SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 3760 / 3762 / 3763)

high Nessus Plugin ID 51614

Synopsis

The remote SuSE 11 host is missing one or more security updates.

Description

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.27 and fixes various bugs and security issues.

The following security issues were fixed:

- A local attacker could use an Oops (kernel crash) caused by other flaws to write a 0 byte to an attacker-controlled address in the kernel. This could lead to privilege escalation together with other issues. (CVE-2010-4258)

- An overflow in the sendto() and recvfrom() routines was fixed that could be used by local attackers to potentially crash the kernel using some socket families like L2TP. (CVE-2010-4160)

- A 32-bit vs. 64-bit integer mismatch in gdth_ioctl_alloc could lead to memory corruption in the GDTH driver. (CVE-2010-4157)

- The do_tcp_setsockopt function in net/ipv4/tcp.c in the Linux kernel did not properly restrict TCP_MAXSEG (aka MSS) values, which allowed local users to cause a denial of service (OOPS) via a setsockopt call that specifies a small value, leading to a divide-by-zero error or incorrect use of a signed integer. (CVE-2010-4165)

- A remote (or local) attacker communicating over X.25 could cause a kernel panic by attempting to negotiate malformed facilities. (CVE-2010-4164)

- A local attacker could cause memory overruns in the RDS protocol stack, potentially crashing the kernel. So far it is considered not to be exploitable. (CVE-2010-4175)

- A use-after-free vulnerability in mm/mprotect.c in the Linux kernel allowed local users to cause a denial of service via vectors involving an mprotect system call. (CVE-2010-4169)

- A minor heap overflow in the CAN network module was fixed. Due to the nature of the memory allocator it is likely not exploitable. (CVE-2010-3874)

- A memory information leak in Berkeley Packet Filter rules allowed local attackers to read uninitialized memory of the kernel stack. (CVE-2010-4158)

- A local denial of service in the block device layer was fixed. (CVE-2010-4162)

- By submitting certain I/O requests with 0 length, a local user could have caused a kernel panic. (CVE-2010-4163)

- The ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel did not initialize a certain block of heap memory, which allowed local users to obtain potentially sensitive information via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value. (CVE-2010-3861)

- arch/x86/kvm/x86.c in the Linux kernel did not initialize certain structure members, which allowed local users to obtain potentially sensitive information from kernel stack memory via read operations on the /dev/kvm device. (CVE-2010-3881)

- A range-checking overflow in the pktcdvd ioctl was fixed. (CVE-2010-3437)

- The viafb_ioctl_get_viafb_info function in drivers/video/via/ioctl.c in the Linux kernel did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a VIAFB_GET_INFO ioctl call. (CVE-2010-4082)

- The ipc subsystem in the Linux kernel did not initialize certain structures, which allowed local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c. (CVE-2010-4073)

- The copy_shmid_to_user function in ipc/shm.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the 'old shm interface'. (CVE-2010-4072)

- The copy_semid_to_user function in ipc/sem.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call. (CVE-2010-4083)

Solution

Apply SAT patch number 3760 / 3762 / 3763 as appropriate.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=595215

https://bugzilla.novell.com/show_bug.cgi?id=602838

https://bugzilla.novell.com/show_bug.cgi?id=615630

https://bugzilla.novell.com/show_bug.cgi?id=628180

https://bugzilla.novell.com/show_bug.cgi?id=636672

https://bugzilla.novell.com/show_bug.cgi?id=637542

https://bugzilla.novell.com/show_bug.cgi?id=638258

https://bugzilla.novell.com/show_bug.cgi?id=639803

https://bugzilla.novell.com/show_bug.cgi?id=640878

https://bugzilla.novell.com/show_bug.cgi?id=641105

https://bugzilla.novell.com/show_bug.cgi?id=641811

https://bugzilla.novell.com/show_bug.cgi?id=642043

https://bugzilla.novell.com/show_bug.cgi?id=642313

https://bugzilla.novell.com/show_bug.cgi?id=642314

https://bugzilla.novell.com/show_bug.cgi?id=642486

https://bugzilla.novell.com/show_bug.cgi?id=643173

https://bugzilla.novell.com/show_bug.cgi?id=643477

https://bugzilla.novell.com/show_bug.cgi?id=645659

https://bugzilla.novell.com/show_bug.cgi?id=646226

https://bugzilla.novell.com/show_bug.cgi?id=646542

https://bugzilla.novell.com/show_bug.cgi?id=646702

https://bugzilla.novell.com/show_bug.cgi?id=646908

https://bugzilla.novell.com/show_bug.cgi?id=647567

https://bugzilla.novell.com/show_bug.cgi?id=648112

https://bugzilla.novell.com/show_bug.cgi?id=648701

https://bugzilla.novell.com/show_bug.cgi?id=649187

https://bugzilla.novell.com/show_bug.cgi?id=649548

https://bugzilla.novell.com/show_bug.cgi?id=650067

https://bugzilla.novell.com/show_bug.cgi?id=650185

https://bugzilla.novell.com/show_bug.cgi?id=650487

https://bugzilla.novell.com/show_bug.cgi?id=650748

https://bugzilla.novell.com/show_bug.cgi?id=651066

https://bugzilla.novell.com/show_bug.cgi?id=651218

https://bugzilla.novell.com/show_bug.cgi?id=651596

https://bugzilla.novell.com/show_bug.cgi?id=652024

https://bugzilla.novell.com/show_bug.cgi?id=652293

https://bugzilla.novell.com/show_bug.cgi?id=652563

https://bugzilla.novell.com/show_bug.cgi?id=652603

https://bugzilla.novell.com/show_bug.cgi?id=652842

https://bugzilla.novell.com/show_bug.cgi?id=652939

https://bugzilla.novell.com/show_bug.cgi?id=652940

https://bugzilla.novell.com/show_bug.cgi?id=652945

https://bugzilla.novell.com/show_bug.cgi?id=653148

https://bugzilla.novell.com/show_bug.cgi?id=653258

https://bugzilla.novell.com/show_bug.cgi?id=653260

https://bugzilla.novell.com/show_bug.cgi?id=653266

https://bugzilla.novell.com/show_bug.cgi?id=653800

https://bugzilla.novell.com/show_bug.cgi?id=653930

https://bugzilla.novell.com/show_bug.cgi?id=654150

https://bugzilla.novell.com/show_bug.cgi?id=654530

https://bugzilla.novell.com/show_bug.cgi?id=654581

https://bugzilla.novell.com/show_bug.cgi?id=654701

https://bugzilla.novell.com/show_bug.cgi?id=654837

https://bugzilla.novell.com/show_bug.cgi?id=654967

https://bugzilla.novell.com/show_bug.cgi?id=655027

https://bugzilla.novell.com/show_bug.cgi?id=655278

https://bugzilla.novell.com/show_bug.cgi?id=656471

https://bugzilla.novell.com/show_bug.cgi?id=657324

https://bugzilla.novell.com/show_bug.cgi?id=657350

https://bugzilla.novell.com/show_bug.cgi?id=657412

https://bugzilla.novell.com/show_bug.cgi?id=657415

https://bugzilla.novell.com/show_bug.cgi?id=657976

https://bugzilla.novell.com/show_bug.cgi?id=658464

https://bugzilla.novell.com/show_bug.cgi?id=658829

https://bugzilla.novell.com/show_bug.cgi?id=659144

http://support.novell.com/security/cve/CVE-2010-3437.html

http://support.novell.com/security/cve/CVE-2010-3861.html

http://support.novell.com/security/cve/CVE-2010-3874.html

http://support.novell.com/security/cve/CVE-2010-3881.html

http://support.novell.com/security/cve/CVE-2010-4072.html

http://support.novell.com/security/cve/CVE-2010-4073.html

http://support.novell.com/security/cve/CVE-2010-4082.html

http://support.novell.com/security/cve/CVE-2010-4083.html

http://support.novell.com/security/cve/CVE-2010-4157.html

http://support.novell.com/security/cve/CVE-2010-4158.html

http://support.novell.com/security/cve/CVE-2010-4160.html

http://support.novell.com/security/cve/CVE-2010-4162.html

http://support.novell.com/security/cve/CVE-2010-4163.html

http://support.novell.com/security/cve/CVE-2010-4164.html

http://support.novell.com/security/cve/CVE-2010-4165.html

http://support.novell.com/security/cve/CVE-2010-4169.html

http://support.novell.com/security/cve/CVE-2010-4175.html

http://support.novell.com/security/cve/CVE-2010-4258.html

Plugin Details

Severity: High

ID: 51614

File Name: suse_11_kernel-110104.nasl

Version: 1.10

Type: local

Agent: unix

Published: 1/21/2011

Updated: 1/19/2021

Supported Sensors: Agentless Assessment, Nessus Agent, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.9

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:11:kernel-xen-devel, p-cpe:/a:novell:suse_linux:11:kernel-syms, p-cpe:/a:novell:suse_linux:11:kernel-default-extra, p-cpe:/a:novell:suse_linux:11:kernel-default, p-cpe:/a:novell:suse_linux:11:kernel-xen-extra, p-cpe:/a:novell:suse_linux:11:btrfs-kmp-default, p-cpe:/a:novell:suse_linux:11:kernel-source, p-cpe:/a:novell:suse_linux:11:btrfs-kmp-pae, p-cpe:/a:novell:suse_linux:11:kernel-pae-base, cpe:/o:novell:suse_linux:11, p-cpe:/a:novell:suse_linux:11:kernel-xen, p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-pae, p-cpe:/a:novell:suse_linux:11:kernel-trace, p-cpe:/a:novell:suse_linux:11:kernel-pae, p-cpe:/a:novell:suse_linux:11:kernel-default-base, p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-default, p-cpe:/a:novell:suse_linux:11:kernel-ec2, p-cpe:/a:novell:suse_linux:11:kernel-pae-devel, p-cpe:/a:novell:suse_linux:11:kernel-default-man, p-cpe:/a:novell:suse_linux:11:kernel-ec2-base, p-cpe:/a:novell:suse_linux:11:kernel-trace-devel, p-cpe:/a:novell:suse_linux:11:btrfs-kmp-xen, p-cpe:/a:novell:suse_linux:11:kernel-default-devel, p-cpe:/a:novell:suse_linux:11:kernel-desktop-devel, p-cpe:/a:novell:suse_linux:11:kernel-xen-base, p-cpe:/a:novell:suse_linux:11:kernel-trace-base, p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-xen, p-cpe:/a:novell:suse_linux:11:kernel-pae-extra, p-cpe:/a:novell:suse_linux:11:hyper-v-kmp-pae, p-cpe:/a:novell:suse_linux:11:hyper-v-kmp-default

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/4/2011

Exploitable With

Core Impact

Reference Information

CVE: CVE-2010-3437, CVE-2010-3861, CVE-2010-3874, CVE-2010-3881, CVE-2010-4072, CVE-2010-4073, CVE-2010-4082, CVE-2010-4083, CVE-2010-4157, CVE-2010-4158, CVE-2010-4160, CVE-2010-4162, CVE-2010-4163, CVE-2010-4164, CVE-2010-4165, CVE-2010-4169, CVE-2010-4175, CVE-2010-4258