MiracleLinux 4 : kernel-2.6.32-71.14.1.el6 (AXSA:2011-57:01)

14 Jan 2026 00:00:00 | Reported by Tenable | Type: nessus | www.tenable.com

MiracleLinux 4 kernel package has multiple local privilege escalation and denial of service vulnerabilities per AXSA:2011-57:01.

Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2011-57:01.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(284076);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/12");

  script_cve_id(
    "CVE-2010-2492",
    "CVE-2010-3067",
    "CVE-2010-3078",
    "CVE-2010-3080",
    "CVE-2010-3298",
    "CVE-2010-3477",
    "CVE-2010-3861",
    "CVE-2010-3865",
    "CVE-2010-3874",
    "CVE-2010-3876",
    "CVE-2010-3880",
    "CVE-2010-4072",
    "CVE-2010-4073",
    "CVE-2010-4074",
    "CVE-2010-4075",
    "CVE-2010-4077",
    "CVE-2010-4079",
    "CVE-2010-4080",
    "CVE-2010-4081",
    "CVE-2010-4082"
  );

  script_name(english:"MiracleLinux 4 : kernel-2.6.32-71.14.1.el6 (AXSA:2011-57:01)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the
AXSA:2011-57:01 advisory.

    The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system.  The
    kernel handles the basic functions of the operating system: memory allocation, process allocation, device
    input and output, etc.
    Security issues:
    CVE-2010-2492
    Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the
    Linux kernel before 2.6.35 might allow local users to gain privileges or cause a denial of service (system
    crash) via unspecified vectors.
    CVE-2010-3067
    Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel before
    2.6.36-rc4-next-20100915 allows local users to cause a denial of service or possibly have unspecified
    other impact via crafted use of the io_submit system call.
    CVE-2010-3078
    The xfs_ioc_fsgetxattr function in fs/xfs/linux-2.6/xfs_ioctl.c in the Linux kernel before 2.6.36-rc4 does
    not initialize a certain structure member, which allows local users to obtain potentially sensitive
    information from kernel stack memory via an ioctl call.
    CVE-2010-3080
    Double free vulnerability in the snd_seq_oss_open function in sound/core/seq/oss/seq_oss_init.c in the
    Linux kernel before 2.6.36-rc4 might allow local users to cause a denial of service or possibly have
    unspecified other impact via an unsuccessful attempt to open the /dev/sequencer device.
    CVE-2010-3298
    The hso_get_count function in drivers/net/usb/hso.c in the Linux kernel before 2.6.36-rc5 does not
    properly initialize a certain structure member, which allows local users to obtain potentially sensitive
    information from kernel stack memory via a TIOCGICOUNT ioctl call.
    CVE-2010-3477
    The tcf_act_police_dump function in net/sched/act_police.c in the actions implementation in the network
    queueing functionality in the Linux kernel before 2.6.36-rc4 does not properly initialize certain
    structure members, which allows local users to obtain potentially sensitive information from kernel memory
    via vectors involving a dump operation. NOTE: this vulnerability exists because of an incomplete fix for
    CVE-2010-2942.
    CVE-2010-3861
    The ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.36 does not initialize
    a certain block of heap memory, which allows local users to obtain potentially sensitive information via
    an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value, a different vulnerability than
    CVE-2010-2478.
    CVE-2010-3865
    Integer overflow in the rds_rdma_pages function in net/rds/rdma.c in the Linux kernel allows local users
    to cause a denial of service (crash) and possibly execute arbitrary code via a crafted iovec struct in a
    Reliable Datagram Sockets (RDS) request, which triggers a buffer overflow.
    CVE-2010-3874
    Heap-based buffer overflow in the bcm_connect function in net/can/bcm.c (aka the Broadcast Manager) in the
    Controller Area Network (CAN) implementation in the Linux kernel before 2.6.36.2 on 64-bit platforms might
    allow local users to cause a denial of service (memory corruption) via a connect operation.
    CVE-2010-3876
    net/packet/af_packet.c in the Linux kernel before 2.6.37-rc2 does not properly initialize certain
    structure members, which allows local users to obtain potentially sensitive information from kernel stack
    memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures.
    CVE-2010-3880
    net/ipv4/inet_diag.c in the Linux kernel before 2.6.37-rc2 does not properly audit INET_DIAG bytecode,
    which allows local users to cause a denial of service (kernel infinite loop) via crafted
    INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements, as
    demonstrated by INET_DIAG_BC_JMP instructions.
    CVE-2010-4072
    The copy_shmid_to_user function in ipc/shm.c in the Linux kernel before 2.6.37-rc1 does not initialize a
    certain structure, which allows local users to obtain potentially sensitive information from kernel stack
    memory via vectors related to the shmctl system call and the old shm interface.
    CVE-2010-4073
    The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not initialize certain structures, which
    allows local users to obtain potentially sensitive information from kernel stack memory via vectors
    related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in
    ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in
    ipc/compat_mq.c.
    CVE-2010-4074
    The USB subsystem in the Linux kernel before 2.6.36-rc5 does not properly initialize certain structure
    members, which allows local users to obtain potentially sensitive information from kernel stack memory via
    vectors related to TIOCGICOUNT ioctl calls, and the (1) mos7720_ioctl function in
    drivers/usb/serial/mos7720.c and (2) mos7840_ioctl function in drivers/usb/serial/mos7840.c.
    CVE-2010-4075
    The uart_get_count function in drivers/serial/serial_core.c in the Linux kernel before 2.6.37-rc1 does not
    properly initialize a certain structure member, which allows local users to obtain potentially sensitive
    information from kernel stack memory via a TIOCGICOUNT ioctl call.
    CVE-2010-4077
    The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in the Linux kernel 2.6.36.1 and earlier does
    not properly initialize a certain structure member, which allows local users to obtain potentially
    sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.
    CVE-2010-4079
    The ivtvfb_ioctl function in drivers/media/video/ivtv/ivtvfb.c in the Linux kernel before 2.6.36-rc8 does
    not properly initialize a certain structure member, which allows local users to obtain potentially
    sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call.
    CVE-2010-4080
    The snd_hdsp_hwdep_ioctl function in sound/pci/rme9652/hdsp.c in the Linux kernel before 2.6.36-rc6 does
    not initialize a certain structure, which allows local users to obtain potentially sensitive information
    from kernel stack memory via an SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl call.
    CVE-2010-4081
    The snd_hdspm_hwdep_ioctl function in sound/pci/rme9652/hdspm.c in the Linux kernel before 2.6.36-rc6 does
    not initialize a certain structure, which allows local users to obtain potentially sensitive information
    from kernel stack memory via an SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl call.
    CVE-2010-4082
    The viafb_ioctl_get_viafb_info function in drivers/video/via/ioctl.c in the Linux kernel before 2.6.36-rc5
    does not properly initialize a certain structure member, which allows local users to obtain potentially
    sensitive information from kernel stack memory via a VIAFB_GET_INFO ioctl call.
    CVE-2010-4083
    The copy_semid_to_user function in ipc/sem.c in the Linux kernel before 2.6.36 does not initialize a
    certain structure, which allows local users to obtain potentially sensitive information from kernel stack
    memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call.
    CVE-2010-4158
    The sk_run_filter function in net/core/filter.c in the Linux kernel before 2.6.36.2 does not check whether
    a certain memory location has been initialized before executing a (1) BPF_S_LD_MEM or (2) BPF_S_LDX_MEM
    instruction, which allows local users to obtain potentially sensitive information from kernel stack memory
    via a crafted socket filter.
    CVE-2010-4160
    Multiple integer overflows in the (1) pppol2tp_sendmsg function in net/l2tp/l2tp_ppp.c, and the (2)
    l2tp_ip_sendmsg function in net/l2tp/l2tp_ip.c, in the PPPoL2TP and IPoL2TP implementations in the Linux
    kernel before 2.6.36.2 allow local users to cause a denial of service (heap memory corruption and panic)
    or possibly gain privileges via a crafted sendto call.
    CVE-2010-4162
    Multiple integer overflows in fs/bio.c in the Linux kernel before 2.6.36.2 allow local users to cause a
    denial of service (system crash) via a crafted device ioctl to a SCSI device.
    CVE-2010-4163
    The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 2.6.36.2 allows local users
    to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device.
    CVE-2010-4242
    The hci_uart_tty_open function in the HCI UART driver (drivers/bluetooth/hci_ldisc.c) in the Linux kernel
    2.6.36, and possibly other versions, does not verify whether the tty has a write operation, which allows
    local users to cause a denial of service (NULL pointer dereference) via vectors related to the Bluetooth
    driver.
    CVE-2010-4248
    Race condition in the __exit_signal function in kernel/exit.c in the Linux kernel before 2.6.37-rc2 allows
    local users to cause a denial of service via vectors related to multithreaded exec, the use of a thread
    group leader in kernel/posix-cpu-timers.c, and the selection of a new thread group leader in the de_thread
    function in fs/exec.c.
    CVE-2010-4249
    The wait_for_unix_gc function in net/unix/garbage.c in the Linux kernel before 2.6.37-rc3-next-20101125
    does not properly select times for garbage collection of inflight sockets, which allows local users to
    cause a denial of service (system hang) via crafted use of the socketpair and sendmsg system calls for
    SOCK_SEQPACKET sockets.
    CVE-2010-4263
    The igb_receive_skb function in drivers/net/igb/igb_main.c in the Intel Gigabit Ethernet (aka igb)
    subsystem in the Linux kernel before 2.6.34, when Single Root I/O Virtualization (SR-IOV) and promiscuous
    mode are enabled but no VLANs are registered, allows remote attackers to cause a denial of service (NULL
    pointer dereference and panic) and possibly have unspecified other impact via a VLAN tagged frame.
    CVE-2010-4525
    Linux kernel 2.6.33 and 2.6.34.y does not initialize the kvm_vcpu_events->interrupt.pad structure member,
    which allows local users to obtain potentially sensitive information from kernel stack memory via
    unspecified vectors.
    CVE-2010-4668
    The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 2.6.37-rc7 allows local
    users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI
    device, related to an unaligned map. NOTE: this vulnerability exists because of an incomplete fix for
    CVE-2010-4163.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/1737");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2010-3865");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2010-2492");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"vendor_severity", value:"High");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/07/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/02/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-firmware");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:4");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 4.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '4',
    'pkgs': [
      {'reference':'kernel-2.6.32-71.14.1.el6', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-2.6.32-71.14.1.el6', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-debug-2.6.32-71.14.1.el6', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-debug-2.6.32-71.14.1.el6', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-devel-2.6.32-71.14.1.el6', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-devel-2.6.32-71.14.1.el6', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-firmware-2.6.32-71.14.1.el6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-headers-2.6.32-71.14.1.el6', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-headers-2.6.32-71.14.1.el6', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'perf-2.6.32-71.14.1.el6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel / kernel-debug / kernel-devel / kernel-firmware / etc');
}
