers to execute code by timing file locking.

CVE-2008-1375: Fixed a dnotify race condition, which could be used by local attackers to potentially execute code.

CVE-2007-6282: A remote attacker could crash the IPSec/IPv6 stack by sending a bad ESP packet. This requires the host to be able to receive such packets (default filtered by the firewall).

CVE-2008-1367: Clear the 'direction' flag before calling signal handlers. For specific not yet identified programs under specific timing conditions this could potentially have caused memory corruption or code execution.

And the following bugs (numbers are https://bugzilla.novell.com/ references) :

  - patches.fixes/input-add-amilo-pro-v-to-nomux.patch:
    Update the patch to include also 2030 model to nomux     list (bnc#389169).

  - patches.apparmor/fix-net.diff: AppArmor: fix Oops in     apparmor_socket_getpeersec_dgram() (bnc#378608).

  - patches.fixes/input-alps-update.patch: Input: fix the     AlpsPS2 driver (bnc#357881).

- patches.arch/cpufreq_fix_acpi_driver_on_BIOS_changes.patch: CPUFREQ:
Check against freq changes from the BIOS (334378).

- patches.fixes/ieee1394-limit-early-node-speed-to-host-interf ace-speed: ieee1394: limit early node speed to host interface speed (381304).

  - patches.fixes/forcedeth_realtec_phy_fix: Fix a     regression to the GA kernel for some forcedeth cards     (bnc#379478)

  - pci-revert-SMBus-unhide-on-nx6110.patch: Do not unhide     the SMBus on the HP Compaq nx6110, it's unsafe.

  - patches.drivers/e1000-disable-l1aspm.patch: Disable L1     ASPM power savings for 82573 mobile variants, it's     broken (bnc#254713, LTC34077).

  - patches.drivers/libata-improve-hpa-error-handling:
    libata: improve HPA error handling (365534).

  - rpm/kernel-binary.spec.in: Added Conflicts:
    libc.so.6()(64bit) to i386 arch (364433).

- patches.drivers/libata-disallow-sysfs-read-access-to-force-p aram:
libata: don't allow sysfs read access to force param (362599).

  - patches.suse/bonding-workqueue: Update to fix a hang     when closing a bonding device (342994).

  - patches.fixes/mptspi-dv-renegotiate-oops: mptlinux     crashes on kernel 2.6.22 (bnc#271749).

- patches.drivers/usb-update-sierra-and-option-device-ids-from

  -2.6.25-rc3.patch: USB: update sierra and option device   ids from 2.6.25-rc3 (343167).

  - patches.arch/x86-nvidia-timer-quirk: Disable again     (#302327) The PCI ID lists are not complete enough and     let's have the same crap as mainline for this for now.

  - patches.fixes/input-add-lenovo-3000-n100-to-nomux.patch:
    Input: add Lenovo 3000 N100 to nomux blacklist     (bnc#284013).

  - patches.suse/bonding-bh-locking: Add missing chunks. The     SLES10 SP1 version of the patch was updated in May 2007     but the openSuse 10.3 version was forgotten (260069).

- patches.fixes/knfsd-Allow-NFSv2-3-WRITE-calls-to-succeed-whe n-krb.patch: knfsd: Allow NFSv2/3 WRITE calls to succeed when krb5i etc is used. (348737).

- patches.fixes/md-fix-an-occasional-deadlock-in-raid5.patch: md: fix an occasional deadlock in raid5 (357088).

  - patches.drivers/libata-quirk_amd_ide_mode: PCI: modify     SATA IDE mode quirk (345124).

  - Fix section mismatch build failure w/ gcc 4.1.2. bug     #361086.

  - patches.drivers/libata-implement-force-parameter:
    libata: implement libata.force module parameter     (337610).

Lots of XEN Fixes (not detailed listed). Lots of RT Fixes (not detailed listed).

  - Update to 2.6.22.18

  - removes upstreamed patch :

  - patches.fixes/vmsplice-pipe-exploit (CVE-2008-0600)

Wojciech Purczynski discovered that the vmsplice system call did not properly perform verification of user-memory pointers. A local attacker could exploit this to overwrite arbitrary kernel memory and gain root privileges. (CVE-2008-0600).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This kernel update fixes the following security problems :

  - CVE-2008-0600: A local privilege escalation was found in     the vmsplice_pipe system call, which could be used by     local attackers to gain root access.

  - CVE-2007-6151: The isdn_ioctl function in isdn_common.c     allowed local users to cause a denial of service via a     crafted ioctl struct in which iocts is not null     terminated, which triggers a buffer overflow.

This kernel update fixes the following security problems :

  - CVE-2008-0600: A local privilege escalation was found in     the vmsplice_pipe system call, which could be used by     local attackers to gain root access.

  - CVE-2007-6206: Core dumps from root might be accessible     to the wrong owner.

And the following bugs (numbers are https://bugzilla.novell.com/ references) :

  - Update to minor kernel version 2.6.22.17

  - networking bugfixes

  - contains the following patches which were removed :

  - patches.arch/acpica-psd.patch

  - patches.fixes/invalid-semicolon

  - patches.fixes/nopage-range-fix.patch

  - patches.arch/acpi_thermal_blacklist_add_r50p.patch:
    Avoid critical temp shutdowns on specific Thinkpad R50p     (https://bugzilla.novell.com/show_bug.cgi?id=333043).

  - Update config files. CONFIG_USB_DEBUG in debug kernel

  - patches.rt/megasas_IRQF_NODELAY.patch: Convert megaraid     sas IRQ to non-threaded IRQ (337489).

  - patches.drivers/libata-implement-force-parameter added     to series.conf.

  - patches.xen/xen3-fixup-arch-i386: xen3 i386 build fixes.

  - patches.xen/xenfb-module-param: Re: Patching Xen virtual     framebuffer.

Updated kernel packages that fix a security issue are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

A flaw was found in vmsplice. An unprivileged local user could use this flaw to gain root privileges. (CVE-2008-0600)

Red Hat is aware that a public exploit for this issue is available.
This issue did not affect the Linux kernels distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.

CVE-2008-0600 fix (bug #432517)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to Linux kernel 2.6.23.15:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23.15 Fix vmsplice local root vulnerability: CVE-2008-0009: Fixed by update to 2.6.23.15. CVE-2008-0010: Fixed by update to 2.6.23.15. CVE-2008-0600:
Extra fix from upstream applied. Fix memory leak in netlabel code.
Work around broken Seagate LBA48 disks. (#429364) Fix futex oops on uniprocessor machine. (#429412) Add support for new Macbook touchpads.
(#426574) Fix the initio driver broken in 2.6.23. (#390531) Fix segfaults from using vdso=2. (#427641) FireWire updates, fixing multiple problems. (#429598) ACPI: fix multiple problems with brightness controls (#427518) Fix Megahertz PCMCIA Ethernet adapter (#233255) Fix oops in netfilter. (#430663) ACPI: fix early init of EC (#426480) ALSA: fix audio on some systems with STAC codec (#431360) Atheros L2 fast Ethernet driver (atl2) for ASUS Eeepc. ASUS Eeepc ACPI hotkey driver. Wireless driver updates from upstream.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to Linux kernel 2.6.23.15:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23.15 Fix vmsplice local root vulnerability: CVE-2008-0009: Fixed by update to 2.6.23.15. CVE-2008-0010: Fixed by update to 2.6.23.15. CVE-2008-0600:
Extra fix from upstream applied. Fix memory leak in netlabel code (#352281) Autoload the Dell dcdbas driver like in F8 (#326041) Work around broken Seagate LBA48 disks. (F8#429364) Fix futex oops on uniprocessor machine. (F8#429412) Add support for new Macbook touchpads. (F8#426574) Fix the initio driver broken in 2.6.23.
(F8#390531) Fix segfaults from using vdso=2. (F8#427641) FireWire updates, fixing multiple problems. ACPI: fix multiple problems with brightness controls (F8#427518) Wireless driver updates from upstream.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The vmsplice system call did not properly verify address arguments passed by user space processes, which allowed local attackers to overwrite arbitrary kernel memory, gaining root privileges (CVE-2008-0010, CVE-2008-0600 ).

In the vserver-enabled kernels, a missing access check on certain symlinks in /proc enabled local attackers to access resources in other vservers (CVE-2008-0163 ).

New kernel packages are available for Slackware 12.0, and -current to fix a local root exploit.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2008-0129.

ID	Name	Product	Family	Severity
79445	OracleVM 2.1 : kernel (OVMSA-2008-2002)	Nessus	OracleVM Local Security Checks	high
67651	Oracle Linux 5 : Important: / kernel (ELSA-2008-0129)	Nessus	Oracle Linux Local Security Checks	high
60358	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
36924	Mandriva Linux Security Advisory : kernel (MDVSA-2008:044)	Nessus	Mandriva Local Security Checks	high
36383	Mandriva Linux Security Advisory : kernel (MDVSA-2008:043)	Nessus	Mandriva Local Security Checks	high
33253	openSUSE 10 Security Update : kernel (kernel-5339)	Nessus	SuSE Local Security Checks	high
31092	Ubuntu 6.10 / 7.04 / 7.10 : linux-source-2.6.17/20/22 vulnerability (USN-577-1)	Nessus	Ubuntu Local Security Checks	high
31090	openSUSE 10 Security Update : kernel (kernel-4987)	Nessus	SuSE Local Security Checks	high
31089	openSUSE 10 Security Update : kernel (kernel-4986)	Nessus	SuSE Local Security Checks	high
31086	RHEL 5 : kernel (RHSA-2008:0129)	Nessus	Red Hat Local Security Checks	high
31078	Fedora 7 : kernel-xen-2.6-2.6.21-7.fc7 (2008-1629)	Nessus	Fedora Local Security Checks	high
31059	Fedora 8 : kernel-xen-2.6-2.6.21-2957.fc8 (2008-1433)	Nessus	Fedora Local Security Checks	high
31054	CentOS 5 : kernel (CESA-2008:0129)	Nessus	CentOS Local Security Checks	high
31030	Fedora 8 : kernel-2.6.23.15-137.fc8 (2008-1423)	Nessus	Fedora Local Security Checks	high
31029	Fedora 7 : kernel-2.6.23.15-80.fc7 (2008-1422)	Nessus	Fedora Local Security Checks	high
31028	Debian DSA-1494-2 : linux-2.6 - missing access checks	Nessus	Debian Local Security Checks	high
31027	Slackware 12.0 / current : kernel exploit fix (SSA:2008-042-01)	Nessus	Slackware Local Security Checks	high
801446	CentOS RHSA-2008-0129 Security Check	Log Correlation Engine	Generic	high

Detections

Analytics

CVE-2008-0600

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high