Mandrake Linux Security Advisory : kernel (MDKSA-2006:040)

2006-02-19T00:00:00
ID MANDRAKE_MDKSA-2006-040.NASL
Type nessus
Reporter Tenable
Modified 2015-01-09T00:00:00

Description

A number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

The udp_v6_get_port function in udp.c, when running IPv6, allows local users to cause a Denial of Service (infinite loop and crash) (CVE-2005-2973).

The mq_open system call in certain situations can decrement a counter twice as a result of multiple calls to the mntput function when the dentry_open function call fails, allowing a local user to cause a DoS (panic) via unspecified attack vectors (CVE-2005-3356).

The procfs code allows attackers to read sensitive kernel memory via unspecified vectors in which a signed value is added to an unsigned value (CVE-2005-4605).

A buffer overflow in sysctl allows local users to cause a DoS and possibly execute arbitrary code via a long string, which causes sysctl to write a zero byte outside the buffer (CVE-2005-4618).

A buffer overflow in the CA-driver for TwinHan DST Frontend/Card allows local users to cause a DoS (crash) and possibly execute arbitrary code by reading more than eight bytes into an eight byte long array (CVE-2005-4639).

dm-crypt does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key (CVE-2006-0095).

Remote attackers can cause a DoS via unknown attack vectors related to an 'extra dst release when ip_options_echo fails' in icmp.c (CVE-2006-0454).

In addition to these security fixes, other fixes have been included such as :

  • support for mptsas

    • fix for IPv6 with sis190

    • a problem with the time progressing twice as fast

    • a fix for Audigy 2 ZS Video Editor sample rates

    • a fix for a supermount crash when accessing a supermount-ed CD/DVD drive

  • a fix for improperly unloading sbp2 module

The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels.

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Mandrake Linux Security Advisory MDKSA-2006:040. 
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(20939);
  script_version ("$Revision: 1.12 $");
  script_cvs_date("$Date: 2015/01/09 14:34:06 $");

  script_cve_id("CVE-2005-2973", "CVE-2005-3356", "CVE-2005-4605", "CVE-2005-4618", "CVE-2005-4639", "CVE-2006-0095", "CVE-2006-0454");
  script_xref(name:"MDKSA", value:"2006:040");

  script_name(english:"Mandrake Linux Security Advisory : kernel (MDKSA-2006:040)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Mandrake Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A number of vulnerabilities were discovered and corrected in the Linux
2.6 kernel :

The udp_v6_get_port function in udp.c, when running IPv6, allows local
users to cause a Denial of Service (infinite loop and crash)
(CVE-2005-2973).

The mq_open system call in certain situations can decrement a counter
twice as a result of multiple calls to the mntput function when the
dentry_open function call fails, allowing a local user to cause a DoS
(panic) via unspecified attack vectors (CVE-2005-3356).

The procfs code allows attackers to read sensitive kernel memory via
unspecified vectors in which a signed value is added to an unsigned
value (CVE-2005-4605).

A buffer overflow in sysctl allows local users to cause a DoS and
possibly execute arbitrary code via a long string, which causes sysctl
to write a zero byte outside the buffer (CVE-2005-4618).

A buffer overflow in the CA-driver for TwinHan DST Frontend/Card
allows local users to cause a DoS (crash) and possibly execute
arbitrary code by reading more than eight bytes into an eight byte
long array (CVE-2005-4639).

dm-crypt does not clear a structure before it is freed, which leads to
a memory disclosure that could allow local users to obtain sensitive
information about a cryptographic key (CVE-2006-0095).

Remote attackers can cause a DoS via unknown attack vectors related to
an 'extra dst release when ip_options_echo fails' in icmp.c
(CVE-2006-0454).

In addition to these security fixes, other fixes have been included
such as :

  - support for mptsas

    - fix for IPv6 with sis190

    - a problem with the time progressing twice as fast

    - a fix for Audigy 2 ZS Video Editor sample rates

    - a fix for a supermount crash when accessing a
      supermount-ed CD/DVD drive

  - a fix for improperly unloading sbp2 module

The provided packages are patched to fix these vulnerabilities. All
users are encouraged to upgrade to these updated kernels.

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.6.12.17mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i586-up-1GB-2.6.12.17mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.6.12.17mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.6.12.17mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-2.6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-stripped-2.6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xbox-2.6.12.17mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xen0-2.6.12.17mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xenU-2.6.12.17mdk");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/02/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/02/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2015 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


flag = 0;
if (rpm_check(release:"MDK2006.0", reference:"kernel-2.6.12.17mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-i586-up-1GB-2.6.12.17mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-i686-up-4GB-2.6.12.17mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"kernel-smp-2.6.12.17mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"kernel-source-2.6-2.6.12-17mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"kernel-source-stripped-2.6-2.6.12-17mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-xbox-2.6.12.17mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-xen0-2.6.12.17mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-xenU-2.6.12.17mdk-1-1mdk", yank:"mdk")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");