SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 4884 / 4888 / 4889)

Nessus Plugin ID 55686 (severity: high)

Synopsis

The remote SuSE 11 host is missing one or more security updates.

Description

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.43, which fixes various bugs and security issues.

The following security issues were fixed :

- The normal mmap paths all avoid creating a mapping where the pgoff inside the mapping could wrap around due to overflow. However, an expanding mremap() could take such a non-wrapping mapping and enlarge it, causing a wrapping condition. (CVE-2011-2496)

- A local unprivileged user able to access an NFS filesystem could use file locking to deadlock parts of an NFS server under some circumstances. (CVE-2011-2491)

- Fixed a race between ksmd and other memory management code, which could result in a NULL ptr dereference and kernel crash. (CVE-2011-2183)

- In both trigger_scan and sched_scan operations, the SSID length was checked before the value had been assigned. Since the memory had just been kzalloced, the check always passed and SSIDs longer than 32 characters were allowed through. Exploiting this required CAP_NET_ADMIN privileges. (CVE-2011-2517)

- A malicious user or buggy application could inject diagnostic bytecode and trigger an infinite loop in inet_diag_bc_audit(). (CVE-2011-2213)

- The code for evaluating LDM partitions (in fs/partitions/ldm.c) contained bugs that could crash the kernel for certain corrupted LDM partitions. (CVE-2011-1017 / CVE-2011-1012 / CVE-2011-2182)

- Multiple integer overflows in the next_pidmap function in kernel/pid.c in the Linux kernel allowed local users to cause a denial of service (system crash) via a crafted (1) getdents or (2) readdir system call. (CVE-2011-1593)

- The proc filesystem implementation in the Linux kernel did not restrict access to the /proc directory tree of a process after that process performed an exec of a setuid program, which allowed local users to obtain sensitive information or cause a denial of service via open, lseek, read, and write system calls. (CVE-2011-1020)

- When using a setuid root mount.cifs, local users could hijack password protected mounted CIFS shares of other local users. (CVE-2011-1585)

- An information leak via the TPM devices could be used by local attackers to read kernel memory. (CVE-2011-1160)

- The Linux kernel automatically evaluates partition tables of storage devices. The code for evaluating EFI GUID partitions (in fs/partitions/efi.c) contained a bug that caused a kernel oops on certain corrupted GUID partition tables, which might be used by local attackers to crash the kernel or potentially execute code. (CVE-2011-1577)

- In a bluetooth ioctl, struct sco_conninfo has one padding byte at the end. The local variable cinfo of type sco_conninfo was copied to userspace with this one byte uninitialized, leaking old stack contents. (CVE-2011-1078)

- In a bluetooth ioctl, struct ca is copied from userspace. It was not checked whether the 'device' field was NUL terminated. This could lead to a BUG() inside alloc_netdev_mqs() and/or an information leak by creating a device whose name is made of kernel stack contents. (CVE-2011-1079)

- In ebtables rule loading, struct tmp is copied from userspace. It was not checked whether the 'name' field was NUL terminated. This could lead to a buffer overflow and to the contents of the kernel stack being passed as a module name to try_then_request_module() and, consequently, to the modprobe command line, where it would be visible to all userspace processes. (CVE-2011-1080)

- The econet_sendmsg function in net/econet/af_econet.c in the Linux kernel on the x86_64 platform allowed remote attackers to obtain potentially sensitive information from kernel stack memory by reading uninitialized data in the ah field of an Acorn Universal Networking (AUN) packet. (CVE-2011-1173)

- net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel did not place the expected '0' character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process. (CVE-2011-1170)

- net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel did not place the expected '0' character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process. (CVE-2011-1171)

- net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel did not place the expected '0' character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process. (CVE-2011-1172)

- Multiple integer overflows in the (1) agp_allocate_memory and (2) agp_create_user_memory functions in drivers/char/agp/generic.c in the Linux kernel before allowed local users to trigger buffer overflows, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via vectors related to calls that specify a large number of memory pages. (CVE-2011-1746)

- Integer overflow in the agp_generic_insert_memory function in drivers/char/agp/generic.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_BIND agp_ioctl ioctl call. (CVE-2011-1745)

- The bcm_release function in net/can/bcm.c in the Linux kernel did not properly validate a socket data structure, which allowed local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation. (CVE-2011-1598)

- The raw_release function in net/can/raw.c in the Linux kernel did not properly validate a socket data structure, which allowed local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation. (CVE-2011-1748)
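Several of the items above (the bluetooth 'device' field, the ebtables 'name' field, and the arp_tables/ip_tables/ip6_tables name members) share one bug class: a fixed-size char array is copied in from userspace and then treated as a C string without confirming it contains a terminator. The following C snippet is an added, constructed illustration of the defensive check, not kernel code from this update; `struct user_request`, `NAME_LEN`, and the helper names are assumptions standing in for the kernel structures.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a fixed-size name field filled from userspace. */
#define NAME_LEN 16

struct user_request {
    char name[NAME_LEN];   /* untrusted: may arrive without a NUL terminator */
    unsigned int flags;
};

/* Bounded length that never reads past 'max' bytes (strnlen equivalent, kept
 * local so the example does not depend on a POSIX.1-2008 declaration). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Simulates copy_from_user(): copies exactly sizeof(*req) bytes from an
 * untrusted buffer, which is all the real call guarantees. */
static int copy_request(struct user_request *req, const void *ubuf, size_t ulen)
{
    if (ulen < sizeof(*req))
        return -EFAULT;
    memcpy(req, ubuf, sizeof(*req));
    return 0;
}

/* Reject a name with no terminator inside the field, so a later strlen,
 * printk or request_module can never walk into 'flags' or past the struct. */
int validate_name(const struct user_request *req)
{
    return bounded_len(req->name, NAME_LEN) >= NAME_LEN ? -EINVAL : 0;
}

/* Alternative used by the netfilter fixes: force a terminator in place. */
void force_terminate_name(struct user_request *req)
{
    req->name[NAME_LEN - 1] = '\0';
}

/* Copy-then-validate over one constructed buffer; returns 0 or -errno. */
int check_buffer(const unsigned char *ubuf, size_t ulen)
{
    struct user_request req;
    int err = copy_request(&req, ubuf, ulen);
    return err ? err : validate_name(&req);
}
```

Either approach is acceptable; rejecting with -EINVAL is stricter, while forcing the terminator silently truncates an over-long name.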

Solution

Apply SAT patch number 4884 / 4888 / 4889 as appropriate.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=466279

https://bugzilla.novell.com/show_bug.cgi?id=584493

https://bugzilla.novell.com/show_bug.cgi?id=626119

https://bugzilla.novell.com/show_bug.cgi?id=638985

https://bugzilla.novell.com/show_bug.cgi?id=649000

https://bugzilla.novell.com/show_bug.cgi?id=650545

https://bugzilla.novell.com/show_bug.cgi?id=653850

https://bugzilla.novell.com/show_bug.cgi?id=654501

https://bugzilla.novell.com/show_bug.cgi?id=655973

https://bugzilla.novell.com/show_bug.cgi?id=662432

https://bugzilla.novell.com/show_bug.cgi?id=663513

https://bugzilla.novell.com/show_bug.cgi?id=666423

https://bugzilla.novell.com/show_bug.cgi?id=667226

https://bugzilla.novell.com/show_bug.cgi?id=668483

https://bugzilla.novell.com/show_bug.cgi?id=668927

https://bugzilla.novell.com/show_bug.cgi?id=669889

https://bugzilla.novell.com/show_bug.cgi?id=670465

https://bugzilla.novell.com/show_bug.cgi?id=670816

https://bugzilla.novell.com/show_bug.cgi?id=670868

https://bugzilla.novell.com/show_bug.cgi?id=674648

https://bugzilla.novell.com/show_bug.cgi?id=674982

https://bugzilla.novell.com/show_bug.cgi?id=676601

https://bugzilla.novell.com/show_bug.cgi?id=676602

https://bugzilla.novell.com/show_bug.cgi?id=677443

https://bugzilla.novell.com/show_bug.cgi?id=677563

https://bugzilla.novell.com/show_bug.cgi?id=678728

https://bugzilla.novell.com/show_bug.cgi?id=680040

https://bugzilla.novell.com/show_bug.cgi?id=680845

https://bugzilla.novell.com/show_bug.cgi?id=681180

https://bugzilla.novell.com/show_bug.cgi?id=681181

https://bugzilla.novell.com/show_bug.cgi?id=681182

https://bugzilla.novell.com/show_bug.cgi?id=681185

https://bugzilla.novell.com/show_bug.cgi?id=681186

https://bugzilla.novell.com/show_bug.cgi?id=681639

https://bugzilla.novell.com/show_bug.cgi?id=682076

https://bugzilla.novell.com/show_bug.cgi?id=682251

https://bugzilla.novell.com/show_bug.cgi?id=682319

https://bugzilla.novell.com/show_bug.cgi?id=682482

https://bugzilla.novell.com/show_bug.cgi?id=682567

https://bugzilla.novell.com/show_bug.cgi?id=683107

https://bugzilla.novell.com/show_bug.cgi?id=683282

https://bugzilla.novell.com/show_bug.cgi?id=684297

https://bugzilla.novell.com/show_bug.cgi?id=684472

https://bugzilla.novell.com/show_bug.cgi?id=684852

https://bugzilla.novell.com/show_bug.cgi?id=684927

https://bugzilla.novell.com/show_bug.cgi?id=685226

https://bugzilla.novell.com/show_bug.cgi?id=685276

https://bugzilla.novell.com/show_bug.cgi?id=686325

https://bugzilla.novell.com/show_bug.cgi?id=686404

https://bugzilla.novell.com/show_bug.cgi?id=686412

https://bugzilla.novell.com/show_bug.cgi?id=686921

https://bugzilla.novell.com/show_bug.cgi?id=686980

https://bugzilla.novell.com/show_bug.cgi?id=687113

https://bugzilla.novell.com/show_bug.cgi?id=687478

https://bugzilla.novell.com/show_bug.cgi?id=687759

https://bugzilla.novell.com/show_bug.cgi?id=687760

https://bugzilla.novell.com/show_bug.cgi?id=687789

https://bugzilla.novell.com/show_bug.cgi?id=688326

https://bugzilla.novell.com/show_bug.cgi?id=688432

https://bugzilla.novell.com/show_bug.cgi?id=688685

https://bugzilla.novell.com/show_bug.cgi?id=689041

https://bugzilla.novell.com/show_bug.cgi?id=689290

https://bugzilla.novell.com/show_bug.cgi?id=689596

https://bugzilla.novell.com/show_bug.cgi?id=689746

https://bugzilla.novell.com/show_bug.cgi?id=689797

https://bugzilla.novell.com/show_bug.cgi?id=690683

https://bugzilla.novell.com/show_bug.cgi?id=691216

http://support.novell.com/security/cve/CVE-2011-1598.html

http://support.novell.com/security/cve/CVE-2011-1745.html

http://support.novell.com/security/cve/CVE-2011-1746.html

http://support.novell.com/security/cve/CVE-2011-1748.html

http://support.novell.com/security/cve/CVE-2011-2182.html

http://support.novell.com/security/cve/CVE-2011-2183.html

http://support.novell.com/security/cve/CVE-2011-2213.html

http://support.novell.com/security/cve/CVE-2011-2491.html

http://support.novell.com/security/cve/CVE-2011-2496.html

http://support.novell.com/security/cve/CVE-2011-2517.html

https://bugzilla.novell.com/show_bug.cgi?id=691269

https://bugzilla.novell.com/show_bug.cgi?id=691408

https://bugzilla.novell.com/show_bug.cgi?id=691536

https://bugzilla.novell.com/show_bug.cgi?id=691538

https://bugzilla.novell.com/show_bug.cgi?id=691632

https://bugzilla.novell.com/show_bug.cgi?id=691633

https://bugzilla.novell.com/show_bug.cgi?id=691693

https://bugzilla.novell.com/show_bug.cgi?id=691829

https://bugzilla.novell.com/show_bug.cgi?id=692343

https://bugzilla.novell.com/show_bug.cgi?id=692454

https://bugzilla.novell.com/show_bug.cgi?id=692459

https://bugzilla.novell.com/show_bug.cgi?id=692460

https://bugzilla.novell.com/show_bug.cgi?id=692502

https://bugzilla.novell.com/show_bug.cgi?id=693013

https://bugzilla.novell.com/show_bug.cgi?id=693149

https://bugzilla.novell.com/show_bug.cgi?id=693374

https://bugzilla.novell.com/show_bug.cgi?id=693382

https://bugzilla.novell.com/show_bug.cgi?id=693636

https://bugzilla.novell.com/show_bug.cgi?id=696107

https://bugzilla.novell.com/show_bug.cgi?id=696586

https://bugzilla.novell.com/show_bug.cgi?id=697181

https://bugzilla.novell.com/show_bug.cgi?id=697901

https://bugzilla.novell.com/show_bug.cgi?id=698221

https://bugzilla.novell.com/show_bug.cgi?id=698247

https://bugzilla.novell.com/show_bug.cgi?id=698604

https://bugzilla.novell.com/show_bug.cgi?id=699946

https://bugzilla.novell.com/show_bug.cgi?id=700401

https://bugzilla.novell.com/show_bug.cgi?id=700879

https://bugzilla.novell.com/show_bug.cgi?id=701170

https://bugzilla.novell.com/show_bug.cgi?id=701622

https://bugzilla.novell.com/show_bug.cgi?id=701977

https://bugzilla.novell.com/show_bug.cgi?id=702013

https://bugzilla.novell.com/show_bug.cgi?id=702285

https://bugzilla.novell.com/show_bug.cgi?id=703013

https://bugzilla.novell.com/show_bug.cgi?id=703410

https://bugzilla.novell.com/show_bug.cgi?id=703490

https://bugzilla.novell.com/show_bug.cgi?id=703786

http://support.novell.com/security/cve/CVE-2011-1012.html

http://support.novell.com/security/cve/CVE-2011-1017.html

http://support.novell.com/security/cve/CVE-2011-1020.html

http://support.novell.com/security/cve/CVE-2011-1078.html

http://support.novell.com/security/cve/CVE-2011-1079.html

http://support.novell.com/security/cve/CVE-2011-1080.html

http://support.novell.com/security/cve/CVE-2011-1160.html

http://support.novell.com/security/cve/CVE-2011-1170.html

http://support.novell.com/security/cve/CVE-2011-1171.html

http://support.novell.com/security/cve/CVE-2011-1172.html

http://support.novell.com/security/cve/CVE-2011-1173.html

http://support.novell.com/security/cve/CVE-2011-1577.html

http://support.novell.com/security/cve/CVE-2011-1585.html

http://support.novell.com/security/cve/CVE-2011-1593.html

Plugin Details

Severity: High

ID: 55686

File Name: suse_11_kernel-110718.nasl

Version: 1.7

Type: local

Agent: unix

Published: 7/26/2011

Updated: 1/19/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:11:kernel-xen-devel, p-cpe:/a:novell:suse_linux:11:kernel-syms, p-cpe:/a:novell:suse_linux:11:kernel-default-extra, p-cpe:/a:novell:suse_linux:11:kernel-default, p-cpe:/a:novell:suse_linux:11:kernel-xen-extra, p-cpe:/a:novell:suse_linux:11:btrfs-kmp-default, p-cpe:/a:novell:suse_linux:11:kernel-source, p-cpe:/a:novell:suse_linux:11:btrfs-kmp-pae, p-cpe:/a:novell:suse_linux:11:kernel-pae-base, cpe:/o:novell:suse_linux:11, p-cpe:/a:novell:suse_linux:11:kernel-xen, p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-pae, p-cpe:/a:novell:suse_linux:11:kernel-trace, p-cpe:/a:novell:suse_linux:11:kernel-pae, p-cpe:/a:novell:suse_linux:11:kernel-default-base, p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-default, p-cpe:/a:novell:suse_linux:11:kernel-ec2, p-cpe:/a:novell:suse_linux:11:kernel-pae-devel, p-cpe:/a:novell:suse_linux:11:kernel-default-man, p-cpe:/a:novell:suse_linux:11:kernel-ec2-base, p-cpe:/a:novell:suse_linux:11:kernel-trace-devel, p-cpe:/a:novell:suse_linux:11:btrfs-kmp-xen, p-cpe:/a:novell:suse_linux:11:kernel-default-devel, p-cpe:/a:novell:suse_linux:11:kernel-desktop-devel, p-cpe:/a:novell:suse_linux:11:kernel-xen-base, p-cpe:/a:novell:suse_linux:11:kernel-trace-base, p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-xen, p-cpe:/a:novell:suse_linux:11:kernel-pae-extra, p-cpe:/a:novell:suse_linux:11:hyper-v-kmp-pae, p-cpe:/a:novell:suse_linux:11:hyper-v-kmp-default

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 7/18/2011

Reference Information

CVE: CVE-2011-1012, CVE-2011-1017, CVE-2011-1020, CVE-2011-1078, CVE-2011-1079, CVE-2011-1080, CVE-2011-1160, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1173, CVE-2011-1577, CVE-2011-1585, CVE-2011-1593, CVE-2011-1598, CVE-2011-1745, CVE-2011-1746, CVE-2011-1748, CVE-2011-2182, CVE-2011-2183, CVE-2011-2213, CVE-2011-2491, CVE-2011-2496, CVE-2011-2517