Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2006-0038     'Solar Designer' discovered that arithmetic computations     in netfilter's do_replace() function can lead to a     buffer overflow and the execution of arbitrary code.
    However, the operation requires CAP_NET_ADMIN     privileges, which is only an issue in virtualization     systems or fine grained access control systems.

  - CVE-2006-0039     'Solar Designer' discovered a race condition in     netfilter's do_add_counters() function, which allows     information disclosure of kernel memory by exploiting a     race condition. Like CVE-2006-0038, it requires     CAP_NET_ADMIN privileges.

  - CVE-2006-0741     Intel EM64T systems were discovered to be susceptible to     a local DoS due to an endless recursive fault related to     a bad ELF entry address.

  - CVE-2006-0742     Incorrectly declared die_if_kernel() function as 'does     never return' which could be exploited by a local     attacker resulting in a kernel crash.

  - CVE-2006-1056     AMD64 machines (and other 7th and 8th generation     AuthenticAMD processors) were found to be vulnerable to     sensitive information leakage, due to how they handle     saving and restoring the FOP, FIP, and FDP x87 registers     in FXSAVE/FXRSTOR when an exception is pending. This     allows a process to determine portions of the state of     floating point instructions of other processes.

  - CVE-2006-1242     Marco Ivaldi discovered that there was an unintended     information disclosure allowing remote attackers to     bypass protections against Idle Scans (nmap -sI) by     abusing the ID field of IP packets and bypassing the     zero IP ID in DF packet countermeasure. This was a     result of the ip_push_pending_frames function improperly     incremented the IP ID field when sending a RST after     receiving unsolicited TCP SYN-ACK packets.

  - CVE-2006-1343     Pavel Kankovsky reported the existence of a potential     information leak resulting from the failure to     initialize sin.sin_zero in the IPv4 socket code.

  - CVE-2006-1368     Shaun Tancheff discovered a buffer overflow (boundary     condition error) in the USB Gadget RNDIS implementation     allowing remote attackers to cause a DoS. While creating     a reply message, the driver allocated memory for the     reply data, but not for the reply structure. The kernel     fails to properly bounds-check user-supplied data before     copying it to an insufficiently sized memory buffer.
    Attackers could crash the system, or possibly execute     arbitrary machine code.

  - CVE-2006-1524     Hugh Dickins discovered an issue in the madvise_remove()     function wherein file and mmap restrictions are not     followed, allowing local users to bypass IPC permissions     and replace portions of readonly tmpfs files with     zeroes.

  - CVE-2006-1525     Alexandra Kossovsky reported a NULL pointer dereference     condition in ip_route_input() that can be triggered by a     local user by requesting a route for a multicast IP     address, resulting in a denial of service (panic).

  - CVE-2006-1857     Vlad Yasevich reported a data validation issue in the     SCTP subsystem that may allow a remote user to overflow     a buffer using a badly formatted HB-ACK chunk, resulting     in a denial of service.

  - CVE-2006-1858     Vlad Yasevich reported a bug in the bounds checking code     in the SCTP subsystem that may allow a remote attacker     to trigger a denial of service attack when rounded     parameter lengths are used to calculate parameter     lengths instead of the actual values.

  - CVE-2006-1864     Mark Mosely discovered that chroots residing on an SMB     share can be escaped with specially crafted 'cd'     sequences.

  - CVE-2006-2271     The 'Mu security team' discovered that carefully crafted     ECNE chunks can cause a kernel crash by accessing     incorrect state stable entries in the SCTP networking     subsystem, which allows denial of service.

  - CVE-2006-2272     The 'Mu security team' discovered that fragmented SCTP     control chunks can trigger kernel panics, which allows     for denial of service attacks.

  - CVE-2006-2274     It was discovered that SCTP packets with two initial     bundled data packets can lead to infinite recursion,     which allows for denial of service attacks.

A flaw was found in the module reference counting for loadable protocol modules of netfilter. By performing particular socket operations, a local attacker could exploit this to crash the kernel.
This flaw only affects Ubuntu 5.10. (CVE-2005-3359)

David Howells noticed a race condition in the add_key(), request_key() and keyctl() functions. By modifying the length of string arguments after the kernel determined their length, but before the kernel copied them into kernel memory, a local attacker could either crash the kernel or read random parts of kernel memory (which could potentially contain sensitive data). (CVE-2006-0457)

An information disclosure vulnerability was discovered in the ftruncate() function for the XFS file system. Under certain conditions, this function could expose random unallocated blocks. A local user could potentially exploit this to recover sensitive data from previously deleted files. (CVE-2006-0554)

A local Denial of Service vulnerability was found in the NFS client module. By opening a file on an NFS share with O_DIRECT and performing some special operations on it, a local attacker could trigger a kernel crash. (CVE-2006-0555)

The ELF binary loader did not sufficiently verify some addresses in the ELF headers. By attempting to execute a specially crafted program, a local attacker could exploit this to trigger a recursive loop of kernel errors, which finally ended in a kernel crash. This only affects the amd64 architecture on Intel processors (EMT64).
(CVE-2006-0741)

The die_if_kernel() function was incorrectly declared as 'does never return' on the ia64 platform. A local attacker could exploit this to crash the kernel. Please note that ia64 is not an officially supported platform. (CVE-2006-0742)

Oleg Nesterov discovered a race condition in the signal handling. On multiprocessor (SMP) machines, a local attacker could exploit this to create many unkillable processes, which could eventually lead to a Denial of Service.

A memory leak was discovered in the handling of files which were opened with the O_DIRECT flag. By repeatedly opening files in a special way, a local attacker could eventually drain all available kernel memory and render the machine unusable. This flaw only affects Ubuntu 4.10.
(http://linux.bkbits.net:8080/linux-2.6/cset%404182a613oVsK0-8eCWpyYFr Uf8rhLA).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 3. This is the eighth regular update.

This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

This is the eighth regular kernel update to Red Hat Enterprise Linux 3.

New features introduced by this update include :

  - addition of the adp94xx and dcdbas device drivers -     diskdump support on megaraid_sas, qlogic, and swap     partitions - support for new hardware via driver and     SCSI white-list updates

There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3.

There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include the networking subsystem, the NFS and autofs4 file systems, the SCSI and USB subsystems, and architecture-specific handling affecting AMD Opteron and Intel EM64T processors.

The following device drivers have been added or upgraded to new versions :

adp94xx -------- 1.0.8 (new) bnx2 ----------- 1.4.38 cciss ---------- 2.4.60.RH1 dcdbas --------- 5.6.0-1 (new) e1000 ---------- 7.0.33-k2 emulex --------- 7.3.6 forcedeth ------ 0.30 ipmi ----------- 35.13 qlogic --------- 7.07.04b6 tg3 ------------ 3.52RH

The following security bugs were fixed in this update :

  - a flaw in the USB devio handling of device removal that     allowed a local user to cause a denial of service     (crash) (CVE-2005-3055, moderate)

  - a flaw in the exec() handling of multi-threaded tasks     using ptrace() that allowed a local user to cause a     denial of service (hang of a user process)     (CVE-2005-3107, low)

  - a difference in 'sysretq' operation of EM64T (as opposed     to Opteron) processors that allowed a local user to     cause a denial of service (crash) upon return from     certain system calls (CVE-2006-0741 and CVE-2006-0744,     important)

  - a flaw in unaligned accesses handling on Intel Itanium     processors that allowed a local user to cause a denial     of service (crash) (CVE-2006-0742, important)

  - an info leak on AMD-based x86 and x86_64 systems that     allowed a local user to retrieve the floating point     exception state of a process run by a different user     (CVE-2006-1056, important)

  - a flaw in IPv4 packet output handling that allowed a     remote user to bypass the zero IP ID countermeasure on     systems with a disabled firewall (CVE-2006-1242, low)

  - a minor info leak in socket option handling in the     network code (CVE-2006-1343, low)

  - a flaw in IPv4 netfilter handling for the unlikely use     of SNMP NAT processing that allowed a remote user to     cause a denial of service (crash) or potential memory     corruption (CVE-2006-2444, moderate)

Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed.

All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.

A number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

sysctl.c in the Linux kernel prior to 2.6.14.1 allows local users to cause a Denial of Service (kernel oops) and possibly execute code by opening an interface file in /proc/sys/net/ipv4/conf/, waiting until the interface is unregistered, then obtaining and modifying function pointers in memory that was used for the ctl_table (CVE-2005-2709).

Multiple vulnerabilities in versions prior to 2.6.13.2 allow local users to cause a DoS (oops from null dereference) via fput in a 32bit ioctl on 64-bit x86 systems or sockfd_put in the 32-bit routing_ioctl function on 64-bit systems (CVE-2005-3044). Note that this was previously partially corrected in MDKSA-2005:235.

Prior to 2.6.14, the kernel's atm module allows local users to cause a DoS (panic) via certain socket calls that produce inconsistent reference counts for loadable protocol modules (CVE-2005-3359).

A race condition in the (1) add_key, (2) request_key, and (3) keyctl functions in the 2.6.x kernel allows local users to cause a DoS (crash) or read sensitive kernel memory by modifying the length of a string argument between the time that the kernel calculates the length and when it copies the data into kernel memory (CVE-2006-0457).

Prior to 2.6.15.5, the kernel allows local users to obtain sensitive information via a crafted XFS ftruncate call, which may return stale data (CVE-2006-0554).

Prior to 2.6.15.5, the kernel allows local users to cause a DoS (NFS client panic) via unknown attack vectors related to the use of O_DIRECT (CVE-2006-0555).

Prior to an including kernel 2.6.16, sys_mbind in mempolicy.c does not sanity check the maxnod variable before making certain computations, which has an unknown impact and attack vectors (CVE-2006-0557).

Prior to 2.6.15.5, the kernel allows local users to cause a DoS ('endless recursive fault') via unknown attack vectors related to a 'bad elf entry address' on Intel processors (CVE-2006-0741).

Prior to 2.6.15.6, the die_if_kernel function in the kernel can allow local users to cause a DoS by causing user faults on Itanium systems (CVE-2006-00742).

A race in the signal-handling code which allows a process to become unkillable when the race is triggered was also fixed.

In addition to these security fixes, other fixes have been included such as :

  - add ich8 support

    - libata locking rewrite

    - libata clear ATA_QCFLAG_ACTIVE flag before calling the       completion callback

  - support the Acer Aspire 5xxx/3xxx series in the acerhk     module

    - USB storage: remove info sysfs file as it violates the       sysfs one value per file rule

  - fix OOPS in sysfs_hash_and_remove_file()

    - pl2303 USB driver fixes; makes pl2303HX chip work       correctly

    - fix OOPS in IPMI driver which is probably caused when       trying to use ACPI functions when ACPI was not       properly initialized

  - fix de_thread() racy BUG_ON()

The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels.

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

Please note that users using the LSI Logic 53c1030 dual-channel ultra 320 SCSI card will need to re-create their initrd images manually prior to rebooting in order to fix a bug that prevents booting. A future update will correct this problem. To do this, execute :

# rm /boot/initrd-2.6.12-18mdk.img # mkinitrd /boot/initrd-2.6.12-18mdk.img 2.6.12-18mdk --with-module=mptspi

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2005-3359     Franz Filz discovered that some socket calls permit     causing inconsistent reference counts on loadable     modules, which allows local users to cause a denial of     service.

  - CVE-2006-0038     'Solar Designer' discovered that arithmetic computations     in netfilter's do_replace() function can lead to a     buffer overflow and the execution of arbitrary code.
    However, the operation requires CAP_NET_ADMIN     privileges, which is only an issue in virtualization     systems or fine grained access control systems.

  - CVE-2006-0039     'Solar Designer' discovered a race condition in     netfilter's do_add_counters() function, which allows     information disclosure of kernel memory by exploiting a     race condition. Likewise, it requires CAP_NET_ADMIN     privileges. 

  - CVE-2006-0456     David Howells discovered that the s390 assembly version     of the strnlen_user() function incorrectly returns some     string size values.

  - CVE-2006-0554     It was discovered that the ftruncate() function of XFS     can expose unallocated blocks, which allows information     disclosure of previously deleted files.

  - CVE-2006-0555     It was discovered that some NFS file operations on     handles mounted with O_DIRECT can force the kernel into     a crash.

  - CVE-2006-0557     It was discovered that the code to configure memory     policies allows tricking the kernel into a crash, thus     allowing denial of service.

  - CVE-2006-0558     It was discovered by Cliff Wickman that perfmon for the     IA64 architecture allows users to trigger a BUG()     assert, which allows denial of service.

  - CVE-2006-0741     Intel EM64T systems were discovered to be susceptible to     a local DoS due to an endless recursive fault related to     a bad ELF entry address.

  - CVE-2006-0742     Alan and Gareth discovered that the ia64 platform had an     incorrectly declared die_if_kernel() function as 'does     never return' which could be exploited by a local     attacker resulting in a kernel crash.

  - CVE-2006-0744     The Linux kernel did not properly handle uncanonical     return addresses on Intel EM64T CPUs, reporting     exceptions in the SYSRET instead of the next     instruction, causing the kernel exception handler to run     on the user stack with the wrong GS. This may result in     a DoS due to a local user changing the frames.

  - CVE-2006-1056     AMD64 machines (and other 7th and 8th generation     AuthenticAMD processors) were found to be vulnerable to     sensitive information leakage, due to how they handle     saving and restoring the FOP, FIP, and FDP x87 registers     in FXSAVE/FXRSTOR when an exception is pending. This     allows a process to determine portions of the state of     floating point instructions of other processes.

  - CVE-2006-1242     Marco Ivaldi discovered that there was an unintended     information disclosure allowing remote attackers to     bypass protections against Idle Scans (nmap -sI) by     abusing the ID field of IP packets and bypassing the     zero IP ID in DF packet countermeasure. This was a     result of the ip_push_pending_frames function improperly     incremented the IP ID field when sending a RST after     receiving unsolicited TCP SYN-ACK packets.

  - CVE-2006-1368     Shaun Tancheff discovered a buffer overflow (boundary     condition error) in the USB Gadget RNDIS implementation     allowing remote attackers to cause a DoS. While creating     a reply message, the driver allocated memory for the     reply data, but not for the reply structure. The kernel     fails to properly bounds-check user-supplied data before     copying it to an insufficiently sized memory buffer.
    Attackers could crash the system, or possibly execute     arbitrary machine code.

  - CVE-2006-1523     Oleg Nesterov reported an unsafe BUG_ON call in signal.c     which was introduced by RCU signal handling. The BUG_ON     code is protected by siglock while the code in     switch_exit_pids() uses tasklist_lock. It may be     possible for local users to exploit this to initiate a     denial of service attack (DoS).

  - CVE-2006-1524     Hugh Dickins discovered an issue in the madvise_remove()     function wherein file and mmap restrictions are not     followed, allowing local users to bypass IPC permissions     and replace portions of readonly tmpfs files with     zeroes.

  - CVE-2006-1525     Alexandra Kossovsky reported a NULL pointer dereference     condition in ip_route_input() that can be triggered by a     local user by requesting a route for a multicast IP     address, resulting in a denial of service (panic).

  - CVE-2006-1857     Vlad Yasevich reported a data validation issue in the     SCTP subsystem that may allow a remote user to overflow     a buffer using a badly formatted HB-ACK chunk, resulting     in a denial of service.

  - CVE-2006-1858     Vlad Yasevich reported a bug in the bounds checking code     in the SCTP subsystem that may allow a remote attacker     to trigger a denial of service attack when rounded     parameter lengths are used to calculate parameter     lengths instead of the actual values.

  - CVE-2006-1863     Mark Mosely discovered that chroots residing on an CIFS     share can be escaped with specially crafted 'cd'     sequences.

  - CVE-2006-1864     Mark Mosely discovered that chroots residing on an SMB     share can be escaped with specially crafted 'cd'     sequences.

  - CVE-2006-2271     The 'Mu security team' discovered that carefully crafted     ECNE chunks can cause a kernel crash by accessing     incorrect state stable entries in the SCTP networking     subsystem, which allows denial of service.

  - CVE-2006-2272     The 'Mu security team' discovered that fragmented SCTP     control chunks can trigger kernel panics, which allows     for denial of service attacks.

  - CVE-2006-2274     It was discovered that SCTP packets with two initial     bundled data packets can lead to infinite recursion,     which allows for denial of service attacks.

Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

This is the fourth regular update to Red Hat Enterprise Linux 4.

New features introduced in this update include :

* Device Mapper mirroring support

* IDE diskdump support

* x86, AMD64 and Intel EM64T: Multi-core scheduler support enhancements

* Itanium: perfmon support for Montecito

* much improved support for IBM x460

* AMD PowerNow! patches to support Opteron Rev G

* Vmalloc support > 64MB

The following device drivers have been upgraded to new versions :

ipmi: 33.11 to 33.13 ib_mthca: 0.06 to 0.08 bnx2: 1.4.30 to 1.4.38 bonding: 2.6.1 to 2.6.3 e100: 3.4.8-k2-NAPI to 3.5.10-k2-NAPI e1000:
6.1.16-k3-NAPI to 7.0.33-k2-NAPI sky2: 0.13 to 1.1 tg3: 3.43-rh to 3.52-rh ipw2100: 1.1.0 to git-1.1.4 ipw2200: 1.0.0 to git-1.0.10 3w-9xxx: 2.26.02.001 to 2.26.04.010 ips: 7.10.18 to 7.12.02 iscsi_sfnet: 4:0.1.11-2 to 4:0.1.11-3 lpfc: 0:8.0.16.18 to 0:8.0.16.27 megaraid_sas: 00.00.02.00 to 00.00.02.03-RH1 qla2xxx: 8.01.02-d4 to 8.01.04-d7 qla6312: 8.01.02-d4 to 8.01.04-d7 sata_promise: 1.03 to 1.04 sata_vsc: 1.1 to 1.2 ibmvscsic: 1.5.5 to 1.5.6 ipr: 2.0.11.1 to 2.0.11.2

Added drivers :

dcdbas: 5.6.0-2 sata_mv: 0.6 sata_qstor: 0.05 sata_uli: 0.5 skge: 1.1 stex: 2.9.0.13 pdc_adma: 0.03

This update includes fixes for the security issues :

* a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate)

* a flaw in the ACL handling of nfsd that allowed a remote user to bypass ACLs for readonly mounted NFS file systems (CVE-2005-3623, moderate)

* a flaw in the netfilter handling that allowed a local user with CAP_NET_ADMIN rights to cause a buffer overflow (CVE-2006-0038, low)

* a flaw in the IBM S/390 and IBM zSeries strnlen_user() function that allowed a local user to cause a denial of service (crash) or to retrieve random kernel data (CVE-2006-0456, important)

* a flaw in the keyctl functions that allowed a local user to cause a denial of service (crash) or to read sensitive kernel memory (CVE-2006-0457, important)

* a flaw in unaligned accesses handling on Itanium processors that allowed a local user to cause a denial of service (crash) (CVE-2006-0742, important)

* a flaw in SELinux ptrace logic that allowed a local user with ptrace permissions to change the tracer SID to a SID of another process (CVE-2006-1052, moderate)

* an info leak on AMD-based x86 and x86_64 systems that allowed a local user to retrieve the floating point exception state of a process run by a different user (CVE-2006-1056, important)

* a flaw in IPv4 packet output handling that allowed a remote user to bypass the zero IP ID countermeasure on systems with a disabled firewall (CVE-2006-1242, low)

* a minor info leak in socket option handling in the network code (CVE-2006-1343, low)

* a flaw in the HB-ACK chunk handling of SCTP that allowed a remote user to cause a denial of service (crash) (CVE-2006-1857, moderate)

* a flaw in the SCTP implementation that allowed a remote user to cause a denial of service (deadlock) (CVE-2006-2275, moderate)

* a flaw in the socket buffer handling that allowed a remote user to cause a denial of service (panic) (CVE-2006-2446, important)

* a flaw in the signal handling access checking on PowerPC that allowed a local user to cause a denial of service (crash) or read arbitrary kernel memory on 64-bit systems (CVE-2006-2448, important)

* a flaw in the netfilter SCTP module when receiving a chunkless packet that allowed a remote user to cause a denial of service (crash) (CVE-2006-2934, important)

There were several bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4.

The remote host is running Kerio MailServer version 6.0.10 or lower.  There is a flaw in the remote version of this server that would allow an attacker to cause the application to fail.  While the details of the flaw are unknown, it is alledged that an attacker can launch the attack without any credentials and render the target service unavailable.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2006-0575.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2006-0437.

ID	Name	Product	Family	Published	Updated	Severity
22639	Debian DSA-1097-1 : kernel-source-2.4.27 - several vulnerabilities	Nessus	Debian Local Security Checks	10/14/2006	1/4/2021	critical
21070	Ubuntu 4.10 / 5.04 / 5.10 : linux-source-2.6.8.1/-2.6.10/-2.6.12 vulnerabilities (USN-263-1)	Nessus	Ubuntu Local Security Checks	3/13/2006	1/19/2021	high
22086	RHEL 3 : kernel (RHSA-2006:0437)	Nessus	Red Hat Local Security Checks	7/21/2006	1/14/2021	high
21133	Mandrake Linux Security Advisory : kernel (MDKSA-2006:059)	Nessus	Mandriva Local Security Checks	3/23/2006	1/6/2021	high
22645	Debian DSA-1103-1 : kernel-source-2.6.8 - several vulnerabilities	Nessus	Debian Local Security Checks	10/14/2006	1/4/2021	critical
22135	CentOS 3 : kernel (CESA-2006:0437)	Nessus	CentOS Local Security Checks	8/4/2006	1/4/2021	high
22221	RHEL 4 : kernel (RHSA-2006:0575)	Nessus	Red Hat Local Security Checks	8/14/2006	1/14/2021	high
22276	CentOS 4 : kernel (CESA-2006:0575)	Nessus	CentOS Local Security Checks	8/30/2006	1/4/2021	high
3469	Kerio MailServer < 6.1.3 Patch 1 Remote DoS	Nessus Network Monitor	SMTP Servers	3/9/2006	3/6/2019	medium
801420	CentOS RHSA-2006-0575 Security Check	Log Correlation Engine	Generic			high
801417	CentOS RHSA-2006-0437 Security Check	Log Correlation Engine	Generic			high

Detections

Analytics

Plugins Search

critical

high

high

high

critical

high

high

high

medium

high

high