Race condition in the IP implementation in the Linux kernel before 3.0 might allow remote attackers to cause a denial of service (slab corruption and system crash) by sending packets to an application that sets socket options during the handling of network traffic.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party libraries :

  - Kernel
  - Netscape Portable Runtime (NSPR)
  - Network Security Services (NSS)

a. Update to ESX service console kernel

The ESX service console kernel is updated to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2012-2372, CVE-2012-3552, CVE-2013-2147, CVE-2013-2164, CVE-2013-2206, CVE-2013-2224, CVE-2013-2234, CVE-2013-2237, CVE-2013-2232 to these issues.

b. Update to ESX service console NSPR and NSS

This patch updates the ESX service console Netscape Portable Runtime (NSPR) and Network Security Services (NSS) RPMs to resolve multiple security issues. 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0791 and CVE-2013-1620 to these issues.

An integer overflow flaw was found in the i915_gem_do_execbuffer() function in the Intel i915 driver in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service.
This issue only affected 32-bit systems. (CVE-2012-2384 , Moderate)

A memory leak flaw was found in the way the Linux kernel's memory subsystem handled resource clean up in the mmap() failure path when the MAP_HUGETLB flag was set. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-2390 , Moderate)

A race condition was found in the way access to inet->opt ip_options was synchronized in the Linux kernel's TCP/IP protocol suite implementation. Depending on the network facing applications running on the system, a remote attacker could possibly trigger this flaw to cause a denial of service. A local, unprivileged user could use this flaw to cause a denial of service regardless of the applications the system runs. (CVE-2012-3552 , Moderate)

A flaw was found in the way the Linux kernel's dl2k driver, used by certain D-Link Gigabit Ethernet adapters, restricted IOCTLs. A local, unprivileged user could use this flaw to issue potentially harmful IOCTLs, which could cause Ethernet adapters using the dl2k driver to malfunction (for example, losing network connectivity). (CVE-2012-2313 , Low)

A flaw was found in the way the msg_namelen variable in the rds_recvmsg() function of the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation was initialized. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space.
(CVE-2012-3430 , Low)

This update fixes the following security issues :

  - A flaw was found in the way the Linux kernel's Stream     Control Transmission Protocol (SCTP) implementation     handled duplicate cookies. If a local user queried SCTP     connection information at the same time a remote     attacker has initialized a crafted SCTP connection to     the system, it could trigger a NULL pointer dereference,     causing the system to crash. (CVE-2013-2206, Important)

  - It was found that the fix for CVE-2012-3552 released via     SLSA-2012:1304 introduced an invalid free flaw in the     Linux kernel's TCP/IP protocol suite implementation. A     local, unprivileged user could use this flaw to corrupt     kernel memory via crafted sendmsg() calls, allowing them     to cause a denial of service or, potentially, escalate     their privileges on the system. (CVE-2013-2224,     Important)

  - A flaw was found in the Linux kernel's Performance     Events implementation. On systems with certain Intel     processors, a local, unprivileged user could use this     flaw to cause a denial of service by leveraging the perf     subsystem to write into the reserved bits of the     OFFCORE_RSP_0 and OFFCORE_RSP_1 model-specific     registers. (CVE-2013-2146, Moderate)

  - An invalid pointer dereference flaw was found in the     Linux kernel's TCP/IP protocol suite implementation. A     local, unprivileged user could use this flaw to crash     the system or, potentially, escalate their privileges on     the system by using sendmsg() with an IPv6 socket     connected to an IPv4 destination. (CVE-2013-2232,     Moderate)

  - Information leak flaws in the Linux kernel's Bluetooth     implementation could allow a local, unprivileged user to     leak kernel memory to user- space. (CVE-2012-6544, Low)

  - An information leak flaw in the Linux kernel could allow     a privileged, local user to leak kernel memory to     user-space. (CVE-2013-2237, Low)

The system must be rebooted for this update to take effect.

This update fixes the following security issues :

  - A flaw was found in the way the Linux kernel's Stream     Control Transmission Protocol (SCTP) implementation     handled duplicate cookies. If a local user queried SCTP     connection information at the same time a remote     attacker has initialized a crafted SCTP connection to     the system, it could trigger a NULL pointer dereference,     causing the system to crash. (CVE-2013-2206, Important)

  - It was found that the fix for CVE-2012-3552 released via     SLSA-2012:1540 introduced an invalid free flaw in the     Linux kernel's TCP/IP protocol suite implementation. A     local, unprivileged user could use this flaw to corrupt     kernel memory via crafted sendmsg() calls, allowing them     to cause a denial of service or, potentially, escalate     their privileges on the system. (CVE-2013-2224,     Important)

  - An invalid pointer dereference flaw was found in the     Linux kernel's TCP/IP protocol suite implementation. A     local, unprivileged user could use this flaw to crash     the system or, potentially, escalate their privileges on     the system by using sendmsg() with an IPv6 socket     connected to an IPv4 destination. (CVE-2013-2232,     Moderate)

  - Information leak flaws in the Linux kernel could allow a     privileged, local user to leak kernel memory to     user-space. (CVE-2013-2164, CVE-2013-2147,     CVE-2013-2234, CVE-2013-2237, Low)

The system must be rebooted for this update to take effect.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2012-1540 advisory.

    - [net] rds-ping cause kernel panic (Alexander Gordeev) [822755 822756] {CVE-2012-2372}
    - [xen] add guest address range checks to XENMEM_exchange handlers (Igor Mammedov) [878033 878034]     {CVE-2012-5513}
    - [xen] x86/physmap: Prevent incorrect updates of m2p mappings (Igor Mammedov) [870148 870149]     {CVE-2012-4537}
    - [xen] VCPU/timer: Dos vulnerability prev overflow in calculations (Igor Mammedov) [870150 870151]     {CVE-2012-4535}
    - [fs] ext4: race-cond protect for convert_unwritten_extents_endio (Lukas Czerner) [869910 869911]     {CVE-2012-4508}
    - [fs] ext4: serialize fallocate w/ ext4_convert_unwritten_extents (Lukas Czerner) [869910 869911]     {CVE-2012-4508}
    - [fs] ext4: flush the i_completed_io_list during ext4_truncate (Lukas Czerner) [869910 869911]     {CVE-2012-4508}
    - [net] ipv4: add RCU protection to inet->opt (Jiri Pirko) [872113 855302] {CVE-2012-3552}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2012:1540 :

Updated kernel packages that fix multiple security issues, two bugs, and add two enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

These packages contain the Linux kernel.

Security fixes :

* A race condition in the way asynchronous I/O and fallocate() interacted when using ext4 could allow a local, unprivileged user to obtain random data from a deleted file. (CVE-2012-4508, Important)

* A flaw in the way the Xen hypervisor implementation range checked guest provided addresses in the XENMEM_exchange hypercall could allow a malicious, para-virtualized guest administrator to crash the hypervisor or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-5513, Important)

* A flaw in the Reliable Datagram Sockets (RDS) protocol implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2012-2372, Moderate)

* A race condition in the way access to inet->opt ip_options was synchronized in the Linux kernel's TCP/IP protocol suite implementation. Depending on the network facing applications running on the system, a remote attacker could possibly trigger this flaw to cause a denial of service. A local, unprivileged user could use this flaw to cause a denial of service regardless of the applications the system runs. (CVE-2012-3552, Moderate)

* The Xen hypervisor implementation did not properly restrict the period values used to initialize per VCPU periodic timers. A privileged guest user could cause an infinite loop on the physical CPU. If the watchdog were enabled, it would detect said loop and panic the host system. (CVE-2012-4535, Moderate)

* A flaw in the way the Xen hypervisor implementation handled set_p2m_entry() error conditions could allow a privileged, fully-virtualized guest user to crash the hypervisor. (CVE-2012-4537, Moderate)

Red Hat would like to thank Theodore Ts'o for reporting CVE-2012-4508;
the Xen project for reporting CVE-2012-5513, CVE-2012-4535, and CVE-2012-4537; and Hafid Lin for reporting CVE-2012-3552. Upstream acknowledges Dmitry Monakhov as the original reporter of CVE-2012-4508. CVE-2012-2372 was discovered by Li Honggang of Red Hat.

Bug fixes :

* Previously, the interrupt handlers of the qla2xxx driver could clear pending interrupts right after the IRQ lines were attached during system start-up. Consequently, the kernel could miss the interrupt that reported completion of the link initialization, and the qla2xxx driver then failed to detect all attached LUNs. With this update, the qla2xxx driver has been modified to no longer clear interrupt bits after attaching the IRQ lines. The driver now correctly detects all attached LUNs as expected. (BZ#870118)

* The Ethernet channel bonding driver reported the MII (Media Independent Interface) status of the bond interface in 802.3ad mode as being up even though the MII status of all of the slave devices was down. This could pose a problem if the MII status of the bond interface was used to determine if failover should occur. With this update, the agg_device_up() function has been added to the bonding driver, which allows the driver to report the link status of the bond interface correctly, that is, down when all of its slaves are down, in the 802.3ad mode. (BZ#877943)

Enhancements :

* This update backports several changes from the latest upstream version of the bnx2x driver. The most important change, the remote-fault link detection feature, allows the driver to periodically scan the physical link layer for remote faults. If the physical link appears to be up and a fault is detected, the driver indicates that the link is down. When the fault is cleared, the driver indicates that the link is up again. (BZ#870120)

* The INET socket interface has been modified to send a warning message when the ip_options structure is allocated directly by a third-party module using the kmalloc() function. (BZ#874973)

Users should upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
The system must be rebooted for this update to take effect.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2012-1304 advisory.

    - [net] rds: set correct msg_namelen (Weiping Pan) [822729 822731] {CVE-2012-3430}
    - [mm] hugetlb: fix resv_map leak in error path (Motohiro Kosaki) [824350 824351] {CVE-2012-2390}
    - [netdrv] dl2k: fix unfiltered netdev rio_ioctl access by users (Jacob Tanenbaum) [818824 818825]     {CVE-2012-2313}
    - [drm] i915: fix integer overflow in i915_gem_do_execbuffer() (Jacob Tanenbaum) [824561 824563]     {CVE-2012-2384}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2012-2121     Benjamin Herrenschmidt and Jason Baron discovered issues     with the IOMMU mapping of memory slots used in KVM     device assignment. Local users with the ability to     assign devices could cause a denial of service due to a     memory page leak.

  - CVE-2012-3552     Hafid Lin reported an issue in the IP networking     subsystem. A remote user can cause a denial of service     (system crash) on servers running applications that set     options on sockets which are actively being processed.

  - CVE-2012-4461     Jon Howell reported a denial of service issue in the KVM     subsystem. On systems that do not support the XSAVE     feature, local users with access to the /dev/kvm     interface can cause a system crash.

  - CVE-2012-4508     Dmitry Monakhov and Theodore Ts'o reported a race     condition in the ext4 filesystem. Local users could gain     access to sensitive kernel memory.

  - CVE-2012-6537     Mathias Krause discovered information leak issues in the     Transformation user configuration interface. Local users     with the CAP_NET_ADMIN capability can gain access to     sensitive kernel memory.

  - CVE-2012-6539     Mathias Krause discovered an issue in the networking     subsystem. Local users on 64-bit systems can gain access     to sensitive kernel memory.

  - CVE-2012-6540     Mathias Krause discovered an issue in the Linux virtual     server subsystem. Local users can gain access to     sensitive kernel memory. Note: this issue does not     affect Debian provided kernels, but may affect custom     kernels built from Debian's linux-source-2.6.32 package.

  - CVE-2012-6542     Mathias Krause discovered an issue in the LLC protocol     support code. Local users can gain access to sensitive     kernel memory.

  - CVE-2012-6544     Mathias Krause discovered issues in the Bluetooth     subsystem. Local users can gain access to sensitive     kernel memory.

  - CVE-2012-6545     Mathias Krause discovered issues in the Bluetooth RFCOMM     protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2012-6546     Mathias Krause discovered issues in the ATM networking     support. Local users can gain access to sensitive kernel     memory.

  - CVE-2012-6548     Mathias Krause discovered an issue in the UDF file     system support. Local users can obtain access to     sensitive kernel memory.

  - CVE-2012-6549     Mathias Krause discovered an issue in the isofs file     system support. Local users can obtain access to     sensitive kernel memory.

  - CVE-2013-0349     Anderson Lizardo discovered an issue in the Bluetooth     Human Interface Device Protocol (HIDP) stack. Local     users can obtain access to sensitive kernel memory.

  - CVE-2013-0914     Emese Revfy discovered an issue in the signal     implementation. Local users may be able to bypass the     address space layout randomization (ASLR) facility due     to a leaking of information to child processes.

  - CVE-2013-1767     Greg Thelen reported an issue in the tmpfs virtual     memory filesystem. Local users with sufficient privilege     to mount filesystems can cause a denial of service or     possibly elevated privileges due to a use-after free     defect.

  - CVE-2013-1773     Alan Stern provided a fix for a defect in the     UTF8->UTF16 string conversion facility used by the VFAT     filesystem. A local user could cause a buffer overflow     condition, resulting in a denial of service or     potentially elevated privileges.

  - CVE-2013-1774     Wolfgang Frisch provided a fix for a NULL pointer     dereference defect in the driver for some serial USB     devices from Inside Out Networks. Local users with     permission to access these devices can create a denial     of service (kernel oops) by causing the device to be     removed while it is in use.

  - CVE-2013-1792     Mateusz Guzik of Red Hat EMEA GSS SEG Team discovered a     race condition in the access key retention support in     the kernel. A local user could cause a denial of service     (NULL pointer dereference).

  - CVE-2013-1796     Andrew Honig of Google reported an issue in the KVM     subsystem. A user in a guest operating system could     corrupt kernel memory, resulting in a denial of service.

  - CVE-2013-1798     Andrew Honig of Google reported an issue in the KVM     subsystem. A user in a guest operating system could     cause a denial of service due to a use after-free     defect.

  - CVE-2013-1826     Mathias Krause discovered an issue in the Transformation     (XFRM) user configuration interface of the networking     stack. A user with the CAP_NET_ADMIN capability may be     able to gain elevated privileges.

  - CVE-2013-1860     Oliver Neukum discovered an issue in the USB CDC WCM     Device Management driver. Local users with the ability     to attach devices can cause a denial of service (kernel     crash) or potentially gain elevated privileges.

  - CVE-2013-1928     Kees Cook provided a fix for an information leak in the     VIDEO_SET_SPU_PALETTE ioctl for 32-bit applications     running on a 64-bit kernel. Local users can gain access     to sensitive kernel memory.

  - CVE-2013-1929     Oded Horovitz and Brad Spengler reported an issue in the     device driver for Broadcom Tigon3 based gigabit     Ethernet. Users with the ability to attach untrusted     devices can create an overflow condition, resulting in a     denial of service or elevated privileges.

  - CVE-2013-2015     Theodore Ts'o provided a fix for an issue in the ext4     filesystem. Local users with the ability to mount a     specially crafted filesystem can cause a denial of     service (infinite loop).

  - CVE-2013-2634     Mathias Krause discovered a few issues in the Data     Center Bridging (DCB) netlink interface. Local users can     gain access to sensitive kernel memory.

  - CVE-2013-3222     Mathias Krause discovered an issue in the Asynchronous     Transfer Mode (ATM) protocol support. Local users can     gain access to sensitive kernel memory.

  - CVE-2013-3223     Mathias Krause discovered an issue in the Amateur Radio     AX.25 protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3224     Mathias Krause discovered an issue in the Bluetooth     subsystem. Local users can gain access to sensitive     kernel memory.

  - CVE-2013-3225     Mathias Krause discovered an issue in the Bluetooth     RFCOMM protocol support. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3228     Mathias Krause discovered an issue in the IrDA     (infrared) subsystem support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3229     Mathias Krause discovered an issue in the IUCV support     on s390 systems. Local users can gain access to     sensitive kernel memory.

  - CVE-2013-3231     Mathias Krause discovered an issue in the ANSI/IEEE     802.2 LLC type 2 protocol support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3234     Mathias Krause discovered an issue in the Amateur Radio     X.25 PLP (Rose) protocol support. Local users can gain     access to sensitive kernel memory.

  - CVE-2013-3235     Mathias Krause discovered an issue in the Transparent     Inter Process Communication (TIPC) protocol support.
    Local users can gain access to sensitive kernel memory.

Security fixes :

  - A race condition in the way asynchronous I/O and     fallocate() interacted when using ext4 could allow a     local, unprivileged user to obtain random data from a     deleted file. (CVE-2012-4508, Important)

  - A flaw in the way the Xen hypervisor implementation     range checked guest provided addresses in the     XENMEM_exchange hypercall could allow a malicious,     para-virtualized guest administrator to crash the     hypervisor or, potentially, escalate their privileges,     allowing them to execute arbitrary code at the     hypervisor level. (CVE-2012-5513, Important)

  - A flaw in the Reliable Datagram Sockets (RDS) protocol     implementation could allow a local, unprivileged user to     cause a denial of service. (CVE-2012-2372, Moderate)

  - A race condition in the way access to inet->opt     ip_options was synchronized in the Linux kernel's TCP/IP     protocol suite implementation. Depending on the network     facing applications running on the system, a remote     attacker could possibly trigger this flaw to cause a     denial of service. A local, unprivileged user could use     this flaw to cause a denial of service regardless of the     applications the system runs. (CVE-2012-3552, Moderate)

  - The Xen hypervisor implementation did not properly     restrict the period values used to initialize per VCPU     periodic timers. A privileged guest user could cause an     infinite loop on the physical CPU. If the watchdog were     enabled, it would detect said loop and panic the host     system. (CVE-2012-4535, Moderate)

  - A flaw in the way the Xen hypervisor implementation     handled set_p2m_entry() error conditions could allow a     privileged, fully-virtualized guest user to crash the     hypervisor. (CVE-2012-4537, Moderate)

Bug fixes :

  - Previously, the interrupt handlers of the qla2xxx driver     could clear pending interrupts right after the IRQ lines     were attached during system start-up. Consequently, the     kernel could miss the interrupt that reported completion     of the link initialization, and the qla2xxx driver then     failed to detect all attached LUNs. With this update,     the qla2xxx driver has been modified to no longer clear     interrupt bits after attaching the IRQ lines. The driver     now correctly detects all attached LUNs as expected.

  - The Ethernet channel bonding driver reported the MII     (Media Independent Interface) status of the bond     interface in 802.3ad mode as being up even though the     MII status of all of the slave devices was down. This     could pose a problem if the MII status of the bond     interface was used to determine if failover should     occur. With this update, the agg_device_up() function     has been added to the bonding driver, which allows the     driver to report the link status of the bond interface     correctly, that is, down when all of its slaves are     down, in the 802.3ad mode.

Enhancements :

  - This update backports several changes from the latest     upstream version of the bnx2x driver. The most important     change, the remote-fault link detection feature, allows     the driver to periodically scan the physical link layer     for remote faults. If the physical link appears to be up     and a fault is detected, the driver indicates that the     link is down. When the fault is cleared, the driver     indicates that the link is up again.

  - The INET socket interface has been modified to send a     warning message when the ip_options structure is     allocated directly by a third-party module using the     kmalloc() function.

The system must be rebooted for this update to take effect.

Updated kernel packages that fix multiple security issues, two bugs, and add two enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

These packages contain the Linux kernel.

Security fixes :

* A race condition in the way asynchronous I/O and fallocate() interacted when using ext4 could allow a local, unprivileged user to obtain random data from a deleted file. (CVE-2012-4508, Important)

* A flaw in the way the Xen hypervisor implementation range checked guest provided addresses in the XENMEM_exchange hypercall could allow a malicious, para-virtualized guest administrator to crash the hypervisor or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-5513, Important)

* A flaw in the Reliable Datagram Sockets (RDS) protocol implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2012-2372, Moderate)

* A race condition in the way access to inet->opt ip_options was synchronized in the Linux kernel's TCP/IP protocol suite implementation. Depending on the network facing applications running on the system, a remote attacker could possibly trigger this flaw to cause a denial of service. A local, unprivileged user could use this flaw to cause a denial of service regardless of the applications the system runs. (CVE-2012-3552, Moderate)

* The Xen hypervisor implementation did not properly restrict the period values used to initialize per VCPU periodic timers. A privileged guest user could cause an infinite loop on the physical CPU. If the watchdog were enabled, it would detect said loop and panic the host system. (CVE-2012-4535, Moderate)

* A flaw in the way the Xen hypervisor implementation handled set_p2m_entry() error conditions could allow a privileged, fully-virtualized guest user to crash the hypervisor. (CVE-2012-4537, Moderate)

Red Hat would like to thank Theodore Ts'o for reporting CVE-2012-4508;
the Xen project for reporting CVE-2012-5513, CVE-2012-4535, and CVE-2012-4537; and Hafid Lin for reporting CVE-2012-3552. Upstream acknowledges Dmitry Monakhov as the original reporter of CVE-2012-4508. CVE-2012-2372 was discovered by Li Honggang of Red Hat.

Bug fixes :

* Previously, the interrupt handlers of the qla2xxx driver could clear pending interrupts right after the IRQ lines were attached during system start-up. Consequently, the kernel could miss the interrupt that reported completion of the link initialization, and the qla2xxx driver then failed to detect all attached LUNs. With this update, the qla2xxx driver has been modified to no longer clear interrupt bits after attaching the IRQ lines. The driver now correctly detects all attached LUNs as expected. (BZ#870118)

* The Ethernet channel bonding driver reported the MII (Media Independent Interface) status of the bond interface in 802.3ad mode as being up even though the MII status of all of the slave devices was down. This could pose a problem if the MII status of the bond interface was used to determine if failover should occur. With this update, the agg_device_up() function has been added to the bonding driver, which allows the driver to report the link status of the bond interface correctly, that is, down when all of its slaves are down, in the 802.3ad mode. (BZ#877943)

Enhancements :

* This update backports several changes from the latest upstream version of the bnx2x driver. The most important change, the remote-fault link detection feature, allows the driver to periodically scan the physical link layer for remote faults. If the physical link appears to be up and a fault is detected, the driver indicates that the link is down. When the fault is cleared, the driver indicates that the link is up again. (BZ#870120)

* The INET socket interface has been modified to send a warning message when the ip_options structure is allocated directly by a third-party module using the kmalloc() function. (BZ#874973)

Users should upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
The system must be rebooted for this update to take effect.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:1540 advisory.

  - kernel: rds-ping cause kernel panic (CVE-2012-2372)

  - kernel: net: slab corruption due to improper synchronization around inet->opt (CVE-2012-3552)

  - kernel: ext4: AIO vs fallocate stale data exposure (CVE-2012-4508)

  - kernel: xen: VCPU timer overflow leads to PCPU deadlock and host death-by-watchdog (CVE-2012-4535)

  - kernel: xen: Memory mapping failure can crash Xen (CVE-2012-4537)

  - kernel: xen: XENMEM_exchange may overwrite hypervisor memory (CVE-2012-5513)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

  - An integer overflow flaw was found in the     i915_gem_do_execbuffer() function in the Intel i915     driver in the Linux kernel. A local, unprivileged user     could use this flaw to cause a denial of service. This     issue only affected 32-bit systems. (CVE-2012-2384,     Moderate)

  - A memory leak flaw was found in the way the Linux     kernel's memory subsystem handled resource clean up in     the mmap() failure path when the MAP_HUGETLB flag was     set. A local, unprivileged user could use this flaw to     cause a denial of service. (CVE-2012-2390, Moderate)

  - A race condition was found in the way access to     inet->opt ip_options was synchronized in the Linux     kernel's TCP/IP protocol suite implementation. Depending     on the network facing applications running on the     system, a remote attacker could possibly trigger this     flaw to cause a denial of service. A local, unprivileged     user could use this flaw to cause a denial of service     regardless of the applications the system runs.
    (CVE-2012-3552, Moderate)

  - A flaw was found in the way the Linux kernel's dl2k     driver, used by certain D-Link Gigabit Ethernet     adapters, restricted IOCTLs. A local, unprivileged user     could use this flaw to issue potentially harmful IOCTLs,     which could cause Ethernet adapters using the dl2k     driver to malfunction (for example, losing network     connectivity). (CVE-2012-2313, Low)

  - A flaw was found in the way the msg_namelen variable in     the rds_recvmsg() function of the Linux kernel's     Reliable Datagram Sockets (RDS) protocol implementation     was initialized. A local, unprivileged user could use     this flaw to leak kernel stack memory to user-space.
    (CVE-2012-3430, Low)

This update also fixes several bugs.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted.
The system must be rebooted for this update to take effect.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* An integer overflow flaw was found in the i915_gem_do_execbuffer() function in the Intel i915 driver in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service.
This issue only affected 32-bit systems. (CVE-2012-2384, Moderate)

* A memory leak flaw was found in the way the Linux kernel's memory subsystem handled resource clean up in the mmap() failure path when the MAP_HUGETLB flag was set. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-2390, Moderate)

* A race condition was found in the way access to inet->opt ip_options was synchronized in the Linux kernel's TCP/IP protocol suite implementation. Depending on the network facing applications running on the system, a remote attacker could possibly trigger this flaw to cause a denial of service. A local, unprivileged user could use this flaw to cause a denial of service regardless of the applications the system runs. (CVE-2012-3552, Moderate)

* A flaw was found in the way the Linux kernel's dl2k driver, used by certain D-Link Gigabit Ethernet adapters, restricted IOCTLs. A local, unprivileged user could use this flaw to issue potentially harmful IOCTLs, which could cause Ethernet adapters using the dl2k driver to malfunction (for example, losing network connectivity).
(CVE-2012-2313, Low)

* A flaw was found in the way the msg_namelen variable in the rds_recvmsg() function of the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation was initialized. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space.
(CVE-2012-3430, Low)

Red Hat would like to thank Hafid Lin for reporting CVE-2012-3552, and Stephan Mueller for reporting CVE-2012-2313. The CVE-2012-3430 issue was discovered by the Red Hat InfiniBand team.

This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:1304 advisory.

  - kernel: unfiltered netdev rio_ioctl access by users (CVE-2012-2313)

  - kernel: drm/i915: integer overflow in i915_gem_do_execbuffer() (CVE-2012-2384)

  - kernel: huge pages: memory leak on mmap failure (CVE-2012-2390)

  - kernel: recv{from,msg}() on an rds socket can leak kernel memory (CVE-2012-3430)

  - kernel: net: slab corruption due to improper synchronization around inet->opt (CVE-2012-3552)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2012-1540.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2012-1304.

ID	Name	Product	Family	Severity
89670	VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2013-0015) (remote check)	Nessus	Misc.	medium
71245	VMSA-2013-0015 : VMware ESX updates to third-party libraries	Nessus	VMware ESX Local Security Checks	medium
69623	Amazon Linux AMI : kernel (ALAS-2012-133)	Nessus	Amazon Linux Local Security Checks	medium
69503	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20130827)	Nessus	Scientific Linux Local Security Checks	medium
69440	Scientific Linux Security Update : kernel on SL5.x i386/x86_64 (20130820)	Nessus	Scientific Linux Local Security Checks	medium
68663	Oracle Linux 5 : kernel (ELSA-2012-1540)	Nessus	Oracle Linux Local Security Checks	medium
68662	Oracle Linux 5 : kernel (ELSA-2012-1540-1)	Nessus	Oracle Linux Local Security Checks	medium
68630	Oracle Linux 6 : kernel (ELSA-2012-1304)	Nessus	Oracle Linux Local Security Checks	medium
66431	Debian DSA-2668-1 : linux-2.6 - privilege escalation/denial of service/information leak	Nessus	Debian Local Security Checks	medium
63183	Scientific Linux Security Update : kernel on SL5.x i386/x86_64 (20121204)	Nessus	Scientific Linux Local Security Checks	medium
63171	CentOS 5 : kernel (CESA-2012:1540)	Nessus	CentOS Local Security Checks	medium
63152	RHEL 5 : kernel (RHSA-2012:1540)	Nessus	Red Hat Local Security Checks	medium
62346	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20120925)	Nessus	Scientific Linux Local Security Checks	medium
62316	CentOS 6 : kernel (CESA-2012:1304)	Nessus	CentOS Local Security Checks	medium
62303	RHEL 6 : kernel (RHSA-2012:1304)	Nessus	Red Hat Local Security Checks	medium
801531	CentOS RHSA-2012-1540 Security Check	Log Correlation Engine	Generic	high
801526	CentOS RHSA-2012-1304 Security Check	Log Correlation Engine	Generic	high

Detections

Analytics

CVE-2012-3552

medium

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

high

high